MediaWiki  1.23.8
Go to the documentation of this file.
1 <?php
9  protected function setUp() {
10  parent::setUp();
12  AutoLoader::loadClass( 'Sanitizer' );
13  }
18  public function testDecodeNamedEntities() {
19  $this->assertEquals(
20  "\xc3\xa9cole",
21  Sanitizer::decodeCharReferences( '&eacute;cole' ),
22  'decode named entities'
23  );
24  }
29  public function testDecodeNumericEntities() {
30  $this->assertEquals(
31  "\xc4\x88io bonas dans l'\xc3\xa9cole!",
32  Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
33  'decode numeric entities'
34  );
35  }
40  public function testDecodeMixedEntities() {
41  $this->assertEquals(
42  "\xc4\x88io bonas dans l'\xc3\xa9cole!",
43  Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
44  'decode mixed numeric/named entities'
45  );
46  }
51  public function testDecodeMixedComplexEntities() {
52  $this->assertEquals(
53  "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
55  "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
56  ),
57  'decode mixed complex entities'
58  );
59  }
64  public function testInvalidAmpersand() {
65  $this->assertEquals(
66  'a & b',
68  'Invalid ampersand'
69  );
70  }
75  public function testInvalidEntities() {
76  $this->assertEquals(
77  '&foo;',
79  'Invalid named entity'
80  );
81  }
86  public function testInvalidNumberedEntities() {
87  $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
88  }
97  public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
98  $this->setMwGlobals( array(
99  'wgUseTidy' => false
100  ) );
102  if ( $escaped ) {
103  $this->assertEquals( "&lt;$tag&gt;",
104  Sanitizer::removeHTMLtags( "<$tag>" )
105  );
106  } else {
107  $this->assertEquals( "<$tag></$tag>\n",
108  Sanitizer::removeHTMLtags( "<$tag>" )
109  );
110  }
111  }
116  public static function provideHtml5Tags() {
117  $ESCAPED = true; # We want tag to be escaped
118  $VERBATIM = false; # We want to keep the tag
119  return array(
120  array( 'data', $VERBATIM ),
121  array( 'mark', $VERBATIM ),
122  array( 'time', $VERBATIM ),
123  array( 'video', $ESCAPED ),
124  );
125  }
127  function dataRemoveHTMLtags() {
128  return array(
129  // former testSelfClosingTag
130  array(
131  '<div>Hello world</div />',
132  '<div>Hello world</div>',
133  'Self-closing closing div'
134  ),
135  // Make sure special nested HTML5 semantics are not broken
136  //
137  array(
138  '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
139  '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
140  'Nested <kbd>.'
141  ),
142  //
143  array(
144  '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
145  '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
146  'Nested <var>.'
147  ),
148  //
149  array(
150  '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
151  '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
152  '<abbr> inside <dfn>',
153  ),
154  );
155  }
161  public function testRemoveHTMLtags( $input, $output, $msg = null ) {
162  $GLOBALS['wgUseTidy'] = false;
163  $this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
164  }
170  public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
171  $this->assertEquals( $expected,
172  Sanitizer::decodeTagAttributes( $attributes ),
173  $message
174  );
175  }
177  public static function provideTagAttributesToDecode() {
178  return array(
179  array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
180  array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
181  array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
182  array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
183  array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
184  array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
185  array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
186  array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
187  array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
188  array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
189  array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
191  # Invalid beginning
192  array( array(), '-foo=bar', 'Leading - is forbidden' ),
193  array( array(), '.foo=bar', 'Leading . is forbidden' ),
194  array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
195  array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
196  array( array( '' => 'baz' ), '', 'A . is allowed inside the attribute' ),
197  array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
198  array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
200  # This bit is more relaxed than XML rules, but some extensions use
201  # it, like ProofreadPage (see bug 27539)
202  array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
203  array( array(), 'foo$=baz', 'Symbols are not allowed' ),
204  array( array(), 'foo@=baz', 'Symbols are not allowed' ),
205  array( array(), 'foo~=baz', 'Symbols are not allowed' ),
206  array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
207  array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
208  array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
209  array( array( 'foo' => '&"' ), 'foo=&amp;&quot;', 'Special chars can be provided as entities' ),
210  array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
211  );
212  }
218  public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
219  $this->assertEquals( " $inputAttr",
220  Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
221  $message
222  );
223  }
225  public static function provideDeprecatedAttributes() {
227  return array(
228  array( 'clear="left"', 'br' ),
229  array( 'clear="all"', 'br' ),
230  array( 'width="100"', 'td' ),
231  array( 'nowrap="true"', 'td' ),
232  array( 'nowrap=""', 'td' ),
233  array( 'align="right"', 'td' ),
234  array( 'align="center"', 'table' ),
235  array( 'align="left"', 'tr' ),
236  array( 'align="center"', 'div' ),
237  array( 'align="left"', 'h1' ),
238  array( 'align="left"', 'p' ),
239  );
240  }
246  public function testCssCommentsChecking( $expected, $css, $message = '' ) {
247  $this->assertEquals( $expected,
249  $message
250  );
251  }
253  public static function provideCssCommentsFixtures() {
255  return array(
256  // Valid comments spanning entire input
257  array( '/**/', '/**/' ),
258  array( '/* comment */', '/* comment */' ),
259  // Weird stuff
260  array( ' ', '/****/' ),
261  array( ' ', '/* /* */' ),
262  array( 'display: block;', "display:/* foo */block;" ),
263  array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
264  'Backslash-escaped comments must be stripped (bug 28450)' ),
265  array( '', '/* unfinished comment structure',
266  'Remove anything after a comment-start token' ),
267  array( '', "\\2f\\2a unifinished comment'",
268  'Remove anything after a backslash-escaped comment-start token' ),
269  array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');' ),
270  array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";' ),
271  array( '/* insecure input */', 'width: expression(1+1);' ),
272  array( '/* insecure input */', 'background-image: image(asdf.png);' ),
273  array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
274  array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
275  array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
276  array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
277  array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
278  );
279  }
284  public static function provideAttributeSupport() {
286  return array(
287  array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
288  array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
289  );
290  }
296  public function testAttributeSupport( $tag, $attributes, $expected, $message ) {
297  $this->assertEquals( $expected,
298  Sanitizer::fixTagAttributes( $attributes, $tag ),
299  $message
300  );
301  }
302 }
skin txt MediaWiki includes four core it has been set as the default in MediaWiki since the replacing Monobook it had been been the default skin since before being replaced by Vector largely rewritten in while keeping its appearance Several legacy skins were removed in the as the burden of supporting them became too heavy to bear Those in etc for skin dependent CSS etc for skin dependent JavaScript These can also be customised on a per user by etc This feature has led to a wide variety of user styles becoming that gallery is a good place to ending in php
Definition: skin.txt:62
static provideCssCommentsFixtures()
Definition: SanitizerTest.php:253
We use the convention $dbr for read and $dbw for write to help you keep track of whether the database object is a the world will explode Or to be a subsequent write query which succeeded on the master may fail when replicated to the slave due to a unique key collision Replication on the slave will stop and it may take hours to repair the database and get it back online Setting read_only in my cnf on the slave will avoid this but given the dire we prefer to have as many checks as possible We provide a but the wrapper functions like please read the documentation for except in special pages derived from QueryPage It s a common pitfall for new developers to submit code containing SQL queries which examine huge numbers of rows Remember that COUNT * is(N), counting rows in atable is like counting beans in a bucket.------------------------------------------------------------------------ Replication------------------------------------------------------------------------The largest installation of MediaWiki, Wikimedia, uses a large set ofslave MySQL servers replicating writes made to a master MySQL server. Itis important to understand the issues associated with this setup if youwant to write code destined for Wikipedia.It 's often the case that the best algorithm to use for a given taskdepends on whether or not replication is in use. Due to our unabashedWikipedia-centrism, we often just use the replication-friendly version, but if you like, you can use wfGetLB() ->getServerCount() > 1 tocheck to see if replication is in use.===Lag===Lag primarily occurs when large write queries are sent to the master.Writes on the master are executed in parallel, but they are executed inserial when they are replicated to the slaves. The master writes thequery to the binlog when the transaction is committed. The slaves pollthe binlog and start executing the query as soon as it appears. They canservice reads while they are performing a write query, but will not readanything more from the binlog and thus will perform no more writes. Thismeans that if the write query runs for a long time, the slaves will lagbehind the master for the time it takes for the write query to complete.Lag can be exacerbated by high read load. MediaWiki 's load balancer willstop sending reads to a slave when it is lagged by more than 30 seconds.If the load ratios are set incorrectly, or if there is too much loadgenerally, this may lead to a slave permanently hovering around 30seconds lag.If all slaves are lagged by more than 30 seconds, MediaWiki will stopwriting to the database. All edits and other write operations will berefused, with an error returned to the user. This gives the slaves achance to catch up. Before we had this mechanism, the slaves wouldregularly lag by several minutes, making review of recent editsdifficult.In addition to this, MediaWiki attempts to ensure that the user seesevents occurring on the wiki in chronological order. A few seconds of lagcan be tolerated, as long as the user sees a consistent picture fromsubsequent requests. This is done by saving the master binlog positionin the session, and then at the start of each request, waiting for theslave to catch up to that position before doing any reads from it. Ifthis wait times out, reads are allowed anyway, but the request isconsidered to be in "lagged slave mode". Lagged slave mode can bechecked by calling wfGetLB() ->getLaggedSlaveMode(). The onlypractical consequence at present is a warning displayed in the pagefooter.===Lag avoidance===To avoid excessive lag, queries which write large numbers of rows shouldbe split up, generally to write one row at a time. Multi-row INSERT ...SELECT queries are the worst offenders should be avoided altogether.Instead do the select first and then the insert.===Working with lag===Despite our best efforts, it 's not practical to guarantee a low-lagenvironment. Lag will usually be less than one second, but mayoccasionally be up to 30 seconds. For scalability, it 's very importantto keep load on the master low, so simply sending all your queries tothe master is not the answer. So when you have a genuine need forup-to-date data, the following approach is advised:1) Do a quick query to the master for a sequence number or timestamp 2) Run the full query on the slave and check if it matches the data you gotfrom the master 3) If it doesn 't, run the full query on the masterTo avoid swamping the master every time the slaves lag, use of thisapproach should be kept to a minimum. In most cases you should just readfrom the slave and let the user deal with the delay.------------------------------------------------------------------------ Lock contention------------------------------------------------------------------------Due to the high write rate on Wikipedia(and some other wikis), MediaWiki developers need to be very careful to structure their writesto avoid long-lasting locks. By default, MediaWiki opens a transactionat the first query, and commits it before the output is sent. Locks willbe held from the time when the query is done until the commit. So youcan reduce lock time by doing as much processing as possible before youdo your write queries.Often this approach is not good enough, and it becomes necessary toenclose small groups of queries in their own transaction. Use thefollowing syntax:$dbw=wfGetDB(DB_MASTER
testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message='')
@dataProvider provideDeprecatedAttributes @covers Sanitizer::fixTagAttributes
Definition: SanitizerTest.php:218
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:86
testDecodeTagAttributes( $expected, $attributes, $message='')
@dataProvider provideTagAttributesToDecode @covers Sanitizer::decodeTagAttributes
Definition: SanitizerTest.php:170
Definition: SanitizerTest.php:7
testCssCommentsChecking( $expected, $css, $message='')
@dataProvider provideCssCommentsFixtures @covers Sanitizer::checkCss
Definition: SanitizerTest.php:246
Definition: styleTest.css.php:50
setMwGlobals( $pairs, $value=null)
Definition: MediaWikiTestCase.php:302
Definition: MediaWikiTestCase.php:6
static provideHtml5Tags()
Provide HTML5 tags.
Definition: SanitizerTest.php:116
Definition: SanitizerTest.php:9
the array() calling protocol came about after MediaWiki 1.4rc1.
List of Api Query prop modules.
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:51
Some information about database access in MediaWiki By Tim January Database layout For information about the MediaWiki database such as a description of the tables and their please see
Definition: database.txt:2
static loadClass( $class)
Force a class to be run through the autoloader, helpful for things like Sanitizer that have define()s...
Definition: AutoLoader.php:1264
I won t presume to tell you how to I m just describing the methods I chose to use for myself If you do choose to follow these it will probably be easier for you to collaborate with others on the but if you want to contribute without by all means do which work well I also use K &R brace matching style I know that s a religious issue for some
Definition: design.txt:79
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:29
static provideTagAttributesToDecode()
Definition: SanitizerTest.php:177
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:64
Definition: UtfNormalDefines.php:64
=Architecture==Two class hierarchies are used to provide the functionality associated with the different content models:*Content interface(and AbstractContent base class) define functionality that acts on the concrete content of a page, and *ContentHandler base class provides functionality specific to a content model, but not acting on concrete content. The most important function of ContentHandler is to act as a factory for the appropriate implementation of Content. These Content objects are to be used by MediaWiki everywhere, instead of passing page content around as text. All manipulation and analysis of page content must be done via the appropriate methods of the Content object. For each content model, a subclass of ContentHandler has to be registered with $wgContentHandlers. The ContentHandler object for a given content model can be obtained using ContentHandler::getForModelID($id). Also Title, WikiPage and Revision now have getContentHandler() methods for convenience. ContentHandler objects are singletons that provide functionality specific to the content type, but not directly acting on the content of some page. ContentHandler::makeEmptyContent() and ContentHandler::unserializeContent() can be used to create a Content object of the appropriate type. However, it is recommended to instead use WikiPage::getContent() resp. Revision::getContent() to get a page 's content as a Content object. These two methods should be the ONLY way in which page content is accessed. Another important function of ContentHandler objects is to define custom action handlers for a content model, see ContentHandler::getActionOverrides(). This is similar to what WikiPage::getActionOverrides() was already doing.==Serialization==With the ContentHandler facility, page content no longer has to be text based. Objects implementing the Content interface are used to represent and handle the content internally. For storage and data exchange, each content model supports at least one serialization format via ContentHandler::serializeContent($content). The list of supported formats for a given content model can be accessed using ContentHandler::getSupportedFormats(). Content serialization formats are identified using MIME type like strings. The following formats are built in:*text/x-wiki - wikitext *text/javascript - for js pages *text/css - for css pages *text/plain - for future use, e.g. with plain text messages. *text/html - for future use, e.g. with plain html messages. *application/vnd.php.serialized - for future use with the api and for extensions *application/json - for future use with the api, and for use by extensions *application/xml - for future use with the api, and for use by extensions In PHP, use the corresponding CONTENT_FORMAT_XXX constant. Note that when using the API to access page content, especially action=edit, action=parse and action=query &prop=revisions, the model and format of the content should always be handled explicitly. Without that information, interpretation of the provided content is not reliable. The same applies to XML dumps generated via maintenance/dumpBackup.php or Special:Export. Also note that the API will provide encapsulated, serialized content - so if the API was called with format=json, and contentformat is also json(or rather, application/json), the page content is represented as a string containing an escaped json structure. Extensions that use JSON to serialize some types of page content may provide specialized API modules that allow access to that content in a more natural form.==Compatibility==The ContentHandler facility is introduced in a way that should allow all existing code to keep functioning at least for pages that contain wikitext or other text based content. However, a number of functions and hooks have been deprecated in favor of new versions that are aware of the page 's content model, and will now generate warnings when used. Most importantly, the following functions have been deprecated:*Revisions::getText() and Revisions::getRawText() is deprecated in favor Revisions::getContent() *WikiPage::getText() is deprecated in favor WikiPage::getContent() Also, the old Article::getContent()(which returns text) is superceded by Article::getContentObject(). However, both methods should be avoided since they do not provide clean access to the page 's actual content. For instance, they may return a system message for non-existing pages. Use WikiPage::getContent() instead. Code that relies on a textual representation of the page content should eventually be rewritten. However, ContentHandler::getContentText() provides a stop-gap that can be used to get text for a page. Its behavior is controlled by $wgContentHandlerTextFallback it
Definition: contenthandler.txt:107
testAttributeSupport( $tag, $attributes, $expected, $message)
@dataProvider provideAttributeSupport @covers Sanitizer::fixTagAttributes
Definition: SanitizerTest.php:296
static provideDeprecatedAttributes()
Definition: SanitizerTest.php:225
For a write use something like
Definition: database.txt:26
static fixTagAttributes( $text, $element)
Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML,...
Definition: Sanitizer.php:1004
Definition: SanitizerTest.php:127
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:40
& $output
Definition: hooks.txt:375
testRemovehtmltagsOnHtml5Tags( $tag, $escaped)
@covers Sanitizer::removeHTMLtags @dataProvider provideHtml5Tags
Definition: SanitizerTest.php:97
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:18
static provideAttributeSupport()
Test for support or lack of support for specific attributes in the attribute whitelist.
Definition: SanitizerTest.php:284
static decodeTagAttributes( $text)
Return an associative array of attribute names and values from a partial tag string.
Definition: Sanitizer.php:1183
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string.
Definition: Sanitizer.php:1413
testRemoveHTMLtags( $input, $output, $msg=null)
@dataProvider dataRemoveHTMLtags @covers Sanitizer::removeHTMLtags
Definition: SanitizerTest.php:161
static checkCss( $value)
Pick apart some CSS and check it for forbidden or unsafe structures.
Definition: Sanitizer.php:938
Definition: ComposerHookHandler.php:6
static removeHTMLtags( $text, $processCallback=null, $args=array(), $extratags=array(), $removetags=array())
Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.
Definition: Sanitizer.php:366
@covers Sanitizer::decodeCharReferences
Definition: SanitizerTest.php:75