/**
* Override the title of the page when viewed, provided we've been given a
* title which will normalise to the canonical title
*
* @param Parser $parser Parent parser
* @param string $text Desired title text
* @param string $uarg
* @return string
*/
public static function displaytitle($parser, $text = '', $uarg = '')
{
global $wgRestrictDisplayTitle;
static $magicWords = null;
if (is_null($magicWords)) {
$magicWords = new MagicWordArray(['displaytitle_noerror', 'displaytitle_noreplace']);
}
$arg = $magicWords->matchStartToEnd($uarg);
// parse a limited subset of wiki markup (just the single quote items)
$text = $parser->doQuotes($text);
// remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
$text = $parser->killMarkers($text);
// list of disallowed tags for DISPLAYTITLE
// these will be escaped even though they are allowed in normal wiki text
$bad = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr', 'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rtc', 'rp', 'br'];
// disallow some styles that could be used to bypass $wgRestrictDisplayTitle
if ($wgRestrictDisplayTitle) {
$htmlTagsCallback = function (&$params) {
$decoded = Sanitizer::decodeTagAttributes($params);
if (isset($decoded['style'])) {
// this is called later anyway, but we need it right now for the regexes below to be safe
// calling it twice doesn't hurt
$decoded['style'] = Sanitizer::checkCss($decoded['style']);
if (preg_match('/(display|user-select|visibility)\\s*:/i', $decoded['style'])) {
$decoded['style'] = '/* attempt to bypass $wgRestrictDisplayTitle */';
}
}
$params = Sanitizer::safeEncodeTagAttributes($decoded);
};
} else {
$htmlTagsCallback = null;
}
// only requested titles that normalize to the actual title are allowed through
// if $wgRestrictDisplayTitle is true (it is by default)
// mimic the escaping process that occurs in OutputPage::setPageTitle
$text = Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($text, $htmlTagsCallback, [], [], $bad));
$title = Title::newFromText(Sanitizer::stripAllTags($text));
if (!$wgRestrictDisplayTitle || $title instanceof Title && !$title->hasFragment() && $title->equals($parser->mTitle)) {
$old = $parser->mOutput->getProperty('displaytitle');
if ($old === false || $arg !== 'displaytitle_noreplace') {
$parser->mOutput->setDisplayTitle($text);
}
if ($old !== false && $old !== $text && !$arg) {
$converter = $parser->getConverterLanguage()->getConverter();
return '<span class="error">' . wfMessage('duplicate-displaytitle', $converter->markNoConversion(wfEscapeWikiText($old)), $converter->markNoConversion(wfEscapeWikiText($text)))->inContentLanguage()->text() . '</span>';
} else {
return '';
}
} else {
$parser->addTrackingCategory('restricted-displaytitle-ignored');
$converter = $parser->getConverterLanguage()->getConverter();
return '<span class="error">' . wfMessage('restricted-displaytitle', $converter->markNoConversion(wfEscapeWikiText($text)))->inContentLanguage()->text() . '</span>';
}
}
/**
* Take a tag soup fragment listing an HTML element's attributes
* and normalize it to well-formed XML, discarding unwanted attributes.
* Output is safe for further wikitext processing, with escaping of
* values that could trigger problems.
*
* - Normalizes attribute names to lowercase
* - Discards attributes not on a whitelist for the given element
* - Turns broken or invalid entities into plaintext
* - Double-quotes all attribute values
* - Attributes without values are given the name as attribute
* - Double attributes are discarded
* - Unsafe style attributes are discarded
* - Prepends space if there are attributes.
*
* @param string $text
* @param string $element
* @return string
*/
static function fixTagAttributes($text, $element)
{
if (trim($text) == '') {
return '';
}
$decoded = Sanitizer::decodeTagAttributes($text);
$stripped = Sanitizer::validateTagAttributes($decoded, $element);
return Sanitizer::safeEncodeTagAttributes($stripped);
}
/**
* Override the title of the page when viewed, provided we've been given a
* title which will normalise to the canonical title
*
* @param $parser Parser: parent parser
* @param string $text desired title text
* @return String
*/
static function displaytitle($parser, $text = '')
{
global $wgRestrictDisplayTitle;
// parse a limited subset of wiki markup (just the single quote items)
$text = $parser->doQuotes($text);
// remove stripped text (e.g. the UNIQ-QINU stuff) that was generated by tag extensions/whatever
$text = preg_replace('/' . preg_quote($parser->uniqPrefix(), '/') . '.*?' . preg_quote(Parser::MARKER_SUFFIX, '/') . '/', '', $text);
// list of disallowed tags for DISPLAYTITLE
// these will be escaped even though they are allowed in normal wiki text
$bad = array('h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'blockquote', 'ol', 'ul', 'li', 'hr', 'table', 'tr', 'th', 'td', 'dl', 'dd', 'caption', 'p', 'ruby', 'rb', 'rt', 'rp', 'br');
// disallow some styles that could be used to bypass $wgRestrictDisplayTitle
if ($wgRestrictDisplayTitle) {
$htmlTagsCallback = function (&$params) {
$decoded = Sanitizer::decodeTagAttributes($params);
if (isset($decoded['style'])) {
// this is called later anyway, but we need it right now for the regexes below to be safe
// calling it twice doesn't hurt
$decoded['style'] = Sanitizer::checkCss($decoded['style']);
if (preg_match('/(display|user-select|visibility)\\s*:/i', $decoded['style'])) {
$decoded['style'] = '/* attempt to bypass $wgRestrictDisplayTitle */';
}
}
$params = Sanitizer::safeEncodeTagAttributes($decoded);
};
} else {
$htmlTagsCallback = null;
}
// only requested titles that normalize to the actual title are allowed through
// if $wgRestrictDisplayTitle is true (it is by default)
// mimic the escaping process that occurs in OutputPage::setPageTitle
$text = Sanitizer::normalizeCharReferences(Sanitizer::removeHTMLtags($text, $htmlTagsCallback, array(), array(), $bad));
$title = Title::newFromText(Sanitizer::stripAllTags($text));
if (!$wgRestrictDisplayTitle) {
$parser->mOutput->setDisplayTitle($text);
} elseif ($title instanceof Title && !$title->hasFragment() && $title->equals($parser->mTitle)) {
$parser->mOutput->setDisplayTitle($text);
}
return '';
}
/**
* Hook to provide syntax highlighting for API pretty-printed output
*
* @param IContextSource $context
* @param string $text
* @param string $mime
* @param string $format
* @since MW 1.24
*/
public static function onApiFormatHighlight(IContextSource $context, $text, $mime, $format)
{
if (!isset(self::$mimeLexers[$mime])) {
return true;
}
$lexer = self::$mimeLexers[$mime];
$status = self::highlight($text, $lexer);
if (!$status->isOK()) {
return true;
}
$out = $status->getValue();
if (preg_match('/^<pre([^>]*)>/i', $out, $m)) {
$attrs = Sanitizer::decodeTagAttributes($m[1]);
$attrs['class'] .= ' api-pretty-content';
$encodedAttrs = Sanitizer::safeEncodeTagAttributes($attrs);
$out = '<pre' . $encodedAttrs . '>' . substr($out, strlen($m[0]));
}
$output = $context->getOutput();
$output->addModuleStyles('ext.pygments');
$output->addHTML('<div dir="ltr">' . $out . '</div>');
// Inform MediaWiki that we have parsed this page and it shouldn't mess with it.
return false;
}
/**
* Hook to provide syntax highlighting for API pretty-printed output
*
* @param IContextSource $context
* @param string $text
* @param string $mime
* @param string $format
* @since MW 1.24
*/
public static function apiFormatHighlight(IContextSource $context, $text, $mime, $format)
{
switch ($mime) {
case 'text/javascript':
case 'application/json':
$lang = 'javascript';
break;
case 'text/xml':
$lang = 'xml';
break;
default:
// Don't know how to handle this
return true;
}
$geshi = self::prepare($text, $lang);
if ($geshi instanceof GeSHi) {
$out = $geshi->parse_code();
if (!$geshi->error()) {
if (preg_match('/^<pre([^>]*)>/i', $out, $m)) {
$attrs = Sanitizer::decodeTagAttributes($m[1]);
$attrs['class'] .= ' api-pretty-content';
$out = '<pre' . Sanitizer::safeEncodeTagAttributes($attrs) . '>' . substr($out, strlen($m[0]));
}
$output = $context->getOutput();
$output->addModuleStyles(array("ext.geshi.language.{$lang}", 'ext.geshi.local'));
$output->addHTML("<div dir=\"ltr\">{$out}</div>");
// Inform MediaWiki that we have parsed this page and it shouldn't mess with it.
return false;
}
}
// Bottle out
return true;
}
