30define(
'MW_CHAR_REFS_REGEX',
31 '/&([A-Za-z0-9\x80-\xff]+);
43$space =
'[\x09\x0a\x0d\x20]';
44define(
'MW_ATTRIBS_REGEX',
45 "/(?:^|$space)($attrib+)
48 # The attribute value: quoted or alone
51 | ([a-zA-Z0-9!#$%&()*,\\-.\\/:;<>?@[\\]^_`{|}~]+)
52 | (\#[0-9a-fA-F]+) # Technically wrong, but lots of
53 # colors are specified like this.
54 # We'll be normalizing it.
56 )?(?=$space|\$)/sx" );
345 static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
346 $htmllist, $listtags, $htmlsingleallowed, $htmlelements, $staticInitialised;
348 wfProfileIn( __METHOD__ );
350 if ( !$staticInitialised ) {
352 $htmlpairs = array( # Tags that must be closed
353 'b',
'del',
'i',
'ins',
'u',
'font',
'big',
'small',
'sub',
'sup',
'h1',
354 'h2',
'h3',
'h4',
'h5',
'h6',
'cite',
'code',
'em',
's',
355 'strike',
'strong',
'tt',
'var',
'div',
'center',
356 'blockquote',
'ol',
'ul',
'dl',
'table',
'caption',
'pre',
357 'ruby',
'rt' ,
'rb' ,
'rp',
'p',
'span',
'u'
360 'br',
'hr',
'li',
'dt',
'dd'
362 $htmlsingleonly = array( # Elements that cannot have close tags
365 $htmlnest = array( # Tags that can be nested--??
366 'table',
'tr',
'td',
'th',
'div',
'blockquote',
'ol',
'ul',
367 'dl',
'font',
'big',
'small',
'sub',
'sup',
'span'
369 $tabletags = array( # Can only appear inside table, we will close them
372 $htmllist = array( # Tags used by list
375 $listtags = array( # Tags that can appear in a list
379 $htmlsingleallowed = array_merge( $htmlsingle, $tabletags );
380 $htmlelements = array_merge( $htmlsingle, $htmlpairs, $htmlnest );
382 # Convert them all to hashtables for faster lookup
383 $vars = array(
'htmlpairs',
'htmlsingle',
'htmlsingleonly',
'htmlnest',
'tabletags',
384 'htmllist',
'listtags',
'htmlsingleallowed',
'htmlelements' );
385 foreach ( $vars as $var ) {
386 $$var = array_flip( $$var );
388 $staticInitialised =
true;
391 # Remove HTML comments
393 $bits = explode(
'<',
$text );
394 $text = str_replace(
'>',
'>', array_shift( $bits ) );
396 $tagstack = $tablestack = array();
397 foreach ( $bits as
$x ) {
399 if( preg_match(
'!^(/?)(\\w+)([^>]*?)(/{0,1}>)([^<]*)$!',
$x, $regs ) ) {
406 if ( isset( $htmlelements[
$t = strtolower(
$t )] ) ) {
410 if( isset( $htmlsingleonly[
$t] ) ) {
412 } elseif ( ( $ot = @array_pop( $tagstack ) ) !=
$t ) {
413 if ( isset( $htmlsingleallowed[$ot] ) ) {
414 # Pop all elements with an optional close tag
415 # and see if we find a match below them
417 array_push ($optstack, $ot);
418 while ( ( ( $ot = @array_pop( $tagstack ) ) !=
$t ) &&
419 isset( $htmlsingleallowed[$ot] ) )
421 array_push ($optstack, $ot);
424 # No match. Push the optinal elements back again
426 while ( $ot = @array_pop( $optstack ) ) {
427 array_push( $tagstack, $ot );
431 @array_push( $tagstack, $ot );
432 # <li> can be nested in <ul> or <ol>, skip those cases:
433 if(!(isset( $htmllist[$ot] ) && isset( $listtags[
$t] ) )) {
438 if (
$t ==
'table' ) {
439 $tagstack = array_pop( $tablestack );
444 # Keep track for later
445 if ( isset( $tabletags[
$t] ) &&
446 ! in_array(
'table', $tagstack ) ) {
448 }
else if ( in_array(
$t, $tagstack ) &&
449 ! isset( $htmlnest [
$t ] ) ) {
451 # Is it a self closed htmlpair ? (bug 5487)
452 }
else if( $brace ==
'/>' &&
453 isset( $htmlpairs[
$t] ) ) {
455 } elseif( isset( $htmlsingleonly[
$t] ) ) {
456 # Hack to force empty tag for uncloseable elements
458 }
else if( isset( $htmlsingle[
$t] ) ) {
459 # Hack to not close $htmlsingle tags
461 }
else if( isset( $tabletags[
$t] )
462 && in_array(
$t ,$tagstack) ) {
466 if (
$t ==
'table' ) {
467 array_push( $tablestack, $tagstack );
470 array_push( $tagstack,
$t );
473 # Replace any variables or template parameters with
475 if( is_callable( $processCallback ) ) {
476 call_user_func_array( $processCallback, array( &
$params, $args ) );
479 # Strip non-approved attributes from the tag
484 $close = ( $brace ==
'/>' && !$slash ) ?
' /' :
'';
485 $text .=
"<$slash$t$newparams$close>$rest";
489 $text .=
'<' . str_replace(
'>',
'>',
$x);
491 # Close off any remaining tags
492 while ( is_array( $tagstack ) && (
$t = array_pop( $tagstack )) ) {
494 if (
$t ==
'table' ) { $tagstack = array_pop( $tablestack ); }
497 # this might be possible using tidy itself
498 foreach ( $bits as
$x ) {
499 preg_match(
'/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
502 if ( isset( $htmlelements[
$t = strtolower(
$t )] ) ) {
503 if( is_callable( $processCallback ) ) {
504 call_user_func_array( $processCallback, array( &
$params, $args ) );
508 $text .=
"<$slash$t$newparams$brace$rest";
510 $text .=
'<' . str_replace(
'>',
'>',
$x);
514 wfProfileOut( __METHOD__ );
529 wfProfileIn( __METHOD__ );
530 while (($start = strpos(
$text,
'<!--')) !==
false) {
531 $end = strpos(
$text,
'-->', $start + 4);
532 if ($end ===
false) {
533 # Unterminated comment; bail out
539 # Trim space and newline if the comment is both
540 # preceded and followed by a newline
541 $spaceStart = max($start - 1, 0);
542 $spaceLen = $end - $spaceStart;
543 while (substr(
$text, $spaceStart, 1) ===
' ' && $spaceStart > 0) {
547 while (substr(
$text, $spaceStart + $spaceLen, 1) ===
' ')
549 if (substr(
$text, $spaceStart, 1) ===
"\n" and substr(
$text, $spaceStart + $spaceLen, 1) ===
"\n") {
550 # Remove the comment, leading and trailing
551 # spaces, and leave only one newline.
552 $text = substr_replace(
$text,
"\n", $spaceStart, $spaceLen + 1);
555 # Remove just the comment.
556 $text = substr_replace(
$text,
'', $start, $end - $start);
559 wfProfileOut( __METHOD__ );
580 foreach( $attribs as $attribute => $value ) {
581 if( !isset( $whitelist[$attribute] ) ) {
584 # Strip javascript "expression" from stylesheets.
586 if( $attribute ==
'style' ) {
588 if( $value ===
false ) {
594 if ( $attribute ===
'id' )
599 $out[$attribute] = $value;
613 static function checkCss( $value ) {
617 $stripped = StringUtils::delimiterReplace(
'/*',
'*/',
' ', $stripped );
622 $stripped = preg_replace_callback(
623 '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!',
629 $stripped = str_replace(
'\\',
'', $stripped );
630 if( preg_match(
'/(?:expression|tps*:\/\/|url\\s*\().*/is',
659 if( trim(
$text ) ==
'' ) {
667 foreach( $stripped as $attribute => $value ) {
668 $encAttribute = htmlspecialchars( $attribute );
671 $attribs[] =
"$encAttribute=\"$encValue\"";
673 return count( $attribs ) ?
' ' . implode(
' ', $attribs ) :
'';
682 $encValue = htmlspecialchars(
$text );
687 $encValue = strtr( $encValue, array(
705 # Templates and links may be expanded in later parsing,
706 # creating invalid or dangerous output. Suppress this.
707 $encValue = strtr( $encValue, array(
713 "''" =>
'''',
714 'ISBN' =>
'ISBN',
716 'PMID' =>
'PMID',
722 $encValue = preg_replace_callback(
724 array(
'Sanitizer',
'armorLinksCallback' ),
744 static $replace = array(
751 return str_replace( array_keys( $replace ), array_values( $replace ), $id );
767 return rtrim(preg_replace(
768 array(
'/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/',
'/_+/'),
780 return str_replace(
':',
':', $matches[1] );
794 if( trim(
$text ) ==
'' ) {
807 foreach( $pairs as $set ) {
808 $attribute = strtolower( $set[1] );
812 $value = preg_replace(
'/[\t\r\n ]+/',
' ', $value );
813 $value = trim( $value );
830 if( isset( $set[6] ) ) {
831 # Illegal #XXXXXX color with no quotes.
833 } elseif( isset( $set[5] ) ) {
836 } elseif( isset( $set[4] ) ) {
839 } elseif( isset( $set[3] ) ) {
842 } elseif( !isset( $set[2] ) ) {
843 # In XHTML, attributes must have a value.
844 # For 'reduced' form, return explicitly the attribute name here.
847 throw new MWException(
"Tag conditions not met. This should never happen and is a bug." );
864 return str_replace(
'"',
'"',
865 self::normalizeWhitespace(
871 '/\r\n|[\x20\x0d\x0a\x09]/',
891 return preg_replace_callback(
893 array(
'Sanitizer',
'normalizeCharReferencesCallback' ),
902 if( $matches[1] !=
'' ) {
904 } elseif( $matches[2] !=
'' ) {
906 } elseif( $matches[3] !=
'' ) {
908 } elseif( $matches[4] !=
'' ) {
911 if( is_null(
$ret ) ) {
912 return htmlspecialchars( $matches[0] );
931 return "&{$wgHtmlEntityAliases[$name]};";
935 return "&$name;";
940 $point = intval( $codepoint );
942 return sprintf(
'&#%d;', $point );
949 $point = hexdec( $codepoint );
951 return sprintf(
'&#x%x;', $point );
963 return ($codepoint == 0x09)
964 || ($codepoint == 0x0a)
965 || ($codepoint == 0x0d)
966 || ($codepoint >= 0x20 && $codepoint <= 0xd7ff)
967 || ($codepoint >= 0xe000 && $codepoint <= 0xfffd)
968 || ($codepoint >= 0x10000 && $codepoint <= 0x10ffff);
981 return preg_replace_callback(
983 array(
'Sanitizer',
'decodeCharReferencesCallback' ),
992 if( $matches[1] !=
'' ) {
994 } elseif( $matches[2] !=
'' ) {
996 } elseif( $matches[3] !=
'' ) {
998 } elseif( $matches[4] !=
'' ) {
1001 # Last case should be an ampersand by itself
1050 if( !isset( $list ) ) {
1053 return isset( $list[$element] )
1063 $common = array(
'id',
'class',
'lang',
'dir',
'title',
'style' );
1064 $block = array_merge( $common, array(
'align' ) );
1065 $tablealign = array(
'align',
'char',
'charoff',
'valign' );
1066 $tablecell = array(
'abbr',
1072 'nowrap', # deprecated
1073 'width', # deprecated
1074 'height', # deprecated
1075 'bgcolor' # deprecated
1078 # Numbers refer to sections in HTML 4.01 standard describing the element.
1080 $whitelist = array (
1083 'center' => $common, # deprecated
1084 'span' => $block, # ??
1102 'strong' => $common,
1113 'blockquote' => array_merge( $common, array(
'cite' ) ),
1124 'br' => array(
'id',
'class',
'title',
'style',
'clear' ),
1127 'pre' => array_merge( $common, array(
'width' ) ),
1130 'ins' => array_merge( $common, array(
'cite',
'datetime' ) ),
1131 'del' => array_merge( $common, array(
'cite',
'datetime' ) ),
1134 'ul' => array_merge( $common, array(
'type' ) ),
1135 'ol' => array_merge( $common, array(
'type',
'start' ) ),
1136 'li' => array_merge( $common, array(
'type',
'value' ) ),
1144 'table' => array_merge( $common,
1145 array(
'summary',
'width',
'border',
'frame',
1146 'rules',
'cellspacing',
'cellpadding',
1151 'caption' => array_merge( $common, array(
'align' ) ),
1154 'thead' => array_merge( $common, $tablealign ),
1155 'tfoot' => array_merge( $common, $tablealign ),
1156 'tbody' => array_merge( $common, $tablealign ),
1159 'colgroup' => array_merge( $common, array(
'span',
'width' ), $tablealign ),
1160 'col' => array_merge( $common, array(
'span',
'width' ), $tablealign ),
1163 'tr' => array_merge( $common, array(
'bgcolor' ), $tablealign ),
1166 'td' => array_merge( $common, $tablecell, $tablealign ),
1167 'th' => array_merge( $common, $tablecell, $tablealign ),
1175 'strike' => $common,
1180 'font' => array_merge( $common, array(
'size',
'color',
'face' ) ),
1184 'hr' => array_merge( $common, array(
'noshade',
'size',
'width' ) ),
1186 # XHTML Ruby annotation text module, simple ruby only.
1192 'rt' => $common, #array_merge( $common, array(
'rbspan' ) ),
1210 $text = StringUtils::delimiterReplace(
'<',
'>',
'',
$text );
1212 # Normalize &entities and whitespace
1231 $out =
"<!DOCTYPE html [\n";
1233 $out .=
"<!ENTITY $entity \"&#$codepoint;\">";
1240 # Normalize any HTML entities in input. They will be
1241 # re-escaped by makeExternalLink().
1245 # Escape any control characters introduced by the above step
1246 $url = preg_replace_callback(
1247 '/[\][<>"\\x00-\\x20\\x7F]/',
1249 if($hit[0] ===
'"') {
1255 return urlencode (
'\\"');
1257 return urlencode($hit[0]);
1263 # Validate hostname portion
1265 if( preg_match(
'!^([^:]+:)(//[^/]+)?(.*)$!iD',
$url, $matches ) ) {
1266 list( , $protocol, $host,
$rest ) = $matches;
1272 \\s| # general whitespace
1273 \xc2\xad| # 00ad SOFT HYPHEN
1274 \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
1275 \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
1276 \xe2\x81\xa0| # 2060 WORD JOINER
1277 \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
1278 \xcd\x8f| # 034f COMBINING GRAPHEME JOINER
1279 \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
1280 \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
1281 \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
1282 \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
1283 \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
1284 [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe00f VARIATION SELECTOR-1-16
1287 $host = preg_replace( $strip,
'', $host );
1291 return $protocol . $host .
$rest;
global $wgHtmlEntities
List of all named character entities defined in HTML 4.01 http://www.w3.org/TR/html4/sgml/entities....
const MW_CHAR_REFS_REGEX
Regular expression to match various types of character references in Sanitizer::normalizeCharReferenc...
$attrib
Regular expression to match HTML/XML attribute pairs within a tag.
global $wgHtmlEntityAliases
Character entity aliases accepted by MediaWiki.
static armorLinksCallback( $matches)
Regex replace callback for armoring links against further processing.
static stripAllTags( $text)
Take a fragment of (potentially invalid) HTML and return a version with any tags removed,...
static decCharReference( $codepoint)
static decodeChar( $codepoint)
Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEM...
static checkCss( $value)
Pick apart some CSS and check it for forbidden or unsafe structures.
static decodeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that chara...
static normalizeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is...
static fixTagAttributes( $text, $element)
Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML,...
static removeHTMLcomments( $text)
Remove '', and everything between.
static encodeAttribute( $text)
Encode an attribute value for HTML output.
static hexCharReference( $codepoint)
static validateTagAttributes( $attribs, $element)
Take an array of attribute names and values and normalize or discard illegal values for the given ele...
static escapeClass( $class)
Given a value, escape it so that it can be used as a CSS class and return it.
static setupAttributeWhitelist()
static normalizeCharReferencesCallback( $matches)
static hackDocType()
Hack up a private DOCTYPE with HTML's standard entity declarations.
static normalizeCharReferences( $text)
Ensure that any entities and character references are legal for XML and XHTML specifically.
static normalizeWhitespace( $text)
static cleanUrl( $url, $hostname=true)
static validateCodepoint( $codepoint)
Returns true if a given Unicode codepoint is a valid character in XML.
static removeHTMLtags( $text, $processCallback=null, $args=array())
Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string.
static getTagAttributeCallback( $set)
Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.
static normalizeAttributeValue( $text)
Normalize whitespace and character references in an XML source- encoded text for an attribute value.
static attributeWhitelist( $element)
Fetch the whitelist of acceptable attributes for a given element name.
static decodeCharReferencesCallback( $matches)
static decodeTagAttributes( $text)
Return an associative array of attribute names and values from a partial tag string.
static escapeId( $id)
Given a value escape it so that it can be used in an id attribute and return it, this does not valida...
static safeEncodeAttribute( $text)
Encode an attribute value for HTML tags, with extra armoring against further wiki processing.
wfUrlProtocols()
Returns a regular expression of url protocols.
codepointToUtf8( $codepoint)
Return UTF-8 sequence for a given Unicode code point.