/**
 * Wraps the provided html code in a div and outputs it to the page
 *
 * $html is appended to the output unescaped, so it must already be
 * parser/sanitizer output. When $wgRawHtml is on, a preview of arbitrary
 * markup could be used for cross-site scripting, so in that mode the preview
 * is refused unless the request carries a valid edit token; logged-out users
 * (who currently have no CSRF protection) only get the preview where
 * anonymous editing is allowed (bug 71111).
 *
 * @param Title $title Page whose view language sets the wrapper's dir/lang
 * @param string $html Already-rendered HTML to show
 * @param OutputPage $out Page the preview is appended to
 */
private function showHtmlPreview(Title $title, $html, OutputPage $out) {
	global $wgRawHtml;

	$viewLang = $title->getPageViewLanguage();
	$out->addHTML("<h2>" . $this->msg('expand_templates_preview')->escaped() . "</h2>\n");

	if ($wgRawHtml) {
		$request = $this->getRequest();
		$user = $this->getUser();

		// Raw HTML previews are only shown when the request is authenticated
		// with an edit token (bug 71111). Logged-out users have no CSRF
		// protection at all, so they only get the preview where anonymous
		// editing is allowed.
		$refusal = null;
		if ($user->isAnon() && !$user->isAllowed('edit')) {
			$refusal = 'expand_templates_preview_fail_html_anon';
		} elseif (!$user->matchEditToken($request->getVal('wpEditToken'), '', $request)) {
			$refusal = 'expand_templates_preview_fail_html';
		}

		if ($refusal !== null) {
			$out->wrapWikiMsg("<div class='previewnote'>\n\$1\n</div>", array($refusal));
			return;
		}
	}

	// Direction and language of the wrapper follow the page's view language,
	// not the interface language.
	$direction = $viewLang->getDir();
	$wrapperAttribs = array(
		'class' => 'mw-content-' . $direction,
		'dir' => $direction,
		'lang' => $viewLang->getHtmlCode(),
	);
	$out->addHTML(Html::openElement('div', $wrapperAttribs));
	$out->addHTML($html);
	$out->addHTML(Html::closeElement('div'));
}
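/**
 * Render the supplied wiki text and append to the page as a preview
 *
 * The parser output is appended to the page unescaped. When $wgRawHtml is
 * enabled, that output can carry raw markup, so to prevent cross-site
 * scripting the preview is refused unless the request carries a valid edit
 * token (bug 71111); logged-out users, who currently have no CSRF
 * protection, only get it where anonymous editing is allowed. The access
 * check runs before $text is parsed, so a refused request never runs
 * untrusted input through the parser only to discard the result.
 *
 * @param Title $title Page context the text is parsed against
 * @param string $text Wiki text to render
 * @param OutputPage $out Page the preview is appended to
 */
private function showHtmlPreview($title, $text, $out) {
	global $wgParser, $wgRawHtml, $wgRequest, $wgUser;

	$out->addHTML("<h2>" . wfMsgHtml('expand_templates_preview') . "</h2>\n");

	if ($wgRawHtml) {
		// To prevent cross-site scripting attacks, don't show the preview if raw HTML is
		// allowed and a valid edit token is not provided (bug 71111). However, MediaWiki
		// does not currently provide logged-out users with CSRF protection; in that case,
		// do not show the preview unless anonymous editing is allowed.
		if ($wgUser->isAnon() && !$wgUser->isAllowed('edit')) {
			$error = array('expand_templates_preview_fail_html_anon');
		} elseif (!$wgUser->matchEditToken($wgRequest->getVal('wpEditToken'))) {
			$error = array('expand_templates_preview_fail_html');
		} else {
			$error = false;
		}

		if ($error) {
			$out->wrapWikiMsg("<div class='previewnote'>\n\$1\n</div>", $error);
			return;
		}
	}

	// Parse only once the check above has passed; the result is only ever
	// used for the preview that follows.
	$pout = $wgParser->parse($text, $title, new ParserOptions());
	$out->addHTML($pout->getText());
}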