Sanitizer Class Reference

Collaboration diagram for Sanitizer:

Static Public Member Functions
static	removeHTMLtags ($text, $processCallback=null, $args=array())
	Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments. More...
static	removeHTMLcomments ($text)
	Remove '', and everything between. More...
static	validateTagAttributes ($attribs, $element)
	Take an array of attribute names and values and normalize or discard illegal values for the given element type. More...
static	checkCss ($value)
	Pick apart some CSS and check it for forbidden or unsafe structures. More...
static	fixTagAttributes ($text, $element)
	Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes. More...
static	encodeAttribute ($text)
	Encode an attribute value for HTML output. More...
static	safeEncodeAttribute ($text)
	Encode an attribute value for HTML tags, with extra armoring against further wiki processing. More...
static	escapeId ($id)
	Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link) More...
static	escapeClass ($class)
	Given a value, escape it so that it can be used as a CSS class and return it. More...
static	decodeTagAttributes ($text)
	Return an associative array of attribute names and values from a partial tag string. More...
static	normalizeCharReferences ($text)
	Ensure that any entities and character references are legal for XML and XHTML specifically. More...
static	normalizeCharReferencesCallback ($matches)
static	normalizeEntity ($name)
	If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is. More...
static	decCharReference ($codepoint)
static	hexCharReference ($codepoint)
static	decodeCharReferences ($text)
	Decode any character references, numeric or named entities, in the text and return a UTF-8 string. More...
static	decodeCharReferencesCallback ($matches)
static	decodeChar ($codepoint)
	Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER. More...
static	decodeEntity ($name)
	If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character. More...
static	attributeWhitelist ($element)
	Fetch the whitelist of acceptable attributes for a given element name. More...
static	setupAttributeWhitelist ()
static	stripAllTags ($text)
	Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text. More...
static	hackDocType ()
	Hack up a private DOCTYPE with HTML's standard entity declarations. More...
static	cleanUrl ($url, $hostname=true)

Static Private Member Functions
static	armorLinksCallback ($matches)
	Regex replace callback for armoring links against further processing. More...
static	getTagAttributeCallback ($set)
	Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches. More...
static	normalizeAttributeValue ($text)
	Normalize whitespace and character references in an XML source- encoded text for an attribute value. More...
static	normalizeWhitespace ($text)
static	validateCodepoint ($codepoint)
	Returns true if a given Unicode codepoint is a valid character in XML. More...

Detailed Description

Definition at line 332 of file Sanitizer.php.

Member Function Documentation

armorLinksCallback()

static Sanitizer::armorLinksCallback (   $matches )

staticprivate

Regex replace callback for armoring links against further processing.

Parameters

array

$matches

Returns

string

Definition at line 799 of file Sanitizer.php.

    {

attributeWhitelist()

static Sanitizer::attributeWhitelist (   $element )

static

Fetch the whitelist of acceptable attributes for a given element name.

Parameters

string

$element

Returns

array

Definition at line 1091 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        static $list;
        if (!isset($list)) {
            $list = Sanitizer::setupAttributeWhitelist();
        }

Here is the caller graph for this function:

checkCss()

static Sanitizer::checkCss (   $value )

static

Pick apart some CSS and check it for forbidden or unsafe structures.

Returns a sanitized string, or false if it was just too evil.

Currently URL references, 'expression', 'tps' are forbidden.

Parameters

string

$value

Returns

mixed

Definition at line 621 of file Sanitizer.php.

    {
        $stripped = Sanitizer::decodeCharReferences($value);

        // Remove any comments; IE gets token splitting wrong
        $stripped = StringUtils::delimiterReplace('/*', '*/', ' ', $stripped);
        
        $value = $stripped;

        // ... and continue checks
        $stripped = preg_replace_callback(
            '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!',
            function ($hit) {
                return codepointToUtf8(hexdec($hit[1]));
            },
            $stripped
        );
        $stripped = str_replace('\\', '', $stripped);
        if (preg_match(
            '/(?:expression|tps*:\/\/|url\\s*\().*/is',
            $stripped
        )) {
            # haxx0r
            return false;

cleanUrl()

static Sanitizer::cleanUrl (   $url,   $hostname = true  )

static

NOTE: The original preg_replace/e IMPLICITLY adds a forward-slash on double quotes This could be a bug, but we will just mimic this behaviour 1:1 for now.

Definition at line 1288 of file Sanitizer.php.

References GuzzleHttp\Psr7\$protocol, $rest, $url, array, and decodeCharReferences().

Referenced by Parser\magicLinkCallback().

    {
        # Normalize any HTML entities in input. They will be
        # re-escaped by makeExternalLink().

        $url = Sanitizer::decodeCharReferences($url);

        # Escape any control characters introduced by the above step
        $url = preg_replace_callback(
            '/[\][<>"\\x00-\\x20\\x7F]/',
            function ($hit) {
                if ($hit[0] === '"') {
                    return urlencode('\\"');
                } else {
                    return urlencode($hit[0]);
                }
            },
            $url
        );

        # Validate hostname portion
        $matches = array();
        if (preg_match('!^([^:]+:)(//[^/]+)?(.*)$!iD', $url, $matches)) {
            list( /* $whole */, $protocol, $host, $rest) = $matches;

            // Characters that will be ignored in IDNs.
            // http://tools.ietf.org/html/3454#section-3.1
            // Strip them before further processing so blacklists and such work.
            $strip = "/
                                \\s|          # general whitespace
                                \xc2\xad|     # 00ad SOFT HYPHEN
                                \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
                                \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
                                \xe2\x81\xa0| # 2060 WORD JOINER
                                \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
                                \xcd\x8f|     # 034f COMBINING GRAPHEME JOINER
                                \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
                                \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
                                \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
                                \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
                                \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
                                [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe00f VARIATION SELECTOR-1-16
                                /xuD";

            $host = preg_replace($strip, '', $host);

            // @fixme: validate hostnames here

            return $protocol . $host . $rest;

Here is the call graph for this function:

Here is the caller graph for this function:

decCharReference()

static Sanitizer::decCharReference (   $codepoint )

static

Definition at line 974 of file Sanitizer.php.

References validateCodepoint().

    {
        $point = intval($codepoint);
        if (Sanitizer::validateCodepoint($point)) {
            return sprintf('&#%d;', $point);

Here is the call graph for this function:

decodeChar()

static Sanitizer::decodeChar (   $codepoint )

static

Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.

Parameters

int

$codepoint

Returns

string

Definition at line 1053 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        if (Sanitizer::validateCodepoint($codepoint)) {
            return codepointToUtf8($codepoint);

Here is the caller graph for this function:

decodeCharReferences()

static Sanitizer::decodeCharReferences (   $text )

static

Decode any character references, numeric or named entities, in the text and return a UTF-8 string.

Parameters

string

$text

Returns

string

Definition at line 1018 of file Sanitizer.php.

Referenced by cleanUrl(), Title\escapeFragmentForURL(), hexCharReference(), Parser\magicLinkCallback(), and Title\newFromText().

    {
        return preg_replace_callback(
            MW_CHAR_REFS_REGEX,

Here is the caller graph for this function:

decodeCharReferencesCallback()

static Sanitizer::decodeCharReferencesCallback (   $matches )

static

Parameters

string

$matches

Returns

string

Definition at line 1031 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        if ($matches[1] != '') {
            return Sanitizer::decodeEntity($matches[1]);
        } elseif ($matches[2] != '') {
            return  Sanitizer::decodeChar(intval($matches[2]));
        } elseif ($matches[3] != '') {
            return  Sanitizer::decodeChar(hexdec($matches[3]));
        } elseif ($matches[4] != '') {
            return  Sanitizer::decodeChar(hexdec($matches[4]));

Here is the caller graph for this function:

decodeEntity()

static Sanitizer::decodeEntity (   $name )

static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.

Otherwise, returns pseudo-entity source (eg )

Parameters

string

$name

Returns

string

Definition at line 1070 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        global $wgHtmlEntities, $wgHtmlEntityAliases;
        
        if (isset($wgHtmlEntityAliases[$name])) {
            $name = $wgHtmlEntityAliases[$name];
        }
        if (isset($wgHtmlEntities[$name])) {
            return codepointToUtf8($wgHtmlEntities[$name]);

Here is the caller graph for this function:

decodeTagAttributes()

static Sanitizer::decodeTagAttributes (   $text )

static

Return an associative array of attribute names and values from a partial tag string.

Attribute names are forces to lowercase, character references are decoded to UTF-8 text.

Parameters

string

Returns

array

Definition at line 812 of file Sanitizer.php.

    {
        $attribs = array();

        if (trim($text) == '') {
            return $attribs;
        }

        $pairs = array();
        if (!preg_match_all(
            MW_ATTRIBS_REGEX,
            $text,
            $pairs,
            PREG_SET_ORDER
        )) {
            return $attribs;
        }

        foreach ($pairs as $set) {
            $attribute = strtolower($set[1]);
            $value = Sanitizer::getTagAttributeCallback($set);

            // Normalize whitespace
            $value = preg_replace('/[\t\r\n ]+/', ' ', $value);
            $value = trim($value);

            // Decode character references

encodeAttribute()

static Sanitizer::encodeAttribute (   $text )

static

Encode an attribute value for HTML output.

Parameters

$text

Returns

HTML-encoded text fragment

Definition at line 695 of file Sanitizer.php.

    {
        $encValue = htmlspecialchars($text);

        // Whitespace is normalized during attribute decoding,
        // so if we've been passed non-spaces we must encode them
        // ahead of time or they won't be preserved.
        $encValue = strtr($encValue, array(
            "\n" => '
',
            "\r" => '
',
            "\t" => '	',

escapeClass()

static Sanitizer::escapeClass (   $class )

static

Given a value, escape it so that it can be used as a CSS class and return it.

Todo:

For extra validity, input should be validated UTF-8.

See also

http://www.w3.org/TR/CSS21/syndata.html Valid characters/format

Parameters

string

$class

Returns

string

Definition at line 783 of file Sanitizer.php.

    {
        // Convert ugly stuff to underscores and kill underscores in ugly places
        return rtrim(preg_replace(
            array('/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/','/_+/'),

escapeId()

static Sanitizer::escapeId (   $id )

static

Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link)

See also

http://www.w3.org/TR/html401/types.html#type-name Valid characters in the id and name attributes

http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute

Parameters

string

$id

Returns

string

Definition at line 760 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache().

    {
        static $replace = array(
            '%3A' => ':',
            '%' => '.'
        );

Here is the caller graph for this function:

fixTagAttributes()

static Sanitizer::fixTagAttributes (   $text,   $element  )

static

Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.

Output is safe for further wikitext processing, with escaping of values that could trigger problems.

• Normalizes attribute names to lowercase
• Discards attributes not on a whitelist for the given element
• Turns broken or invalid entities into plaintext
• Double-quotes all attribute values
• Attributes without values are given the name as attribute
• Double attributes are discarded
• Unsafe style attributes are discarded
• Prepends space if there are attributes.

Parameters

string	$text
string	$element

Returns

string

Definition at line 669 of file Sanitizer.php.

    {
        if (trim($text) == '') {
            return '';
        }

        $stripped = Sanitizer::validateTagAttributes(
            Sanitizer::decodeTagAttributes($text),
            $element
        );

        $attribs = array();
        foreach ($stripped as $attribute => $value) {
            $encAttribute = htmlspecialchars($attribute);
            $encValue = Sanitizer::safeEncodeAttribute($value);

getTagAttributeCallback()

static Sanitizer::getTagAttributeCallback (   $set )

staticprivate

Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.

Parameters

array

$set

Returns

string

Definition at line 852 of file Sanitizer.php.

    {
        if (isset($set[6])) {
            # Illegal #XXXXXX color with no quotes.
            return $set[6];
        } elseif (isset($set[5])) {
            # No quotes.
            return $set[5];
        } elseif (isset($set[4])) {
            # Single-quoted
            return $set[4];
        } elseif (isset($set[3])) {
            # Double-quoted
            return $set[3];
        } elseif (!isset($set[2])) {
            # In XHTML, attributes must have a value.
            # For 'reduced' form, return explicitly the attribute name here.
            return $set[1];

hackDocType()

static Sanitizer::hackDocType ( )

static

Hack up a private DOCTYPE with HTML's standard entity declarations.

PHP 4 seemed to know these if you gave it an HTML doctype, but PHP 5.1 doesn't.

Use for passing XHTML fragments to PHP's XML parsing functions

Returns

string

Definition at line 1277 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        global $wgHtmlEntities;
        $out = "<!DOCTYPE html [\n";
        foreach ($wgHtmlEntities as $entity => $codepoint) {
            $out .= "<!ENTITY $entity \"&#$codepoint;\">";

Here is the caller graph for this function:

hexCharReference()

static Sanitizer::hexCharReference (   $codepoint )

static

Definition at line 984 of file Sanitizer.php.

References $list, $name, $out, $text, $wgHtmlEntities, $wgHtmlEntityAliases, array, attributeWhitelist(), codepointToUtf8(), decodeChar(), decodeCharReferences(), decodeCharReferencesCallback(), decodeEntity(), hackDocType(), ILIAS\FileDelivery\http(), MW_CHAR_REFS_REGEX, setupAttributeWhitelist(), stripAllTags(), UTF8_REPLACEMENT, and validateCodepoint().

    {
        $point = hexdec($codepoint);
        if (Sanitizer::validateCodepoint($point)) {
            return sprintf('&#x%x;', $point);

Here is the call graph for this function:

normalizeAttributeValue()

static Sanitizer::normalizeAttributeValue (   $text )

staticprivate

Normalize whitespace and character references in an XML source- encoded text for an attribute value.

See http://www.w3.org/TR/REC-xml/#AVNormalize for background, but note that we're not returning the value, but are returning XML source fragments that will be slapped into output.

Parameters

string

$text

Returns

string

Definition at line 887 of file Sanitizer.php.

    {
        return str_replace(
            '"',
            '"',
            self::normalizeWhitespace(

normalizeCharReferences()

static Sanitizer::normalizeCharReferences (   $text )

static

Ensure that any entities and character references are legal for XML and XHTML specifically.

Any stray bits will be &-escaped to result in a valid text fragment.

a. any named char refs must be known in XHTML b. any numeric char refs must be legal chars, not invalid or forbidden c. use &#x, not &#X d. fix or reject non-valid attributes

Parameters

string

$text

Returns

string

Definition at line 921 of file Sanitizer.php.

Referenced by Parser\setOutputType().

    {
        return preg_replace_callback(
            MW_CHAR_REFS_REGEX,

Here is the caller graph for this function:

normalizeCharReferencesCallback()

static Sanitizer::normalizeCharReferencesCallback (   $matches )

static

Parameters

string

$matches

Returns

string

Definition at line 933 of file Sanitizer.php.

    {
        $ret = null;
        if ($matches[1] != '') {
            $ret = Sanitizer::normalizeEntity($matches[1]);
        } elseif ($matches[2] != '') {
            $ret = Sanitizer::decCharReference($matches[2]);
        } elseif ($matches[3] != '') {
            $ret = Sanitizer::hexCharReference($matches[3]);
        } elseif ($matches[4] != '') {
            $ret = Sanitizer::hexCharReference($matches[4]);
        }
        if (is_null($ret)) {
            return htmlspecialchars($matches[0]);

normalizeEntity()

static Sanitizer::normalizeEntity (   $name )

static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is.

If the entity is a MediaWiki-specific alias, returns the HTML equivalent. Otherwise, returns HTML-escaped text of pseudo-entity source (eg &foo;)

Parameters

string

$name

Returns

string

Definition at line 962 of file Sanitizer.php.

    {
        global $wgHtmlEntities, $wgHtmlEntityAliases;
        if (isset($wgHtmlEntityAliases[$name])) {
            return "&{$wgHtmlEntityAliases[$name]};";
        } elseif (isset($wgHtmlEntities[$name])) {
            return "&$name;";

normalizeWhitespace()

static Sanitizer::normalizeWhitespace (   $text )

staticprivate

Definition at line 898 of file Sanitizer.php.

    {
        return preg_replace(
            '/\r\n|[\x20\x0d\x0a\x09]/',

removeHTMLcomments()

static Sanitizer::removeHTMLcomments (   $text )

static

Remove '', and everything between.

To avoid leaving blank lines, when a comment is both preceded and followed by a newline (ignoring spaces), trim leading and trailing spaces and one of the newlines.

Parameters

string

$text

Returns

string

Definition at line 533 of file Sanitizer.php.

Referenced by Parser\createAssocArgs().

    {
        wfProfileIn(__METHOD__);
        while (($start = strpos($text, '<!--')) !== false) {
            $end = strpos($text, '-->', $start + 4);
            if ($end === false) {
                # Unterminated comment; bail out
                break;
            }

            $end += 3;

            # Trim space and newline if the comment is both
            # preceded and followed by a newline
            $spaceStart = max($start - 1, 0);
            $spaceLen = $end - $spaceStart;
            while (substr($text, $spaceStart, 1) === ' ' && $spaceStart > 0) {
                $spaceStart--;
                $spaceLen++;
            }
            while (substr($text, $spaceStart + $spaceLen, 1) === ' ') {
                $spaceLen++;
            }
            if (substr($text, $spaceStart, 1) === "\n" and substr($text, $spaceStart + $spaceLen, 1) === "\n") {
                # Remove the comment, leading and trailing
                # spaces, and leave only one newline.
                $text = substr_replace($text, "\n", $spaceStart, $spaceLen + 1);
            } else {
                # Remove just the comment.
                $text = substr_replace($text, '', $start, $end - $start);
            }

Here is the caller graph for this function:

removeHTMLtags()

static Sanitizer::removeHTMLtags (   $text,   $processCallback = null,   $args = array()  )

static

Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.

Parameters

string	$text
callback	$processCallback	to do any variable or parameter replacements in HTML attribute values
array	$args	for the processing callback

Returns

string

Definition at line 343 of file Sanitizer.php.

Referenced by Parser\createAssocArgs().

    {
        global $wgUseTidy;

        static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
            $htmllist, $listtags, $htmlsingleallowed, $htmlelements, $staticInitialised;

        wfProfileIn(__METHOD__);

        if (!$staticInitialised) {
            $htmlpairs = array( # Tags that must be closed
                'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
                'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
                'strike', 'strong', 'tt', 'var', 'div', 'center',
                'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
                'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u'
            );
            $htmlsingle = array(
                'br', 'hr', 'li', 'dt', 'dd'
            );
            $htmlsingleonly = array( # Elements that cannot have close tags
                'br', 'hr'
            );
            $htmlnest = array( # Tags that can be nested--??
                'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
                'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
            );
            $tabletags = array( # Can only appear inside table, we will close them
                'td', 'th', 'tr',
            );
            $htmllist = array( # Tags used by list
                'ul','ol',
            );
            $listtags = array( # Tags that can appear in a list
                'li',
            );

            $htmlsingleallowed = array_merge($htmlsingle, $tabletags);
            $htmlelements = array_merge($htmlsingle, $htmlpairs, $htmlnest);

            # Convert them all to hashtables for faster lookup
            $vars = array( 'htmlpairs', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
                'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelements' );
            foreach ($vars as $var) {
                $$var = array_flip($$var);
            }
            $staticInitialised = true;
        }

        # Remove HTML comments
        $text = Sanitizer::removeHTMLcomments($text);
        $bits = explode('<', $text);
        $text = str_replace('>', '&gt;', array_shift($bits));
        if (!$wgUseTidy) {
            $tagstack = $tablestack = array();
            foreach ($bits as $x) {
                $regs = array();
                if (preg_match('!^(/?)(\\w+)([^>]*?)(/{0,1}>)([^<]*)$!', $x, $regs)) {
                    list( /* $qbar */, $slash, $t, $params, $brace, $rest) = $regs;
                } else {
                    $slash = $t = $params = $brace = $rest = null;
                }

                $badtag = 0 ;
                if (isset($htmlelements[$t = strtolower($t)])) {
                    # Check our stack
                    if ($slash) {
                        # Closing a tag...
                        if (isset($htmlsingleonly[$t])) {
                            $badtag = 1;
                        } elseif (($ot = @array_pop($tagstack)) != $t) {
                            if (isset($htmlsingleallowed[$ot])) {
                                # Pop all elements with an optional close tag
                                # and see if we find a match below them
                                $optstack = array();
                                array_push($optstack, $ot);
                                while ((($ot = @array_pop($tagstack)) != $t) &&
                                        isset($htmlsingleallowed[$ot])) {
                                    array_push($optstack, $ot);
                                }
                                if ($t != $ot) {
                                    # No match. Push the optinal elements back again
                                    $badtag = 1;
                                    while ($ot = @array_pop($optstack)) {
                                        array_push($tagstack, $ot);
                                    }
                                }
                            } else {
                                @array_push($tagstack, $ot);
                                # <li> can be nested in <ul> or <ol>, skip those cases:
                                if (!(isset($htmllist[$ot]) && isset($listtags[$t]))) {
                                    $badtag = 1;
                                }
                            }
                        } else {
                            if ($t == 'table') {
                                $tagstack = array_pop($tablestack);
                            }
                        }
                        $newparams = '';
                    } else {
                        # Keep track for later
                        if (isset($tabletags[$t]) &&
                        !in_array('table', $tagstack)) {
                            $badtag = 1;
                        } elseif (in_array($t, $tagstack) &&
                        !isset($htmlnest [$t ])) {
                            $badtag = 1 ;
                        # Is it a self closed htmlpair ? (bug 5487)
                        } elseif ($brace == '/>' &&
                        isset($htmlpairs[$t])) {
                            $badtag = 1;
                        } elseif (isset($htmlsingleonly[$t])) {
                            # Hack to force empty tag for uncloseable elements
                            $brace = '/>';
                        } elseif (isset($htmlsingle[$t])) {
                            # Hack to not close $htmlsingle tags
                            $brace = null;
                        } elseif (isset($tabletags[$t])
                        &&  in_array($t, $tagstack)) {
                            // New table tag but forgot to close the previous one
                            $text .= "</$t>";
                        } else {
                            if ($t == 'table') {
                                array_push($tablestack, $tagstack);
                                $tagstack = array();
                            }
                            array_push($tagstack, $t);
                        }

                        # Replace any variables or template parameters with
                        # plaintext results.
                        if (is_callable($processCallback)) {
                            call_user_func_array($processCallback, array( &$params, $args ));
                        }

                        # Strip non-approved attributes from the tag
                        $newparams = Sanitizer::fixTagAttributes($params, $t);
                    }
                    if (!$badtag) {
                        $rest = str_replace('>', '&gt;', $rest);
                        $close = ($brace == '/>' && !$slash) ? ' /' : '';
                        $text .= "<$slash$t$newparams$close>$rest";
                        continue;
                    }
                }
                $text .= '&lt;' . str_replace('>', '&gt;', $x);
            }
            # Close off any remaining tags
            while (is_array($tagstack) && ($t = array_pop($tagstack))) {
                $text .= "</$t>\n";
                if ($t == 'table') {
                    $tagstack = array_pop($tablestack);
                }
            }
        } else {
            # this might be possible using tidy itself
            foreach ($bits as $x) {
                preg_match(
                    '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
                    $x,
                    $regs
                );
                @list( /* $qbar */, $slash, $t, $params, $brace, $rest) = $regs;
                if (isset($htmlelements[$t = strtolower($t)])) {
                    if (is_callable($processCallback)) {
                        call_user_func_array($processCallback, array( &$params, $args ));
                    }
                    $newparams = Sanitizer::fixTagAttributes($params, $t);
                    $rest = str_replace('>', '&gt;', $rest);
                    $text .= "<$slash$t$newparams$brace$rest";
                } else {
                    $text .= '&lt;' . str_replace('>', '&gt;', $x);
                }
            }

Here is the caller graph for this function:

safeEncodeAttribute()

static Sanitizer::safeEncodeAttribute (   $text )

static

Encode an attribute value for HTML tags, with extra armoring against further wiki processing.

Parameters

$text

Returns

HTML-encoded text fragment

Definition at line 717 of file Sanitizer.php.

    {
        $encValue = Sanitizer::encodeAttribute($text);

        # Templates and links may be expanded in later parsing,
        # creating invalid or dangerous output. Suppress this.
        $encValue = strtr($encValue, array(
            '<'    => '&lt;',   // This should never happen,
            '>'    => '&gt;',   // we've received invalid input
            '"'    => '&quot;', // which should have been escaped.
            '{'    => '&#123;',
            '['    => '&#91;',
            "''"   => '&#39;&#39;',
            'ISBN' => '&#73;SBN',
            'RFC'  => '&#82;FC',
            'PMID' => '&#80;MID',
            '|'    => '&#124;',
            '__'   => '&#95;_',
        ));

        # Stupid hack
        $encValue = preg_replace_callback(
            '/(' . wfUrlProtocols() . ')/',
            array( 'Sanitizer', 'armorLinksCallback' ),

setupAttributeWhitelist()

static Sanitizer::setupAttributeWhitelist ( )

static

Todo:

Document it a bit

Returns

array

Definition at line 1106 of file Sanitizer.php.

Referenced by hexCharReference().

    {
        $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
        $block = array_merge($common, array( 'align' ));
        $tablealign = array( 'align', 'char', 'charoff', 'valign' );
        $tablecell = array( 'abbr',
                            'axis',
                            'headers',
                            'scope',
                            'rowspan',
                            'colspan',
                            'nowrap', # deprecated
                            'width',  # deprecated
                            'height', # deprecated
                            'bgcolor' # deprecated
                            );

        # Numbers refer to sections in HTML 4.01 standard describing the element.
        # See: http://www.w3.org/TR/html4/
        $whitelist = array(
            # 7.5.4
            'div'        => $block,
            'center'     => $common, # deprecated
            'span'       => $block, # ??

            # 7.5.5
            'h1'         => $block,
            'h2'         => $block,
            'h3'         => $block,
            'h4'         => $block,
            'h5'         => $block,
            'h6'         => $block,

            # 7.5.6
            # address

            # 8.2.4
            # bdo

            # 9.2.1
            'em'         => $common,
            'strong'     => $common,
            'cite'       => $common,
            # dfn
            'code'       => $common,
            # samp
            # kbd
            'var'        => $common,
            # abbr
            # acronym

            # 9.2.2
            'blockquote' => array_merge($common, array( 'cite' )),
            # q

            # 9.2.3
            'sub'        => $common,
            'sup'        => $common,

            # 9.3.1
            'p'          => $block,

            # 9.3.2
            'br'         => array( 'id', 'class', 'title', 'style', 'clear' ),

            # 9.3.4
            'pre'        => array_merge($common, array( 'width' )),

            # 9.4
            'ins'        => array_merge($common, array( 'cite', 'datetime' )),
            'del'        => array_merge($common, array( 'cite', 'datetime' )),

            # 10.2
            'ul'         => array_merge($common, array( 'type' )),
            'ol'         => array_merge($common, array( 'type', 'start' )),
            'li'         => array_merge($common, array( 'type', 'value' )),

            # 10.3
            'dl'         => $common,
            'dd'         => $common,
            'dt'         => $common,

            # 11.2.1
            'table'      => array_merge(
                $common,
                array( 'summary', 'width', 'border', 'frame',
                                        'rules', 'cellspacing', 'cellpadding',
                                        'align', 'bgcolor',
                                )
            ),

            # 11.2.2
            'caption'    => array_merge($common, array( 'align' )),

            # 11.2.3
            'thead'      => array_merge($common, $tablealign),
            'tfoot'      => array_merge($common, $tablealign),
            'tbody'      => array_merge($common, $tablealign),

            # 11.2.4
            'colgroup'   => array_merge($common, array( 'span', 'width' ), $tablealign),
            'col'        => array_merge($common, array( 'span', 'width' ), $tablealign),

            # 11.2.5
            'tr'         => array_merge($common, array( 'bgcolor' ), $tablealign),

            # 11.2.6
            'td'         => array_merge($common, $tablecell, $tablealign),
            'th'         => array_merge($common, $tablecell, $tablealign),

            # 15.2.1
            'tt'         => $common,
            'b'          => $common,
            'i'          => $common,
            'big'        => $common,
            'small'      => $common,
            'strike'     => $common,
            's'          => $common,
            'u'          => $common,

            # 15.2.2
            'font'       => array_merge($common, array( 'size', 'color', 'face' )),
            # basefont

            # 15.3
            'hr'         => array_merge($common, array( 'noshade', 'size', 'width' )),

            # XHTML Ruby annotation text module, simple ruby only.
            # http://www.w3c.org/TR/ruby/
            'ruby'       => $common,
            # rbc
            # rtc
            'rb'         => $common,
            'rt'         => $common, #array_merge( $common, array( 'rbspan' ) ),

Here is the caller graph for this function:

stripAllTags()

static Sanitizer::stripAllTags (   $text )

static

Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.

Warning: this return value must be further escaped for literal inclusion in HTML output as of 1.10!

Parameters

string

$text

HTML fragment

Returns

string

Definition at line 1255 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache(), and hexCharReference().

    {
        # Actual <tags>
        $text = StringUtils::delimiterReplace('<', '>', '', $text);

        # Normalize &entities and whitespace
        $text = self::decodeCharReferences($text);

Here is the caller graph for this function:

validateCodepoint()

static Sanitizer::validateCodepoint (   $codepoint )

staticprivate

Returns true if a given Unicode codepoint is a valid character in XML.

Parameters

int

$codepoint

Returns

bool

Definition at line 999 of file Sanitizer.php.

Referenced by decCharReference(), and hexCharReference().

    {
        return ($codepoint ==    0x09)
            || ($codepoint ==    0x0a)
            || ($codepoint ==    0x0d)

Here is the caller graph for this function:

validateTagAttributes()

static Sanitizer::validateTagAttributes (   $attribs,   $element  )

static

Take an array of attribute names and values and normalize or discard illegal values for the given element type.

• Discards attributes not on a whitelist for the given element
• Unsafe style attributes are discarded

Parameters

array	$attribs
string	$element

Returns

array

Todo:

Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 583 of file Sanitizer.php.

Referenced by Parser\fetchScaryTemplateMaybeFromCache().

                                           :P
     */
    public static function validateTagAttributes($attribs, $element)
    {
        $whitelist = array_flip(Sanitizer::attributeWhitelist($element));
        $out = array();
        foreach ($attribs as $attribute => $value) {
            if (!isset($whitelist[$attribute])) {
                continue;
            }
            # Strip javascript "expression" from stylesheets.
            # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
            if ($attribute == 'style') {
                $value = Sanitizer::checkCss($value);
                if ($value === false) {
                    # haxx0r
                    continue;
                }
            }

            if ($attribute === 'id') {
                $value = Sanitizer::escapeId($value);
            }

            // If this attribute was previously set, override it.
            // Output should only have one attribute of each name.

Here is the caller graph for this function:

---

The documentation for this class was generated from the following file:

• Services/Utilities/classes/Sanitizer.php