MediaWiki  master
Sanitizer Class Reference

HTML sanitizer for MediaWiki. More...

Static Public Member Functions

static attributeWhitelist ($element)
 Fetch the whitelist of acceptable attributes for a given element name. More...
 
static checkCss ($value)
 Pick apart some CSS and check it for forbidden or unsafe structures. More...
 
static cleanUrl ($url)
 
static cleanUrlCallback ($matches)
 
static cssDecodeCallback ($matches)
 
static decCharReference ($codepoint)
 
static decodeChar ($codepoint)
 Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER. More...
 
static decodeCharReferences ($text)
 Decode any character references, numeric or named entities, in the text and return a UTF-8 string. More...
 
static decodeCharReferencesAndNormalize ($text)
 Decode any character references, numeric or named entities, in the next and normalize the resulting string. More...
 
static decodeCharReferencesCallback ($matches)
 
static decodeEntity ($name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character. More...
 
static decodeTagAttributes ($text)
 Return an associative array of attribute names and values from a partial tag string. More...
 
static encodeAttribute ($text)
 Encode an attribute value for HTML output. More...
 
static escapeClass ($class)
 Given a value, escape it so that it can be used as a CSS class and return it. More...
 
static escapeHtmlAllowEntities ($html)
 Given HTML input, escape with htmlspecialchars but un-escape entities. More...
 
static escapeId ($id, $options=[])
 Given a value, escape it so that it can be used in an id attribute and return it. More...
 
static escapeIdForAttribute ($id, $mode=self::ID_PRIMARY)
 Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid HTML id attribute. More...
 
static escapeIdForExternalInterwiki ($id)
 Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid URL fragment for external interwikis. More...
 
static escapeIdForLink ($id)
 Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid URL fragment. More...
 
static escapeIdReferenceList ($referenceString, $options=[])
 Given a string containing a space delimited list of ids, escape each id to match ids escaped by the escapeId() function. More...
 
static fixTagAttributes ($text, $element, $sorted=false)
 Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes. More...
 
static getAttribsRegex ()
 Regular expression to match HTML/XML attribute pairs within a tag. More...
 
static getRecognizedTagData ($extratags=[], $removetags=[])
 Return the various lists of recognized tags. More...
 
static hackDocType ()
 Hack up a private DOCTYPE with HTML's standard entity declarations. More...
 
static hexCharReference ($codepoint)
 
static isReservedDataAttribute ($attr)
 Given an attribute name, checks whether it is a reserved data attribute (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki core and extension code can safely use it to communicate with frontend code. More...
 
static mergeAttributes ($a, $b)
 Merge two sets of HTML attributes. More...
 
static normalizeCharReferences ($text)
 Ensure that any entities and character references are legal for XML and XHTML specifically. More...
 
static normalizeCharReferencesCallback ($matches)
 
static normalizeCss ($value)
 Normalize CSS into a format we can easily search for hostile input. More...
 
static normalizeEntity ($name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the equivalent numeric entity reference (except for the core < > & "). More...
 
static normalizeSectionNameWhitespace ($section)
 Normalizes whitespace in a section name, such as might be returned by Parser::stripSectionName(), for use in the id's that are used for section links. More...
 
static removeHTMLcomments ($text)
 Remove '', and everything between. More...
 
static removeHTMLtags ($text, $processCallback=null, $args=[], $extratags=[], $removetags=[], $warnCallback=null)
 Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments. More...
 
static safeEncodeAttribute ($text)
 Encode an attribute value for HTML tags, with extra armoring against further wiki processing. More...
 
static safeEncodeTagAttributes ($assoc_array)
 Build a partial tag string from an associative array of attribute names and values as returned by decodeTagAttributes. More...
 
static setupAttributeWhitelist ()
 Foreach array key (an allowed HTML element), return an array of allowed attributes. More...
 
static stripAllTags ($text)
 Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text. More...
 
static validateAttributes ($attribs, $whitelist)
 Take an array of attribute names and values and normalize or discard illegal values for the given whitelist. More...
 
static validateEmail ($addr)
 Does a string look like an e-mail address? More...
 
static validateTag ($params, $element)
 Takes attribute names and values for a tag and the tag name and validates that the tag is allowed to be present. More...
 
static validateTagAttributes ($attribs, $element)
 Take an array of attribute names and values and normalize or discard illegal values for the given element type. More...
 

Public Attributes

const CHAR_REFS_REGEX
 Regular expression to match various types of character references in Sanitizer::normalizeCharReferences and Sanitizer::decodeCharReferences. More...
 
const ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!'
 Acceptable tag name charset from HTML5 parsing spec https://www.w3.org/TR/html5/syntax.html#tag-open-state. More...
 
const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i'
 Blacklist for evil uris like javascript: WARNING: DO NOT use this in any place that actually requires blacklisting for security reasons. More...
 
const ID_FALLBACK = 1
 Tells escapeUrlForHtml() to encode the ID using the fallback encoding, or return false if no fallback is configured. More...
 
const ID_PRIMARY = 0
 Tells escapeUrlForHtml() to encode the ID using the wiki's primary encoding. More...
 
const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/"
 

Static Private Member Functions

static armorLinksCallback ($matches)
 Regex replace callback for armoring links against further processing. More...
 
static escapeIdInternal ($id, $mode)
 Helper for escapeIdFor*() functions. More...
 
static getTagAttributeCallback ($set)
 Pick the appropriate attribute value from a match set from the attribs regex matches. More...
 
static normalizeWhitespace ($text)
 
static validateCodepoint ($codepoint)
 Returns true if a given Unicode codepoint is a valid character in both HTML5 and XML. More...
 

Static Private Attributes

static static static $attribsRegex
 Lazy-initialised attributes regex, see getAttribsRegex() More...
 
static $htmlEntities
 List of all named character entities defined in HTML 4.01 https://www.w3.org/TR/html4/sgml/entities.html As well as ' which is only defined starting in XHTML1. More...
 
static static $htmlEntityAliases
 Character entity aliases accepted by MediaWiki. More...
 

Detailed Description

HTML sanitizer for MediaWiki.

Definition at line 31 of file Sanitizer.php.

Member Function Documentation

static Sanitizer::armorLinksCallback (   $matches)
staticprivate

Regex replace callback for armoring links against further processing.

Parameters
array$matches
Returns
string

Definition at line 1414 of file Sanitizer.php.

References $matches.

static Sanitizer::attributeWhitelist (   $element)
static

Fetch the whitelist of acceptable attributes for a given element name.

Parameters
string$element
Returns
array

Definition at line 1729 of file Sanitizer.php.

static Sanitizer::checkCss (   $value)
static

Pick apart some CSS and check it for forbidden or unsafe structures.

Returns a sanitized string. This sanitized string will have character references and escape sequences decoded and comments stripped (unless it is itself one valid comment, in which case the value will be passed through). If the input is just too evil, only a comment complaining about evilness will be returned.

Currently URL references, 'expression', 'tps' are forbidden.

NOTE: Despite the fact that character references are decoded, the returned string may contain character references given certain clever input strings. These character references must be escaped before the return value is embedded in HTML.

Parameters
string$value
Returns
string

Definition at line 1030 of file Sanitizer.php.

References $value, and UTF8_REPLACEMENT.

Referenced by CoreParserFunctions\displaytitle(), and SanitizerTest\testCssCommentsChecking().

static Sanitizer::cleanUrl (   $url)
static
Parameters
string$url
Returns
mixed|string

Definition at line 2006 of file Sanitizer.php.

References $matches, and list.

Referenced by Parser\makeFreeExternalLink(), and Parser\replaceExternalLinks().

static Sanitizer::cleanUrlCallback (   $matches)
static
Parameters
array$matches
Returns
string

Definition at line 2060 of file Sanitizer.php.

References $matches.

static Sanitizer::cssDecodeCallback (   $matches)
static
Parameters
array$matches
Returns
string

Definition at line 1058 of file Sanitizer.php.

References $matches, and codepointToUtf8().

static Sanitizer::decCharReference (   $codepoint)
static
Parameters
int$codepoint
Returns
null|string

Definition at line 1592 of file Sanitizer.php.

static Sanitizer::decodeChar (   $codepoint)
static

Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.

Parameters
int$codepoint
Returns
string
Access:
private

Definition at line 1696 of file Sanitizer.php.

References codepointToUtf8(), and UTF8_REPLACEMENT.

static Sanitizer::decodeCharReferencesAndNormalize (   $text)
static

Decode any character references, numeric or named entities, in the next and normalize the resulting string.

(T16952)

This is useful for page titles, not for text to be displayed, MediaWiki allows HTML entities to escape normalization as a feature.

Parameters
string$textAlready normalized, containing entities
Returns
string Still normalized, without entities

Definition at line 1656 of file Sanitizer.php.

References $wgContLang, and global.

Referenced by Title\newFromTextThrow().

static Sanitizer::decodeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 1677 of file Sanitizer.php.

References $matches.

static Sanitizer::decodeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.

Otherwise, returns pseudo-entity source (eg "&foo;")

Parameters
string$name
Returns
string

Definition at line 1712 of file Sanitizer.php.

References $name, and codepointToUtf8().

static Sanitizer::decodeTagAttributes (   $text)
static

Return an associative array of attribute names and values from a partial tag string.

Attribute names are forced to lowercase, character references are decoded to UTF-8 text.

Parameters
string$text
Returns
array

Definition at line 1426 of file Sanitizer.php.

References $attribs, $value, and as.

Referenced by MediaWiki\Tidy\Balancer\advance(), LanguageConverter\autoConvert(), CoreParserFunctions\displaytitle(), Parser\extensionSubstitution(), Parser\extractTagsAndParams(), and SanitizerTest\testDecodeTagAttributes().

static Sanitizer::encodeAttribute (   $text)
static

Encode an attribute value for HTML output.

Parameters
string$text
Returns
string HTML-encoded text fragment

Definition at line 1120 of file Sanitizer.php.

Referenced by MediaWiki\Tidy\BalanceElement\__toString(), and Xml\expandAttributes().

static Sanitizer::escapeClass (   $class)
static
static Sanitizer::escapeHtmlAllowEntities (   $html)
static

Given HTML input, escape with htmlspecialchars but un-escape entities.

This allows (generally harmless) entities like &#160; to survive.

Parameters
string$htmlHTML to escape
Returns
string Escaped input

Definition at line 1400 of file Sanitizer.php.

References $html.

Referenced by Linker\formatComment(), AllMessagesTablePager\formatValue(), SearchHighlighter\removeWiki(), and SanitizerTest\testEscapeHtmlAllowEntities().

static Sanitizer::escapeId (   $id,
  $options = [] 
)
static

Given a value, escape it so that it can be used in an id attribute and return it.

This will use HTML5 validation if $wgExperimentalHtmlIds is true, allowing anything but ASCII whitespace. Otherwise it will use HTML 4 rules, which means a narrow subset of ASCII, with bad characters escaped with lots of dots.

To ensure we don't have to bother escaping anything, we also strip ', ", & even if $wgExperimentalIds is true. TODO: Is this the best tactic? We also strip # because it upsets IE, and % because it could be ambiguous if it's part of something that looks like a percent escape (which don't work reliably in fragments cross-browser).

Deprecated:
since 1.30, use one of this class' escapeIdFor*() functions
See also
https://www.w3.org/TR/html401/types.html#type-name Valid characters in the id and name attributes
https://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute
https://www.w3.org/TR/html5/dom.html#the-id-attribute HTML5 definition of id attribute
Parameters
string$idId to escape
string | array$optionsString or array of strings (default is array()): 'noninitial': This is a non-initial fragment of an id, not a full id, so don't pay attention if the first character isn't valid at the beginning of an id. Only matters if $wgExperimentalHtmlIds is false. 'legacy': Behave the way the old HTML 4-based ID escaping worked even if $wgExperimentalHtmlIds is used, so we can generate extra anchors and links won't break.
Returns
string

Definition at line 1202 of file Sanitizer.php.

References $options, $wgExperimentalHtmlIds, array(), and global.

Referenced by Title\escapeFragmentForURL(), and SanitizerTest\testEscapeId().

static Sanitizer::escapeIdForAttribute (   $id,
  $mode = self::ID_PRIMARY 
)
static

Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid HTML id attribute.

WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe, be sure to use proper escaping.

Parameters
string$idString to escape
int$modeOne of ID_* constants, specifying whether the primary or fallback encoding should be used.
Returns
string|bool Escaped ID or false if fallback encoding is requested but it's not configured.
Since
1.30

Definition at line 1248 of file Sanitizer.php.

References $wgFragmentMode, and global.

Referenced by Skin\addToSidebarPlain(), HTMLFormFieldCloner\createFieldsForKey(), HTMLForm\displaySection(), SpecialListGrants\execute(), SpecialListGroupRights\execute(), Parser\formatHeadings(), HTMLRadioField\formatOptions(), OOUIHTMLForm\formatSection(), HTMLForm\formatSection(), SpecialVersion\getCreditsForExtension(), BaseTemplate\getFooter(), BaseTemplate\getIndicators(), HTMLFormFieldCloner\getInputHTML(), HTMLFormFieldCloner\getInputHTMLForKey(), AllMessagesTablePager\getRowAttrs(), Parser\guessLegacySectionNameFromWikiText(), InfoAction\makeHeader(), ApiMain\modifyHelp(), SanitizerTest\testEscapeIdReferenceList(), SanitizerTest\testInvalidFragmentThrows(), and SanitizerTest\testNoPrimaryFragmentModeThrows().

static Sanitizer::escapeIdForExternalInterwiki (   $id)
static

Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid URL fragment for external interwikis.

Parameters
string$idString to escape
Returns
string Escaped ID
Since
1.30

Definition at line 1298 of file Sanitizer.php.

References $wgExternalInterwikiFragmentMode, and global.

Referenced by Title\getFragmentForURL().

static Sanitizer::escapeIdForLink (   $id)
static

Given a section name or other user-generated or otherwise unsafe string, escapes it to be a valid URL fragment.

WARNING: unlike escapeId(), the output of this function is not guaranteed to be HTML safe, be sure to use proper escaping.

Parameters
string$idString to escape
Returns
string Escaped ID
Since
1.30

Definition at line 1275 of file Sanitizer.php.

References $wgFragmentMode, and global.

Referenced by Parser\formatHeadings(), Title\getFragmentForURL(), Parser\guessLegacySectionNameFromWikiText(), Parser\guessSectionNameFromWikiText(), and SanitizerTest\testNoPrimaryFragmentModeThrows2().

static Sanitizer::escapeIdInternal (   $id,
  $mode 
)
staticprivate

Helper for escapeIdFor*() functions.

Performs most of the actual escaping.

Parameters
string$idString to escape
string$modeOne of modes from $wgFragmentMode
Returns
string

Definition at line 1313 of file Sanitizer.php.

static Sanitizer::escapeIdReferenceList (   $referenceString,
  $options = [] 
)
static

Given a string containing a space delimited list of ids, escape each id to match ids escaped by the escapeId() function.

Todo:
remove $options completely in 1.32
Since
1.27
Parameters
string$referenceStringSpace delimited list of ids
string | array$optionsDeprecated and does nothing.
Returns
string

Definition at line 1355 of file Sanitizer.php.

References $options, as, and wfDeprecated().

Referenced by SanitizerTest\testEscapeIdReferenceList().

static Sanitizer::fixTagAttributes (   $text,
  $element,
  $sorted = false 
)
static

Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.

Output is safe for further wikitext processing, with escaping of values that could trigger problems.

  • Normalizes attribute names to lowercase
  • Discards attributes not on a whitelist for the given element
  • Turns broken or invalid entities into plaintext
  • Double-quotes all attribute values
  • Attributes without values are given the name as attribute
  • Double attributes are discarded
  • Unsafe style attributes are discarded
  • Prepends space if there are attributes.
  • (Optionally) Sorts attributes by name.
Parameters
string$text
string$element
bool$sortedWhether to sort the attributes (default: false)
Returns
string

Definition at line 1100 of file Sanitizer.php.

Referenced by Parser\doTableStuff(), and SanitizerTest\testDeprecatedAttributesUnaltered().

static Sanitizer::getAttribsRegex ( )
static

Regular expression to match HTML/XML attribute pairs within a tag.

Allows some... latitude. Based on, https://www.w3.org/TR/html5/syntax.html#before-attribute-value-state Used in Sanitizer::fixTagAttributes and Sanitizer::decodeTagAttributes

Returns
string

Definition at line 355 of file Sanitizer.php.

static Sanitizer::getRecognizedTagData (   $extratags = [],
  $removetags = [] 
)
static

Return the various lists of recognized tags.

Parameters
array$extratagsFor any extra tags to include
array$removetagsFor any tags (default or extra) to exclude
Returns
array

Definition at line 380 of file Sanitizer.php.

References $vars, as, by, global, in, list, table, that, them, used, and will.

Referenced by ResourceLoaderJqueryMsgModule\getScript().

static Sanitizer::getTagAttributeCallback (   $set)
staticprivate

Pick the appropriate attribute value from a match set from the attribs regex matches.

Parameters
array$set
Exceptions
MWExceptionWhen tag conditions are not met.
Returns
string

Definition at line 1481 of file Sanitizer.php.

static Sanitizer::hackDocType ( )
static

Hack up a private DOCTYPE with HTML's standard entity declarations.

PHP 4 seemed to know these if you gave it an HTML doctype, but PHP 5.1 doesn't.

Use for passing XHTML fragments to PHP's XML parsing functions

Returns
string

Definition at line 1993 of file Sanitizer.php.

References $out, and as.

Referenced by Xml\isWellFormedXmlFragment(), and ParserTestPrinter\wellFormed().

static Sanitizer::hexCharReference (   $codepoint)
static
Parameters
int$codepoint
Returns
null|string

Definition at line 1605 of file Sanitizer.php.

static Sanitizer::isReservedDataAttribute (   $attr)
static

Given an attribute name, checks whether it is a reserved data attribute (such as data-mw-foo) which is unavailable to user-generated HTML so MediaWiki core and extension code can safely use it to communicate with frontend code.

Parameters
string$attrAttribute name.
Returns
bool

Definition at line 880 of file Sanitizer.php.

Referenced by EnhancedChangesList\recentChangesBlockLine(), and SanitizerTest\testIsReservedDataAttribute().

static Sanitizer::mergeAttributes (   $a,
  $b 
)
static

Merge two sets of HTML attributes.

Conflicting items in the second set will override those in the first, except for 'class' attributes which will be combined (if they're both strings).

Todo:
implement merging for other attributes such as style
Parameters
array$a
array$b
Returns
array

Definition at line 901 of file Sanitizer.php.

References $out.

Referenced by OutputPage\headElement(), MediaWiki\Linker\LinkRenderer\mergeAttribs(), and TraditionalImageGallery\toHTML().

static Sanitizer::normalizeCharReferences (   $text)
static

Ensure that any entities and character references are legal for XML and XHTML specifically.

Any stray bits will be &-escaped to result in a valid text fragment.

a. named char refs can only be < > & ", others are numericized (this way we're well-formed even without a DTD) b. any numeric char refs must be legal chars, not invalid or forbidden c. use lower cased "&#x", not "&#X" d. fix or reject non-valid attributes

Parameters
string$text
Returns
string
Access:
private

Definition at line 1539 of file Sanitizer.php.

Referenced by CoreParserFunctions\displaytitle(), Parser\internalParseHalfParsed(), and OutputPage\setPageTitle().

static Sanitizer::normalizeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 1550 of file Sanitizer.php.

References $matches, and $ret.

static Sanitizer::normalizeCss (   $value)
static

Normalize CSS into a format we can easily search for hostile input.

  • decode character references
  • decode escape sequences
  • convert characters that IE6 interprets into ascii
  • remove comments, unless the entire value is one single comment
    Parameters
    string$valuethe css string
    Returns
    string normalized css

Definition at line 923 of file Sanitizer.php.

References $matches, $value, StringUtils\delimiterReplace(), and utf8ToCodepoint().

Referenced by UploadBase\checkSvgScriptCallback().

static Sanitizer::normalizeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the equivalent numeric entity reference (except for the core < > & ").

If the entity is a MediaWiki-specific alias, returns the HTML equivalent. Otherwise, returns HTML-escaped text of pseudo-entity source (eg &foo;)

Parameters
string$name
Returns
string

Definition at line 1576 of file Sanitizer.php.

References $name.

static Sanitizer::normalizeSectionNameWhitespace (   $section)
static

Normalizes whitespace in a section name, such as might be returned by Parser::stripSectionName(), for use in the id's that are used for section links.

Parameters
string$section
Returns
string

Definition at line 1520 of file Sanitizer.php.

References $section.

Referenced by ApiFeedWatchlist\createFeedItem(), Linker\formatAutocomments(), Parser\formatHeadings(), Parser\guessLegacySectionNameFromWikiText(), and Parser\guessSectionNameFromWikiText().

static Sanitizer::normalizeWhitespace (   $text)
staticprivate
Parameters
string$text
Returns
string

Definition at line 1505 of file Sanitizer.php.

static Sanitizer::removeHTMLcomments (   $text)
static

Remove '', and everything between.

To avoid leaving blank lines, when a comment is both preceded and followed by a newline (ignoring spaces), trim leading and trailing spaces and one of the newlines.

Parameters
string$text
Returns
string

Definition at line 681 of file Sanitizer.php.

static Sanitizer::removeHTMLtags (   $text,
  $processCallback = null,
  $args = [],
  $extratags = [],
  $removetags = [],
  $warnCallback = null 
)
static

Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.

Parameters
string$text
callable$processCallbackCallback to do any variable or parameter replacements in HTML attribute values
array | bool$argsArguments for the processing callback
array$extratagsFor any extra tags to include
array$removetagsFor any tags (default or extra) to exclude
callable$warnCallback(Deprecated) Callback allowing the addition of a tracking category when bad input is encountered. DO NOT ADD NEW PARAMETERS AFTER $warnCallback, since it will be removed shortly.
Returns
string

Definition at line 477 of file Sanitizer.php.

References $args, $params, $t, as, MWTidy\isEnabled(), and list.

Referenced by CoreParserFunctions\displaytitle(), Parser\internalParse(), OutputPage\setPageTitle(), SanitizerTest\testRemoveHTMLtags(), SanitizerTest\testRemovehtmltagsOnHtml5Tags(), and Parser\testSrvus().

static Sanitizer::safeEncodeAttribute (   $text)
static

Encode an attribute value for HTML tags, with extra armoring against further wiki processing.

Parameters
string$text
Returns
string HTML-encoded text fragment

Definition at line 1141 of file Sanitizer.php.

References wfUrlProtocols().

static Sanitizer::safeEncodeTagAttributes (   $assoc_array)
static

Build a partial tag string from an associative array of attribute names and values as returned by decodeTagAttributes.

Parameters
array$assoc_array
Returns
string

Definition at line 1462 of file Sanitizer.php.

References $attribs, $value, and as.

Referenced by CoreParserFunctions\displaytitle().

static Sanitizer::setupAttributeWhitelist ( )
static

Foreach array key (an allowed HTML element), return an array of allowed attributes.

Returns
array

Definition at line 1741 of file Sanitizer.php.

References array().

static Sanitizer::stripAllTags (   $text)
static

Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.

Warning: this return value must be further escaped for literal inclusion in HTML output as of 1.10!

Parameters
string$textHTML fragment
Returns
string

Definition at line 1973 of file Sanitizer.php.

References StringUtils\delimiterReplace().

Referenced by LocalizedException\__construct(), MWDebug\appendDebugInfoToApiResult(), CoreParserFunctions\displaytitle(), WikiTextStructure\extractHeadingBeforeFirstHeading(), WikiTextStructure\extractWikitextParts(), ChangesListSpecialPage\getChangeTagList(), CliInstaller\getMessageText(), WikiTextStructure\headings(), OutputPage\setPageTitle(), Parser\stripAltText(), and ApiErrorFormatter\stripMarkup().

static Sanitizer::validateAttributes (   $attribs,
  $whitelist 
)
static

Take an array of attribute names and values and normalize or discard illegal values for the given whitelist.

  • Discards attributes not on the given whitelist
  • Unsafe style attributes are discarded
  • Invalid id attributes are re-encoded
Parameters
array$attribs
array$whitelistList of allowed attribute names
Returns
array
Todo:

Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 783 of file Sanitizer.php.

References $attribs, $out, $value, as, and wfUrlProtocols().

static Sanitizer::validateCodepoint (   $codepoint)
staticprivate

Returns true if a given Unicode codepoint is a valid character in both HTML5 and XML.

Parameters
int$codepoint
Returns
bool

Definition at line 1620 of file Sanitizer.php.

static Sanitizer::validateEmail (   $addr)
static

Does a string look like an e-mail address?

This validates an email address using an HTML5 specification found at: http://www.whatwg.org/html/states-of-the-type-attribute.html#valid-e-mail-address Which as of 2011-01-24 says:

A valid e-mail address is a string that matches the ABNF production 1*( atext / "." ) "@" ldh-str *( "." ldh-str ) where atext is defined in RFC 5322 section 3.2.3, and ldh-str is defined in RFC 1034 section 3.5.

This function is an implementation of the specification as requested in T24449.

Client-side forms will use the same standard validation rules via JS or HTML 5 validation; additional restrictions can be enforced server-side by extensions via the 'isValidEmailAddr' hook.

Note that this validation doesn't 100% match RFC 2822, but is believed to be liberal enough for wide use. Some invalid addresses will still pass validation here.

Since
1.18
Parameters
string$addrE-mail address
Returns
bool

Definition at line 2092 of file Sanitizer.php.

References Hooks\run().

Referenced by SpecialChangeEmail\attemptChange(), Autopromote\checkCondition(), SanitizerValidateEmailTest\checkEmail(), RemoveInvalidEmails\execute(), ResetUserEmail\execute(), EmailConfirmation\execute(), PasswordReset\execute(), LoginSignupSpecialPage\getFieldDefinitions(), User\isEmailConfirmed(), MediaWiki\Auth\UserDataAuthenticationRequest\populateUser(), and WebInstallerName\submit().

static Sanitizer::validateTag (   $params,
  $element 
)
static

Takes attribute names and values for a tag and the tag name and validates that the tag is allowed to be present.

This DOES NOT validate the attributes, nor does it validate the tags themselves. This method only handles the special circumstances where we may want to allow a tag within content but ONLY when it has specific attributes set.

Parameters
string$params
string$element
Returns
bool

Definition at line 727 of file Sanitizer.php.

References $params.

Referenced by MediaWiki\Tidy\Balancer\advance().

static Sanitizer::validateTagAttributes (   $attribs,
  $element 
)
static

Take an array of attribute names and values and normalize or discard illegal values for the given element type.

  • Discards attributes not on a whitelist for the given element
  • Unsafe style attributes are discarded
  • Invalid id attributes are re-encoded
Parameters
array$attribs
string$element
Returns
array
Todo:

Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 763 of file Sanitizer.php.

References $attribs.

Referenced by MediaWiki\Tidy\Balancer\advance(), CoreTagHooks\pre(), and Parser\renderImageGallery().

Member Data Documentation

static static Sanitizer::$attribsRegex
staticprivate
Initial value:
=> 'rlm',
]

Lazy-initialised attributes regex, see getAttribsRegex()

Definition at line 340 of file Sanitizer.php.

Sanitizer::$htmlEntities
staticprivate
Initial value:
= [
'Aacute' => 193

List of all named character entities defined in HTML 4.01 https://www.w3.org/TR/html4/sgml/entities.html As well as ' which is only defined starting in XHTML1.

Definition at line 79 of file Sanitizer.php.

static Sanitizer::$htmlEntityAliases
staticprivate
Initial value:
= [
'רלמ' => 'rlm'

Character entity aliases accepted by MediaWiki.

Definition at line 338 of file Sanitizer.php.

const Sanitizer::CHAR_REFS_REGEX
Initial value:
=
'/&([A-Za-z0-9\x80-\xff]+);
|&\#([0-9]+);
|&\#[xX]([0-9A-Fa-f]+);
|(&)/x'

Regular expression to match various types of character references in Sanitizer::normalizeCharReferences and Sanitizer::decodeCharReferences.

Definition at line 36 of file Sanitizer.php.

const Sanitizer::ELEMENT_BITS_REGEX = '!^(/?)([A-Za-z][^\t\n\v />\0]*+)([^>]*?)(/?>)([^<]*)$!'

Acceptable tag name charset from HTML5 parsing spec https://www.w3.org/TR/html5/syntax.html#tag-open-state.

Definition at line 46 of file Sanitizer.php.

Referenced by MediaWiki\Tidy\Balancer\advance().

const Sanitizer::EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i'

Blacklist for evil uris like javascript: WARNING: DO NOT use this in any place that actually requires blacklisting for security reasons.

There are NUMEROUS1 ways to bypass blacklisting, the only way to be secure from javascript: uri based xss vectors is to whitelist things that you know are safe and deny everything else.

Definition at line 56 of file Sanitizer.php.

const Sanitizer::ID_FALLBACK = 1

Tells escapeUrlForHtml() to encode the ID using the fallback encoding, or return false if no fallback is configured.

Since
1.30

Definition at line 72 of file Sanitizer.php.

Referenced by Parser\formatHeadings(), Parser\guessLegacySectionNameFromWikiText(), ApiMain\modifyHelp(), and SanitizerTest\provideEscapeIdForStuff().

const Sanitizer::ID_PRIMARY = 0

Tells escapeUrlForHtml() to encode the ID using the wiki's primary encoding.

Since
1.30

Definition at line 64 of file Sanitizer.php.

Referenced by Parser\formatHeadings(), ApiMain\modifyHelp(), and SanitizerTest\provideEscapeIdForStuff().

const Sanitizer::XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/"

Definition at line 57 of file Sanitizer.php.


The documentation for this class was generated from the following file: