ILIAS  release_5-0 Revision 5.0.0-1144-gc4397b1f870
All Data Structures Namespaces Files Functions Variables Modules Pages
Static Public Member Functions | Static Private Member Functions
Sanitizer Class Reference
+ Collaboration diagram for Sanitizer:

Static Public Member Functions

static validateTagAttributes ( $attribs, $element)
 Take an array of attribute names and values and normalize or discard illegal values for the given element type. More...
 
static checkCss ( $value)
 Pick apart some CSS and check it for forbidden or unsafe structures. More...
 
static fixTagAttributes ( $text, $element)
 Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes. More...
 
static encodeAttribute ( $text)
 Encode an attribute value for HTML output. More...
 
static safeEncodeAttribute ( $text)
 Encode an attribute value for HTML tags, with extra armoring against further wiki processing. More...
 
static escapeId ( $id)
 Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link) More...
 
static escapeClass ( $class)
 Given a value, escape it so that it can be used as a CSS class and return it. More...
 
static decodeTagAttributes ( $text)
 Return an associative array of attribute names and values from a partial tag string. More...
 
static normalizeCharReferencesCallback ( $matches)
 
static normalizeEntity ( $name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is. More...
 
static decCharReference ( $codepoint)
 
static hexCharReference ( $codepoint)
 
static decodeCharReferences ( $text)
 Decode any character references, numeric or named entities, in the text and return a UTF-8 string. More...
 
static decodeCharReferencesCallback ( $matches)
 
static decodeEntity ( $name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character. More...
 
static attributeWhitelist ( $element)
 Fetch the whitelist of acceptable attributes for a given element name. More...
 
static setupAttributeWhitelist ()
 
static stripAllTags ( $text)
 Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text. More...
 
static hackDocType ()
 Hack up a private DOCTYPE with HTML's standard entity declarations. More...
 
static cleanUrl ( $url, $hostname=true)
 

Static Private Member Functions

static removeHTMLtags ( $text, $processCallback=null, $args=array())
 Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments. More...
 
static removeHTMLcomments ( $text)
 Remove '', and everything between. More...
 
static armorLinksCallback ( $matches)
 Regex replace callback for armoring links against further processing. More...
 
static getTagAttributeCallback ( $set)
 Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches. More...
 
static normalizeAttributeValue ( $text)
 Normalize whitespace and character references in an XML source- encoded text for an attribute value. More...
 
static normalizeWhitespace ( $text)
 
static normalizeCharReferences ( $text)
 Ensure that any entities and character references are legal for XML and XHTML specifically. More...
 
static validateCodepoint ( $codepoint)
 Returns true if a given Unicode codepoint is a valid character in XML. More...
 
static decodeChar ( $codepoint)
 Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER. More...
 

Detailed Description

Definition at line 330 of file Sanitizer.php.

Member Function Documentation

◆ armorLinksCallback()

static Sanitizer::armorLinksCallback (   $matches)
staticprivate

Regex replace callback for armoring links against further processing.

Parameters
array$matches
Returns
string

Definition at line 772 of file Sanitizer.php.

774  {

◆ attributeWhitelist()

static Sanitizer::attributeWhitelist (   $element)
static

Fetch the whitelist of acceptable attributes for a given element name.

Parameters
string$element
Returns
array

Definition at line 1041 of file Sanitizer.php.

Referenced by hexCharReference().

1043  {
1044  static $list;
1045  if( !isset( $list ) ) {
1046  $list = Sanitizer::setupAttributeWhitelist();
1047  }
1048  return isset( $list[$element] )
1049  ? $list[$element]
Sanitizer\setupAttributeWhitelist
static setupAttributeWhitelist()
Definition: Sanitizer.php:1055
+ Here is the caller graph for this function:

◆ checkCss()

static Sanitizer::checkCss (   $value)
static

Pick apart some CSS and check it for forbidden or unsafe structures.

Returns a sanitized string, or false if it was just too evil.

Currently URL references, 'expression', 'tps' are forbidden.

Parameters
string$value
Returns
mixed

Definition at line 611 of file Sanitizer.php.

613  {
614  $stripped = Sanitizer::decodeCharReferences( $value );
615 
616  // Remove any comments; IE gets token splitting wrong
617  $stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped );
618 
619  $value = $stripped;
620 
621  // ... and continue checks
622  $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
623  'codepointToUtf8(hexdec("$1"))', $stripped );
624  $stripped = str_replace( '\\', '', $stripped );
625  if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\().*/is',
626  $stripped ) ) {
627  # haxx0r
628  return false;
629  }
630 
Sanitizer\decodeCharReferences
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string...
Definition: Sanitizer.php:973

◆ cleanUrl()

static Sanitizer::cleanUrl (   $url,
  $hostname = true 
)
static

Definition at line 1232 of file Sanitizer.php.

References $rest, and decodeCharReferences().

Referenced by Parser\magicLinkCallback().

1234  {
1235  # Normalize any HTML entities in input. They will be
1236  # re-escaped by makeExternalLink().
1237 
1238  $url = Sanitizer::decodeCharReferences( $url );
1239 
1240  # Escape any control characters introduced by the above step
1241  $url = preg_replace( '/[\][<>"\\x00-\\x20\\x7F]/e', "urlencode('\\0')", $url );
1242 
1243  # Validate hostname portion
1244  $matches = array();
1245  if( preg_match( '!^([^:]+:)(//[^/]+)?(.*)$!iD', $url, $matches ) ) {
1246  list( /* $whole */, $protocol, $host, $rest ) = $matches;
1247 
1248  // Characters that will be ignored in IDNs.
1249  // http://tools.ietf.org/html/3454#section-3.1
1250  // Strip them before further processing so blacklists and such work.
1251  $strip = "/
1252  \\s| # general whitespace
1253  \xc2\xad| # 00ad SOFT HYPHEN
1254  \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
1255  \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
1256  \xe2\x81\xa0| # 2060 WORD JOINER
1257  \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
1258  \xcd\x8f| # 034f COMBINING GRAPHEME JOINER
1259  \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
1260  \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
1261  \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
1262  \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
1263  \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
1264  [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe00f VARIATION SELECTOR-1-16
1265  /xuD";
1266 
1267  $host = preg_replace( $strip, '', $host );
1268 
1269  // @fixme: validate hostnames here
1270 
1271  return $protocol . $host . $rest;
1272  } else {
1273  return $url;
$rest
$rest
Definition: goto.php:85
Sanitizer\decodeCharReferences
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string...
Definition: Sanitizer.php:973
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ decCharReference()

static Sanitizer::decCharReference (   $codepoint)
static

Definition at line 932 of file Sanitizer.php.

References validateCodepoint().

Referenced by normalizeWhitespace().

934  {
935  $point = intval( $codepoint );
936  if( Sanitizer::validateCodepoint( $point ) ) {
937  return sprintf( '&#%d;', $point );
938  } else {
939  return null;
Sanitizer\validateCodepoint
static validateCodepoint( $codepoint)
Returns true if a given Unicode codepoint is a valid character in XML.
Definition: Sanitizer.php:955
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ decodeChar()

static Sanitizer::decodeChar (   $codepoint)
staticprivate

Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.

Parameters
int$codepoint
Returns
string

Definition at line 1005 of file Sanitizer.php.

Referenced by hexCharReference().

1007  {
1008  if( Sanitizer::validateCodepoint( $codepoint ) ) {
1009  return codepointToUtf8( $codepoint );
1010  } else {
1011  return UTF8_REPLACEMENT;
UTF8_REPLACEMENT
const UTF8_REPLACEMENT
Definition: UtfNormal.php:83
codepointToUtf8
codepointToUtf8( $codepoint)
Return UTF-8 sequence for a given Unicode code point.
Definition: UtfNormalUtil.php:38
Sanitizer\validateCodepoint
static validateCodepoint( $codepoint)
Returns true if a given Unicode codepoint is a valid character in XML.
Definition: Sanitizer.php:955
+ Here is the caller graph for this function:

◆ decodeCharReferences()

static Sanitizer::decodeCharReferences (   $text)
static

Decode any character references, numeric or named entities, in the text and return a UTF-8 string.

Parameters
string$text
Returns
string

Definition at line 973 of file Sanitizer.php.

Referenced by cleanUrl(), Title\escapeFragmentForURL(), hexCharReference(), Parser\magicLinkCallback(), and Title\newFromText().

975  {
976  return preg_replace_callback(
977  MW_CHAR_REFS_REGEX,
978  array( 'Sanitizer', 'decodeCharReferencesCallback' ),
MW_CHAR_REFS_REGEX
const MW_CHAR_REFS_REGEX
Regular expression to match various types of character references in Sanitizer::normalizeCharReferenc...
Definition: Sanitizer.php:30
+ Here is the caller graph for this function:

◆ decodeCharReferencesCallback()

static Sanitizer::decodeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 984 of file Sanitizer.php.

Referenced by hexCharReference().

986  {
987  if( $matches[1] != '' ) {
988  return Sanitizer::decodeEntity( $matches[1] );
989  } elseif( $matches[2] != '' ) {
990  return Sanitizer::decodeChar( intval( $matches[2] ) );
991  } elseif( $matches[3] != '' ) {
992  return Sanitizer::decodeChar( hexdec( $matches[3] ) );
993  } elseif( $matches[4] != '' ) {
994  return Sanitizer::decodeChar( hexdec( $matches[4] ) );
995  }
996  # Last case should be an ampersand by itself
Sanitizer\decodeChar
static decodeChar( $codepoint)
Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEM...
Definition: Sanitizer.php:1005
Sanitizer\decodeEntity
static decodeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that chara...
Definition: Sanitizer.php:1021
+ Here is the caller graph for this function:

◆ decodeEntity()

static Sanitizer::decodeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.

Otherwise, returns pseudo-entity source (eg )

Parameters
string$name
Returns
string

Definition at line 1021 of file Sanitizer.php.

Referenced by hexCharReference().

1023  {
1024  global $wgHtmlEntities, $wgHtmlEntityAliases;
1025 
1026  if ( isset( $wgHtmlEntityAliases[$name] ) ) {
1027  $name = $wgHtmlEntityAliases[$name];
1028  }
1029  if( isset( $wgHtmlEntities[$name] ) ) {
1030  return codepointToUtf8( $wgHtmlEntities[$name] );
1031  } else {
1032  return "&$name;";
$wgHtmlEntities
global $wgHtmlEntities
List of all named character entities defined in HTML 4.01 http://www.w3.org/TR/html4/sgml/entities.html.
Definition: Sanitizer.php:61
codepointToUtf8
codepointToUtf8( $codepoint)
Return UTF-8 sequence for a given Unicode code point.
Definition: UtfNormalUtil.php:38
$wgHtmlEntityAliases
global $wgHtmlEntityAliases
Character entity aliases accepted by MediaWiki.
Definition: Sanitizer.php:319
+ Here is the caller graph for this function:

◆ decodeTagAttributes()

static Sanitizer::decodeTagAttributes (   $text)
static

Return an associative array of attribute names and values from a partial tag string.

Attribute names are forces to lowercase, character references are decoded to UTF-8 text.

Parameters
string
Returns
array

Definition at line 784 of file Sanitizer.php.

786  {
787  $attribs = array();
788 
789  if( trim( $text ) == '' ) {
790  return $attribs;
791  }
792 
793  $pairs = array();
794  if( !preg_match_all(
795  MW_ATTRIBS_REGEX,
796  $text,
797  $pairs,
798  PREG_SET_ORDER ) ) {
799  return $attribs;
800  }
801 
802  foreach( $pairs as $set ) {
803  $attribute = strtolower( $set[1] );
804  $value = Sanitizer::getTagAttributeCallback( $set );
805 
806  // Normalize whitespace
807  $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
808  $value = trim( $value );
809 
810  // Decode character references
811  $attribs[$attribute] = Sanitizer::decodeCharReferences( $value );
812  }
Sanitizer\getTagAttributeCallback
static getTagAttributeCallback( $set)
Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.
Definition: Sanitizer.php:822
Sanitizer\decodeCharReferences
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string...
Definition: Sanitizer.php:973
MW_ATTRIBS_REGEX
const MW_ATTRIBS_REGEX
Definition: Sanitizer.php:43

◆ encodeAttribute()

static Sanitizer::encodeAttribute (   $text)
static

Encode an attribute value for HTML output.

Parameters
$text
Returns
HTML-encoded text fragment

Definition at line 674 of file Sanitizer.php.

676  {
677  $encValue = htmlspecialchars( $text );
678 
679  // Whitespace is normalized during attribute decoding,
680  // so if we've been passed non-spaces we must encode them
681  // ahead of time or they won't be preserved.
682  $encValue = strtr( $encValue, array(
683  "\n" => '&#10;',
684  "\r" => '&#13;',
685  "\t" => '&#9;',
686  ) );
687 

◆ escapeClass()

static Sanitizer::escapeClass (   $class)
static

Given a value, escape it so that it can be used as a CSS class and return it.

Todo:
For extra validity, input should be validated UTF-8.
See also
http://www.w3.org/TR/CSS21/syndata.html Valid characters/format
Parameters
string$class
Returns
string

Definition at line 758 of file Sanitizer.php.

760  {
761  // Convert ugly stuff to underscores and kill underscores in ugly places
762  return rtrim(preg_replace(
763  array('/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/','/_+/'),
764  '_',

◆ escapeId()

static Sanitizer::escapeId (   $id)
static

Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link)

See also
http://www.w3.org/TR/html401/types.html#type-name Valid characters in the id and name attributes
http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute
Parameters
string$id
Returns
string

Definition at line 736 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache().

738  {
739  static $replace = array(
740  '%3A' => ':',
741  '%' => '.'
742  );
743 
744  $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
745 
Sanitizer\decodeCharReferences
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string...
Definition: Sanitizer.php:973
+ Here is the caller graph for this function:

◆ fixTagAttributes()

static Sanitizer::fixTagAttributes (   $text,
  $element 
)
static

Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.

Output is safe for further wikitext processing, with escaping of values that could trigger problems.

  • Normalizes attribute names to lowercase
  • Discards attributes not on a whitelist for the given element
  • Turns broken or invalid entities into plaintext
  • Double-quotes all attribute values
  • Attributes without values are given the name as attribute
  • Double attributes are discarded
  • Unsafe style attributes are discarded
  • Prepends space if there are attributes.
Parameters
string$text
string$element
Returns
string

Definition at line 651 of file Sanitizer.php.

653  {
654  if( trim( $text ) == '' ) {
655  return '';
656  }
657 
658  $stripped = Sanitizer::validateTagAttributes(
659  Sanitizer::decodeTagAttributes( $text ), $element );
660 
661  $attribs = array();
662  foreach( $stripped as $attribute => $value ) {
663  $encAttribute = htmlspecialchars( $attribute );
664  $encValue = Sanitizer::safeEncodeAttribute( $value );
665 
666  $attribs[] = "$encAttribute=\"$encValue\"";
667  }
Sanitizer\validateTagAttributes
static validateTagAttributes( $attribs, $element)
Take an array of attribute names and values and normalize or discard illegal values for the given ele...
Definition: Sanitizer.php:575
Sanitizer\decodeTagAttributes
static decodeTagAttributes( $text)
Return an associative array of attribute names and values from a partial tag string.
Definition: Sanitizer.php:784
Sanitizer\safeEncodeAttribute
static safeEncodeAttribute( $text)
Encode an attribute value for HTML tags, with extra armoring against further wiki processing...
Definition: Sanitizer.php:695

◆ getTagAttributeCallback()

static Sanitizer::getTagAttributeCallback (   $set)
staticprivate

Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.

Parameters
array$set
Returns
string

Definition at line 822 of file Sanitizer.php.

824  {
825  if( isset( $set[6] ) ) {
826  # Illegal #XXXXXX color with no quotes.
827  return $set[6];
828  } elseif( isset( $set[5] ) ) {
829  # No quotes.
830  return $set[5];
831  } elseif( isset( $set[4] ) ) {
832  # Single-quoted
833  return $set[4];
834  } elseif( isset( $set[3] ) ) {
835  # Double-quoted
836  return $set[3];
837  } elseif( !isset( $set[2] ) ) {
838  # In XHTML, attributes must have a value.
839  # For 'reduced' form, return explicitly the attribute name here.
840  return $set[1];
841  } else {
842  throw new MWException( "Tag conditions not met. This should never happen and is a bug." );

◆ hackDocType()

static Sanitizer::hackDocType ( )
static

Hack up a private DOCTYPE with HTML's standard entity declarations.

PHP 4 seemed to know these if you gave it an HTML doctype, but PHP 5.1 doesn't.

Use for passing XHTML fragments to PHP's XML parsing functions

Returns
string

Definition at line 1222 of file Sanitizer.php.

Referenced by hexCharReference().

1224  {
1225  global $wgHtmlEntities;
1226  $out = "<!DOCTYPE html [\n";
1227  foreach( $wgHtmlEntities as $entity => $codepoint ) {
1228  $out .= "<!ENTITY $entity \"&#$codepoint;\">";
1229  }
1230  $out .= "]>\n";
$wgHtmlEntities
global $wgHtmlEntities
List of all named character entities defined in HTML 4.01 http://www.w3.org/TR/html4/sgml/entities.html.
Definition: Sanitizer.php:61
+ Here is the caller graph for this function:

◆ hexCharReference()

static Sanitizer::hexCharReference (   $codepoint)
static

Definition at line 941 of file Sanitizer.php.

References $out, $wgHtmlEntities, $wgHtmlEntityAliases, attributeWhitelist(), codepointToUtf8(), decodeChar(), decodeCharReferences(), decodeCharReferencesCallback(), decodeEntity(), hackDocType(), MW_CHAR_REFS_REGEX, setupAttributeWhitelist(), stripAllTags(), UTF8_REPLACEMENT, and validateCodepoint().

Referenced by normalizeWhitespace().

943  {
944  $point = hexdec( $codepoint );
945  if( Sanitizer::validateCodepoint( $point ) ) {
946  return sprintf( '&#x%x;', $point );
947  } else {
948  return null;
Sanitizer\validateCodepoint
static validateCodepoint( $codepoint)
Returns true if a given Unicode codepoint is a valid character in XML.
Definition: Sanitizer.php:955
+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ normalizeAttributeValue()

static Sanitizer::normalizeAttributeValue (   $text)
staticprivate

Normalize whitespace and character references in an XML source- encoded text for an attribute value.

See http://www.w3.org/TR/REC-xml/#AVNormalize for background, but note that we're not returning the value, but are returning XML source fragments that will be slapped into output.

Parameters
string$text
Returns
string

Definition at line 856 of file Sanitizer.php.

858  {
859  return str_replace( '"', '&quot;',
860  self::normalizeWhitespace(

◆ normalizeCharReferences()

static Sanitizer::normalizeCharReferences (   $text)
staticprivate

Ensure that any entities and character references are legal for XML and XHTML specifically.

Any stray bits will be &-escaped to result in a valid text fragment.

a. any named char refs must be known in XHTML b. any numeric char refs must be legal chars, not invalid or forbidden c. use &#x, not &#X d. fix or reject non-valid attributes

Parameters
string$text
Returns
string

Definition at line 883 of file Sanitizer.php.

Referenced by normalizeWhitespace(), and Parser\setOutputType().

885  {
886  return preg_replace_callback(
887  MW_CHAR_REFS_REGEX,
888  array( 'Sanitizer', 'normalizeCharReferencesCallback' ),
MW_CHAR_REFS_REGEX
const MW_CHAR_REFS_REGEX
Regular expression to match various types of character references in Sanitizer::normalizeCharReferenc...
Definition: Sanitizer.php:30
+ Here is the caller graph for this function:

◆ normalizeCharReferencesCallback()

static Sanitizer::normalizeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 893 of file Sanitizer.php.

Referenced by normalizeWhitespace().

895  {
896  $ret = null;
897  if( $matches[1] != '' ) {
898  $ret = Sanitizer::normalizeEntity( $matches[1] );
899  } elseif( $matches[2] != '' ) {
900  $ret = Sanitizer::decCharReference( $matches[2] );
901  } elseif( $matches[3] != '' ) {
902  $ret = Sanitizer::hexCharReference( $matches[3] );
903  } elseif( $matches[4] != '' ) {
904  $ret = Sanitizer::hexCharReference( $matches[4] );
905  }
906  if( is_null( $ret ) ) {
907  return htmlspecialchars( $matches[0] );
908  } else {
909  return $ret;
$ret
$ret
Definition: Structures_BibTex_example.php:7
Sanitizer\hexCharReference
static hexCharReference( $codepoint)
Definition: Sanitizer.php:941
Sanitizer\decCharReference
static decCharReference( $codepoint)
Definition: Sanitizer.php:932
Sanitizer\normalizeEntity
static normalizeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is...
Definition: Sanitizer.php:921
+ Here is the caller graph for this function:

◆ normalizeEntity()

static Sanitizer::normalizeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is.

If the entity is a MediaWiki-specific alias, returns the HTML equivalent. Otherwise, returns HTML-escaped text of pseudo-entity source (eg &foo;)

Parameters
string$name
Returns
string

Definition at line 921 of file Sanitizer.php.

Referenced by normalizeWhitespace().

923  {
924  global $wgHtmlEntities, $wgHtmlEntityAliases;
925  if ( isset( $wgHtmlEntityAliases[$name] ) ) {
926  return "&{$wgHtmlEntityAliases[$name]};";
927  } elseif( isset( $wgHtmlEntities[$name] ) ) {
928  return "&$name;";
929  } else {
930  return "&amp;$name;";
$wgHtmlEntities
global $wgHtmlEntities
List of all named character entities defined in HTML 4.01 http://www.w3.org/TR/html4/sgml/entities.html.
Definition: Sanitizer.php:61
$wgHtmlEntityAliases
global $wgHtmlEntityAliases
Character entity aliases accepted by MediaWiki.
Definition: Sanitizer.php:319
+ Here is the caller graph for this function:

◆ normalizeWhitespace()

static Sanitizer::normalizeWhitespace (   $text)
staticprivate

Definition at line 862 of file Sanitizer.php.

References $ret, $wgHtmlEntities, $wgHtmlEntityAliases, decCharReference(), hexCharReference(), MW_CHAR_REFS_REGEX, normalizeCharReferences(), normalizeCharReferencesCallback(), and normalizeEntity().

864  {
865  return preg_replace(
866  '/\r\n|[\x20\x0d\x0a\x09]/',
867  ' ',
+ Here is the call graph for this function:

◆ removeHTMLcomments()

static Sanitizer::removeHTMLcomments (   $text)
staticprivate

Remove '', and everything between.

To avoid leaving blank lines, when a comment is both preceded and followed by a newline (ignoring spaces), trim leading and trailing spaces and one of the newlines.

Parameters
string$text
Returns
string

Definition at line 526 of file Sanitizer.php.

Referenced by Parser\closeList().

528  {
529  wfProfileIn( __METHOD__ );
530  while (($start = strpos($text, '<!--')) !== false) {
531  $end = strpos($text, '-->', $start + 4);
532  if ($end === false) {
533  # Unterminated comment; bail out
534  break;
535  }
536 
537  $end += 3;
538 
539  # Trim space and newline if the comment is both
540  # preceded and followed by a newline
541  $spaceStart = max($start - 1, 0);
542  $spaceLen = $end - $spaceStart;
543  while (substr($text, $spaceStart, 1) === ' ' && $spaceStart > 0) {
544  $spaceStart--;
545  $spaceLen++;
546  }
547  while (substr($text, $spaceStart + $spaceLen, 1) === ' ')
548  $spaceLen++;
549  if (substr($text, $spaceStart, 1) === "\n" and substr($text, $spaceStart + $spaceLen, 1) === "\n") {
550  # Remove the comment, leading and trailing
551  # spaces, and leave only one newline.
552  $text = substr_replace($text, "\n", $spaceStart, $spaceLen + 1);
553  }
554  else {
555  # Remove just the comment.
556  $text = substr_replace($text, '', $start, $end - $start);
557  }
558  }
559  wfProfileOut( __METHOD__ );
+ Here is the caller graph for this function:

◆ removeHTMLtags()

static Sanitizer::removeHTMLtags (   $text,
  $processCallback = null,
  $args = array() 
)
staticprivate

Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.

Parameters
string$text
callback$processCallbackto do any variable or parameter replacements in HTML attribute values
array$argsfor the processing callback
Returns
string

Definition at line 340 of file Sanitizer.php.

Referenced by Parser\closeList().

342  {
343  global $wgUseTidy;
344 
345  static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
346  $htmllist, $listtags, $htmlsingleallowed, $htmlelements, $staticInitialised;
347 
348  wfProfileIn( __METHOD__ );
349 
350  if ( !$staticInitialised ) {
351 
352  $htmlpairs = array( # Tags that must be closed
353  'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
354  'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
355  'strike', 'strong', 'tt', 'var', 'div', 'center',
356  'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
357  'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u'
358  );
359  $htmlsingle = array(
360  'br', 'hr', 'li', 'dt', 'dd'
361  );
362  $htmlsingleonly = array( # Elements that cannot have close tags
363  'br', 'hr'
364  );
365  $htmlnest = array( # Tags that can be nested--??
366  'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
367  'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
368  );
369  $tabletags = array( # Can only appear inside table, we will close them
370  'td', 'th', 'tr',
371  );
372  $htmllist = array( # Tags used by list
373  'ul','ol',
374  );
375  $listtags = array( # Tags that can appear in a list
376  'li',
377  );
378 
379  $htmlsingleallowed = array_merge( $htmlsingle, $tabletags );
380  $htmlelements = array_merge( $htmlsingle, $htmlpairs, $htmlnest );
381 
382  # Convert them all to hashtables for faster lookup
383  $vars = array( 'htmlpairs', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
384  'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelements' );
385  foreach ( $vars as $var ) {
386  $$var = array_flip( $$var );
387  }
388  $staticInitialised = true;
389  }
390 
391  # Remove HTML comments
392  $text = Sanitizer::removeHTMLcomments( $text );
393  $bits = explode( '<', $text );
394  $text = str_replace( '>', '&gt;', array_shift( $bits ) );
395  if(!$wgUseTidy) {
396  $tagstack = $tablestack = array();
397  foreach ( $bits as $x ) {
398  $regs = array();
399  if( preg_match( '!^(/?)(\\w+)([^>]*?)(/{0,1}>)([^<]*)$!', $x, $regs ) ) {
400  list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
401  } else {
402  $slash = $t = $params = $brace = $rest = null;
403  }
404 
405  $badtag = 0 ;
406  if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
407  # Check our stack
408  if ( $slash ) {
409  # Closing a tag...
410  if( isset( $htmlsingleonly[$t] ) ) {
411  $badtag = 1;
412  } elseif ( ( $ot = @array_pop( $tagstack ) ) != $t ) {
413  if ( isset( $htmlsingleallowed[$ot] ) ) {
414  # Pop all elements with an optional close tag
415  # and see if we find a match below them
416  $optstack = array();
417  array_push ($optstack, $ot);
418  while ( ( ( $ot = @array_pop( $tagstack ) ) != $t ) &&
419  isset( $htmlsingleallowed[$ot] ) )
420  {
421  array_push ($optstack, $ot);
422  }
423  if ( $t != $ot ) {
424  # No match. Push the optinal elements back again
425  $badtag = 1;
426  while ( $ot = @array_pop( $optstack ) ) {
427  array_push( $tagstack, $ot );
428  }
429  }
430  } else {
431  @array_push( $tagstack, $ot );
432  # <li> can be nested in <ul> or <ol>, skip those cases:
433  if(!(isset( $htmllist[$ot] ) && isset( $listtags[$t] ) )) {
434  $badtag = 1;
435  }
436  }
437  } else {
438  if ( $t == 'table' ) {
439  $tagstack = array_pop( $tablestack );
440  }
441  }
442  $newparams = '';
443  } else {
444  # Keep track for later
445  if ( isset( $tabletags[$t] ) &&
446  ! in_array( 'table', $tagstack ) ) {
447  $badtag = 1;
448  } else if ( in_array( $t, $tagstack ) &&
449  ! isset( $htmlnest [$t ] ) ) {
450  $badtag = 1 ;
451  # Is it a self closed htmlpair ? (bug 5487)
452  } else if( $brace == '/>' &&
453  isset( $htmlpairs[$t] ) ) {
454  $badtag = 1;
455  } elseif( isset( $htmlsingleonly[$t] ) ) {
456  # Hack to force empty tag for uncloseable elements
457  $brace = '/>';
458  } else if( isset( $htmlsingle[$t] ) ) {
459  # Hack to not close $htmlsingle tags
460  $brace = NULL;
461  } else if( isset( $tabletags[$t] )
462  && in_array($t ,$tagstack) ) {
463  // New table tag but forgot to close the previous one
464  $text .= "</$t>";
465  } else {
466  if ( $t == 'table' ) {
467  array_push( $tablestack, $tagstack );
468  $tagstack = array();
469  }
470  array_push( $tagstack, $t );
471  }
472 
473  # Replace any variables or template parameters with
474  # plaintext results.
475  if( is_callable( $processCallback ) ) {
476  call_user_func_array( $processCallback, array( &$params, $args ) );
477  }
478 
479  # Strip non-approved attributes from the tag
480  $newparams = Sanitizer::fixTagAttributes( $params, $t );
481  }
482  if ( ! $badtag ) {
483  $rest = str_replace( '>', '&gt;', $rest );
484  $close = ( $brace == '/>' && !$slash ) ? ' /' : '';
485  $text .= "<$slash$t$newparams$close>$rest";
486  continue;
487  }
488  }
489  $text .= '&lt;' . str_replace( '>', '&gt;', $x);
490  }
491  # Close off any remaining tags
492  while ( is_array( $tagstack ) && ($t = array_pop( $tagstack )) ) {
493  $text .= "</$t>\n";
494  if ( $t == 'table' ) { $tagstack = array_pop( $tablestack ); }
495  }
496  } else {
497  # this might be possible using tidy itself
498  foreach ( $bits as $x ) {
499  preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
500  $x, $regs );
501  @list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
502  if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
503  if( is_callable( $processCallback ) ) {
504  call_user_func_array( $processCallback, array( &$params, $args ) );
505  }
506  $newparams = Sanitizer::fixTagAttributes( $params, $t );
507  $rest = str_replace( '>', '&gt;', $rest );
508  $text .= "<$slash$t$newparams$brace$rest";
509  } else {
510  $text .= '&lt;' . str_replace( '>', '&gt;', $x);
511  }
512  }
513  }
514  wfProfileOut( __METHOD__ );
$rest
$rest
Definition: goto.php:85
$t
$t
Definition: class.ilBMFType_duration.php:154
Sanitizer\fixTagAttributes
static fixTagAttributes( $text, $element)
Take a tag soup fragment listing an HTML element&#39;s attributes and normalize it to well-formed XML...
Definition: Sanitizer.php:651
Sanitizer\removeHTMLcomments
static removeHTMLcomments( $text)
Remove &#39;&#39;, and everything between.
Definition: Sanitizer.php:526
+ Here is the caller graph for this function:

◆ safeEncodeAttribute()

static Sanitizer::safeEncodeAttribute (   $text)
static

Encode an attribute value for HTML tags, with extra armoring against further wiki processing.

Parameters
$text
Returns
HTML-encoded text fragment

Definition at line 695 of file Sanitizer.php.

697  {
698  $encValue = Sanitizer::encodeAttribute( $text );
699 
700  # Templates and links may be expanded in later parsing,
701  # creating invalid or dangerous output. Suppress this.
702  $encValue = strtr( $encValue, array(
703  '<' => '&lt;', // This should never happen,
704  '>' => '&gt;', // we've received invalid input
705  '"' => '&quot;', // which should have been escaped.
706  '{' => '&#123;',
707  '[' => '&#91;',
708  "''" => '&#39;&#39;',
709  'ISBN' => '&#73;SBN',
710  'RFC' => '&#82;FC',
711  'PMID' => '&#80;MID',
712  '|' => '&#124;',
713  '__' => '&#95;_',
714  ) );
715 
716  # Stupid hack
717  $encValue = preg_replace_callback(
718  '/(' . wfUrlProtocols() . ')/',
719  array( 'Sanitizer', 'armorLinksCallback' ),
720  $encValue );
Sanitizer\encodeAttribute
static encodeAttribute( $text)
Encode an attribute value for HTML output.
Definition: Sanitizer.php:674
wfUrlProtocols
wfUrlProtocols()
Returns a regular expression of url protocols.
Definition: class.ilMWParserAdapter.php:44

◆ setupAttributeWhitelist()

static Sanitizer::setupAttributeWhitelist ( )
static
Todo:
Document it a bit
Returns
array

Definition at line 1055 of file Sanitizer.php.

Referenced by hexCharReference().

1057  {
1058  $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
1059  $block = array_merge( $common, array( 'align' ) );
1060  $tablealign = array( 'align', 'char', 'charoff', 'valign' );
1061  $tablecell = array( 'abbr',
1062  'axis',
1063  'headers',
1064  'scope',
1065  'rowspan',
1066  'colspan',
1067  'nowrap', # deprecated
1068  'width', # deprecated
1069  'height', # deprecated
1070  'bgcolor' # deprecated
1071  );
1072 
1073  # Numbers refer to sections in HTML 4.01 standard describing the element.
1074  # See: http://www.w3.org/TR/html4/
1075  $whitelist = array (
1076  # 7.5.4
1077  'div' => $block,
1078  'center' => $common, # deprecated
1079  'span' => $block, # ??
1080 
1081  # 7.5.5
1082  'h1' => $block,
1083  'h2' => $block,
1084  'h3' => $block,
1085  'h4' => $block,
1086  'h5' => $block,
1087  'h6' => $block,
1088 
1089  # 7.5.6
1090  # address
1091 
1092  # 8.2.4
1093  # bdo
1094 
1095  # 9.2.1
1096  'em' => $common,
1097  'strong' => $common,
1098  'cite' => $common,
1099  # dfn
1100  'code' => $common,
1101  # samp
1102  # kbd
1103  'var' => $common,
1104  # abbr
1105  # acronym
1106 
1107  # 9.2.2
1108  'blockquote' => array_merge( $common, array( 'cite' ) ),
1109  # q
1110 
1111  # 9.2.3
1112  'sub' => $common,
1113  'sup' => $common,
1114 
1115  # 9.3.1
1116  'p' => $block,
1117 
1118  # 9.3.2
1119  'br' => array( 'id', 'class', 'title', 'style', 'clear' ),
1120 
1121  # 9.3.4
1122  'pre' => array_merge( $common, array( 'width' ) ),
1123 
1124  # 9.4
1125  'ins' => array_merge( $common, array( 'cite', 'datetime' ) ),
1126  'del' => array_merge( $common, array( 'cite', 'datetime' ) ),
1127 
1128  # 10.2
1129  'ul' => array_merge( $common, array( 'type' ) ),
1130  'ol' => array_merge( $common, array( 'type', 'start' ) ),
1131  'li' => array_merge( $common, array( 'type', 'value' ) ),
1132 
1133  # 10.3
1134  'dl' => $common,
1135  'dd' => $common,
1136  'dt' => $common,
1137 
1138  # 11.2.1
1139  'table' => array_merge( $common,
1140  array( 'summary', 'width', 'border', 'frame',
1141  'rules', 'cellspacing', 'cellpadding',
1142  'align', 'bgcolor',
1143  ) ),
1144 
1145  # 11.2.2
1146  'caption' => array_merge( $common, array( 'align' ) ),
1147 
1148  # 11.2.3
1149  'thead' => array_merge( $common, $tablealign ),
1150  'tfoot' => array_merge( $common, $tablealign ),
1151  'tbody' => array_merge( $common, $tablealign ),
1152 
1153  # 11.2.4
1154  'colgroup' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
1155  'col' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
1156 
1157  # 11.2.5
1158  'tr' => array_merge( $common, array( 'bgcolor' ), $tablealign ),
1159 
1160  # 11.2.6
1161  'td' => array_merge( $common, $tablecell, $tablealign ),
1162  'th' => array_merge( $common, $tablecell, $tablealign ),
1163 
1164  # 15.2.1
1165  'tt' => $common,
1166  'b' => $common,
1167  'i' => $common,
1168  'big' => $common,
1169  'small' => $common,
1170  'strike' => $common,
1171  's' => $common,
1172  'u' => $common,
1173 
1174  # 15.2.2
1175  'font' => array_merge( $common, array( 'size', 'color', 'face' ) ),
1176  # basefont
1177 
1178  # 15.3
1179  'hr' => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
1180 
1181  # XHTML Ruby annotation text module, simple ruby only.
1182  # http://www.w3c.org/TR/ruby/
1183  'ruby' => $common,
1184  # rbc
1185  # rtc
1186  'rb' => $common,
1187  'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
1188  'rp' => $common,
1189  );
+ Here is the caller graph for this function:

◆ stripAllTags()

static Sanitizer::stripAllTags (   $text)
static

Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.

Warning: this return value must be further escaped for literal inclusion in HTML output as of 1.10!

Parameters
string$textHTML fragment
Returns
string

Definition at line 1201 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache(), and hexCharReference().

1203  {
1204  # Actual <tags>
1205  $text = StringUtils::delimiterReplace( '<', '>', '', $text );
1206 
1207  # Normalize &entities and whitespace
1208  $text = self::decodeCharReferences( $text );
1209  $text = self::normalizeWhitespace( $text );
1210 
+ Here is the caller graph for this function:

◆ validateCodepoint()

static Sanitizer::validateCodepoint (   $codepoint)
staticprivate

Returns true if a given Unicode codepoint is a valid character in XML.

Parameters
int$codepoint
Returns
bool

Definition at line 955 of file Sanitizer.php.

Referenced by decCharReference(), and hexCharReference().

957  {
958  return ($codepoint == 0x09)
959  || ($codepoint == 0x0a)
960  || ($codepoint == 0x0d)
961  || ($codepoint >= 0x20 && $codepoint <= 0xd7ff)
962  || ($codepoint >= 0xe000 && $codepoint <= 0xfffd)
+ Here is the caller graph for this function:

◆ validateTagAttributes()

static Sanitizer::validateTagAttributes (   $attribs,
  $element 
)
static

Take an array of attribute names and values and normalize or discard illegal values for the given element type.

  • Discards attributes not on a whitelist for the given element
  • Unsafe style attributes are discarded
Parameters
array$attribs
string$element
Returns
array
Todo:

Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 575 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache().

575  :P
576  */
577  static function validateTagAttributes( $attribs, $element ) {
578  $whitelist = array_flip( Sanitizer::attributeWhitelist( $element ) );
579  $out = array();
580  foreach( $attribs as $attribute => $value ) {
581  if( !isset( $whitelist[$attribute] ) ) {
582  continue;
583  }
584  # Strip javascript "expression" from stylesheets.
585  # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
586  if( $attribute == 'style' ) {
587  $value = Sanitizer::checkCss( $value );
588  if( $value === false ) {
589  # haxx0r
590  continue;
591  }
592  }
593 
594  if ( $attribute === 'id' )
595  $value = Sanitizer::escapeId( $value );
596 
597  // If this attribute was previously set, override it.
598  // Output should only have one attribute of each name.
599  $out[$attribute] = $value;
600  }
Sanitizer\attributeWhitelist
static attributeWhitelist( $element)
Fetch the whitelist of acceptable attributes for a given element name.
Definition: Sanitizer.php:1041
Sanitizer\validateTagAttributes
static validateTagAttributes( $attribs, $element)
Take an array of attribute names and values and normalize or discard illegal values for the given ele...
Definition: Sanitizer.php:575
Sanitizer\escapeId
static escapeId( $id)
Given a value escape it so that it can be used in an id attribute and return it, this does not valida...
Definition: Sanitizer.php:736
Sanitizer\checkCss
static checkCss( $value)
Pick apart some CSS and check it for forbidden or unsafe structures.
Definition: Sanitizer.php:611
+ Here is the caller graph for this function:
The documentation for this class was generated from the following file: