Export allowed tags from Sanitizer to mediawiki.jqueryMsg

Specifically, we export only those that are allowed to be paired, because its parser doesn't handle self-closing tags. Bug: T66740 Change-Id: I9944f9af915715c57a7d9ce3c62c3e61e54a75ba
2015-05-23 08:48:55 +02:00 · 2015-05-23 08:48:55 +02:00 · 4a3e50a541
commit 4a3e50a541
parent 5dfb04f8e3
5 changed files with 114 additions and 12 deletions
--- a/autoload.php
+++ b/autoload.php
@ -995,6 +995,7 @@ $wgAutoloadLocalClasses = array(
 	'ResourceLoaderFilePath' => __DIR__ . '/includes/resourceloader/ResourceLoaderFilePath.php',
 	'ResourceLoaderImage' => __DIR__ . '/includes/resourceloader/ResourceLoaderImage.php',
 	'ResourceLoaderImageModule' => __DIR__ . '/includes/resourceloader/ResourceLoaderImageModule.php',
+	'ResourceLoaderJqueryMsgDataModule' => __DIR__ . '/includes/resourceloader/ResourceLoaderJqueryMsgDataModule.php',
 	'ResourceLoaderLanguageDataModule' => __DIR__ . '/includes/resourceloader/ResourceLoaderLanguageDataModule.php',
 	'ResourceLoaderLanguageNamesModule' => __DIR__ . '/includes/resourceloader/ResourceLoaderLanguageNamesModule.php',
 	'ResourceLoaderModule' => __DIR__ . '/includes/resourceloader/ResourceLoaderModule.php',
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@ -359,20 +359,13 @@ class Sanitizer {
 	}

 	/**
-	 * Cleans up HTML, removes dangerous tags and attributes, and
-	 * removes HTML comments
-	 * @param string $text
-	 * @param callable $processCallback Callback to do any variable or parameter
-	 *   replacements in HTML attribute values
-	 * @param array|bool $args Arguments for the processing callback
+	 * Return the various lists of recognized tags
 	 * @param array $extratags For any extra tags to include
 	 * @param array $removetags For any tags (default or extra) to exclude
-	 * @return string
+	 * @return array
 	 */
-	public static function removeHTMLtags( $text, $processCallback = null,
-		$args = array(), $extratags = array(), $removetags = array()
-	) {
-		global $wgUseTidy, $wgAllowMicrodataAttributes, $wgAllowImageTag;
+	public static function getRecognizedTagData( $extratags = array(), $removetags = array() ) {
+		global $wgAllowMicrodataAttributes, $wgAllowImageTag;

 		static $htmlpairsStatic, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
 			$htmllist, $listtags, $htmlsingleallowed, $htmlelementsStatic, $staticInitialised;
@ -431,12 +424,44 @@ class Sanitizer {
 			}
 			$staticInitialised = $globalContext;
 		}
+
 		# Populate $htmlpairs and $htmlelements with the $extratags and $removetags arrays
 		$extratags = array_flip( $extratags );
 		$removetags = array_flip( $removetags );
 		$htmlpairs = array_merge( $extratags, $htmlpairsStatic );
 		$htmlelements = array_diff_key( array_merge( $extratags, $htmlelementsStatic ), $removetags );

+		return array(
+			'htmlpairs' => $htmlpairs,
+			'htmlsingle' => $htmlsingle,
+			'htmlsingleonly' => $htmlsingleonly,
+			'htmlnest' => $htmlnest,
+			'tabletags' => $tabletags,
+			'htmllist' => $htmllist,
+			'listtags' => $listtags,
+			'htmlsingleallowed' => $htmlsingleallowed,
+			'htmlelements' => $htmlelements,
+		);
+	}
+
+	/**
+	 * Cleans up HTML, removes dangerous tags and attributes, and
+	 * removes HTML comments
+	 * @param string $text
+	 * @param callable $processCallback Callback to do any variable or parameter
+	 *   replacements in HTML attribute values
+	 * @param array|bool $args Arguments for the processing callback
+	 * @param array $extratags For any extra tags to include
+	 * @param array $removetags For any tags (default or extra) to exclude
+	 * @return string
+	 */
+	public static function removeHTMLtags( $text, $processCallback = null,
+		$args = array(), $extratags = array(), $removetags = array()
+	) {
+		global $wgUseTidy;
+
+		extract( self::getRecognizedTagData( $extratags, $removetags ) );
+
 		# Remove HTML comments
 		$text = Sanitizer::removeHTMLcomments( $text );
 		$bits = explode( '<', $text );
--- a/includes/resourceloader/ResourceLoaderJqueryMsgDataModule.php
+++ b/includes/resourceloader/ResourceLoaderJqueryMsgDataModule.php
@ -0,0 +1,62 @@
+<?php
+/**
+ * Resource loader module for populating mediawiki.jqueryMsg data.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ * @author Brad Jorsch
+ */
+
+/**
+ * ResourceLoader module for populating mediawiki.jqueryMsg data.
+ */
+class ResourceLoaderJqueryMsgDataModule extends ResourceLoaderModule {
+
+	protected $targets = array( 'desktop', 'mobile' );
+
+	/**
+	 * @param ResourceLoaderContext $context
+	 * @return string JavaScript code
+	 */
+	public function getScript( ResourceLoaderContext $context ) {
+		$jsData = array();
+
+		$tagData = Sanitizer::getRecognizedTagData();
+		$jsData['allowedHtmlElements'] = array_merge(
+			array_keys( $tagData['htmlpairs'] ),
+			array_diff(
+				array_keys( $tagData['htmlsingle'] ),
+				array_keys( $tagData['htmlsingleonly'] )
+			)
+		);
+
+		return "if ( !mw.jqueryMsg ) {\n" .
+			"\tmw.jqueryMsg = {};\n" .
+			"}\n" .
+			"mw.jqueryMsg.data = " . Xml::encodeJsVar( $jsData ) . ";\n";
+	}
+
+	/**
+	 * @param ResourceLoaderContext $context
+	 * @return array|null
+	 */
+	public function getDefinitionSummary( ResourceLoaderContext $context ) {
+		$ret = parent::getDefinitionSummary( $context );
+		$ret['hash'] = md5( $this->getScript( $context ) );
+		return $ret;
+	}
+}
--- a/resources/Resources.php
+++ b/resources/Resources.php
@ -58,6 +58,9 @@ return array(
 	// Scripts for the dynamic language specific data, like grammar forms.
 	'mediawiki.language.data' => array( 'class' => 'ResourceLoaderLanguageDataModule' ),

+	// Dynamic data for mediawiki.jqueryMsg, such as allowed tags
+	'mediawiki.jqueryMsg.data' => array( 'class' => 'ResourceLoaderJqueryMsgDataModule' ),
+
 	/* MediaWiki base skinning modules */

 	/**
@ -1270,6 +1273,7 @@ return array(
 	'mediawiki.jqueryMsg' => array(
 		'scripts' => 'resources/src/mediawiki/mediawiki.jqueryMsg.js',
 		'dependencies' => array(
+			'mediawiki.jqueryMsg.data',
 			'mediawiki.util',
 			'mediawiki.language',
 			'dom-level2-shim',
--- a/resources/src/mediawiki/mediawiki.jqueryMsg.js
+++ b/resources/src/mediawiki/mediawiki.jqueryMsg.js
@ -17,8 +17,10 @@
 			magic: {
 				'SITENAME': mw.config.get( 'wgSiteName' )
 			},
-			// This is a whitelist based on, but simpler than, Sanitizer.php.
+			// This is a whitelist like Sanitizer.php.
 			// Self-closing tags are not currently supported.
+			// The simplified default here is overridden below by data supplied
+			// by the mediawiki.jqueryMsg.data module.
 			allowedHtmlElements: [
 				'b',
 				'i'
@ -130,6 +132,14 @@
 		};
 	}

+	// Use data from mediawiki.jqueryMsg.data to override defaults, if
+	// available
+	if ( mw.jqueryMsg && mw.jqueryMsg.data ) {
+		if ( mw.jqueryMsg.data.allowedHtmlElements ) {
+			parserDefaults.allowedHtmlElements = mw.jqueryMsg.data.allowedHtmlElements;
+		}
+	}
+
 	mw.jqueryMsg = {};

 	/**