Drop deprecated config $wgAllowImageTag
Soft-deprecated since 1.35 and hard-deprecated since at least I9776d11d4e2d184 (1.39). Not set in production. Change-Id: I68b68ffcdff22daafad34c186d1cc609dcecbf32
This commit is contained in:
Amir Sarabadani
Ladsgroup
parent
0dbddfe9f8
commit
4c68983623
9 changed files with 6 additions and 77 deletions
|
|
@ -58,6 +58,8 @@ For notes on 1.41.x and older releases, see HISTORY.
|
|||
No longer customizable.
|
||||
* $wgSquidPurgeUseHostHeader, deprecated since 1.33, has been removed.
|
||||
No longer customizable and always true.
|
||||
* $wgAllowImageTag, deprecated since 1.35, has been removed.
|
||||
Register an extension tag named <img> instead.
|
||||
* …
|
||||
|
||||
=== New user-facing features in 1.42 ===
|
||||
|
|
|
|||
|
|
@ -4154,17 +4154,6 @@ config-schema:
|
|||
Set this to true to enable the on-wiki allow list (MediaWiki:External image whitelist)
|
||||
Or false to disable it
|
||||
@since 1.14
|
||||
AllowImageTag:
|
||||
default: false
|
||||
deprecated: 'since 1.35; register an extension tag named <img> instead.'
|
||||
description: |-
|
||||
A different approach to the above: simply allow the "<img>" tag to be used.
|
||||
This allows you to specify alt text and other attributes, copy-paste HTML to
|
||||
your wiki more easily, etc. However, allowing external images in any manner
|
||||
will allow anyone with editing rights to snoop on your visitors' IP
|
||||
addresses and so forth, if they wanted to, by inserting links to images on
|
||||
sites they control.
|
||||
@deprecated since 1.35; register an extension tag named <img> instead.
|
||||
TidyConfig:
|
||||
default: { }
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -2337,13 +2337,6 @@ $wgAllowExternalImagesFrom = null;
|
|||
*/
|
||||
$wgEnableImageWhitelist = null;
|
||||
|
||||
/**
|
||||
* Config variable stub for the AllowImageTag setting, for use by phpdoc and IDEs.
|
||||
* @see MediaWiki\MainConfigSchema::AllowImageTag
|
||||
* @deprecated since 1.35; register an extension tag named <img> instead.
|
||||
*/
|
||||
$wgAllowImageTag = null;
|
||||
|
||||
/**
|
||||
* Config variable stub for the TidyConfig setting, for use by phpdoc and IDEs.
|
||||
* @see MediaWiki\MainConfigSchema::TidyConfig
|
||||
|
|
|
|||
|
|
@ -2352,13 +2352,6 @@ class MainConfigNames {
|
|||
*/
|
||||
public const EnableImageWhitelist = 'EnableImageWhitelist';
|
||||
|
||||
/**
|
||||
* Name constant for the AllowImageTag setting, for use with Config::get()
|
||||
* @see MainConfigSchema::AllowImageTag
|
||||
* @deprecated since 1.35; register an extension tag named <img> instead.
|
||||
*/
|
||||
public const AllowImageTag = 'AllowImageTag';
|
||||
|
||||
/**
|
||||
* Name constant for the TidyConfig setting, for use with Config::get()
|
||||
* @see MainConfigSchema::TidyConfig
|
||||
|
|
|
|||
|
|
@ -6499,22 +6499,6 @@ class MainConfigSchema {
|
|||
'default' => false,
|
||||
];
|
||||
|
||||
/**
|
||||
* A different approach to the above: simply allow the "<img>" tag to be used.
|
||||
*
|
||||
* This allows you to specify alt text and other attributes, copy-paste HTML to
|
||||
* your wiki more easily, etc. However, allowing external images in any manner
|
||||
* will allow anyone with editing rights to snoop on your visitors' IP
|
||||
* addresses and so forth, if they wanted to, by inserting links to images on
|
||||
* sites they control.
|
||||
*
|
||||
* @deprecated since 1.35; register an extension tag named <img> instead.
|
||||
*/
|
||||
public const AllowImageTag = [
|
||||
'default' => false,
|
||||
'deprecated' => 'since 1.35; register an extension tag named <img> instead.',
|
||||
];
|
||||
|
||||
/**
|
||||
* Configuration for HTML postprocessing tool. Set this to a configuration
|
||||
* array to enable an external tool. By default, we now use the RemexHtml
|
||||
|
|
|
|||
|
|
@ -246,7 +246,6 @@ class ContentSecurityPolicy {
|
|||
// CSP puts on external images.
|
||||
if ( $mwConfig->get( MainConfigNames::AllowExternalImages )
|
||||
|| $mwConfig->get( MainConfigNames::AllowExternalImagesFrom )
|
||||
|| $mwConfig->get( MainConfigNames::AllowImageTag )
|
||||
) {
|
||||
$imgSrc = [ '*', 'data:', 'blob:' ];
|
||||
} elseif ( $mwConfig->get( MainConfigNames::EnableImageWhitelist ) ) {
|
||||
|
|
|
|||
|
|
@ -794,7 +794,6 @@ return [
|
|||
'AllowExternalImages' => false,
|
||||
'AllowExternalImagesFrom' => '',
|
||||
'EnableImageWhitelist' => false,
|
||||
'AllowImageTag' => false,
|
||||
'TidyConfig' => [
|
||||
],
|
||||
'ParsoidSettings' => [
|
||||
|
|
@ -3277,9 +3276,6 @@ return [
|
|||
'LegalTitleChars' => [
|
||||
'deprecated' => 'since 1.41; use Extension:TitleBlacklist to customize',
|
||||
],
|
||||
'AllowImageTag' => [
|
||||
'deprecated' => 'since 1.35; register an extension tag named <img> instead.',
|
||||
],
|
||||
'ParserEnableLegacyMediaDOM' => [
|
||||
'deprecated' => 'since 1.41',
|
||||
],
|
||||
|
|
|
|||
|
|
@ -153,10 +153,9 @@ class Sanitizer {
|
|||
* @internal
|
||||
*/
|
||||
public static function getRecognizedTagData( array $extratags = [], array $removetags = [] ): array {
|
||||
global $wgAllowImageTag;
|
||||
static $commonCase, $staticInitialised;
|
||||
$isCommonCase = ( $extratags === [] && $removetags === [] );
|
||||
if ( $staticInitialised === $wgAllowImageTag && $isCommonCase && $commonCase ) {
|
||||
if ( $staticInitialised === false && $isCommonCase && $commonCase ) {
|
||||
return $commonCase;
|
||||
}
|
||||
|
||||
|
|
@ -165,8 +164,7 @@ class Sanitizer {
|
|||
|
||||
// Base our staticInitialised variable off of the global config state so that if the globals
|
||||
// are changed (like in the screwed up test system) we will re-initialise the settings.
|
||||
$globalContext = $wgAllowImageTag;
|
||||
if ( !$staticInitialised || $staticInitialised !== $globalContext ) {
|
||||
if ( !$staticInitialised ) {
|
||||
$htmlpairsStatic = [ # Tags that must be closed
|
||||
'b', 'bdi', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
|
||||
'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
|
||||
|
|
@ -206,13 +204,6 @@ class Sanitizer {
|
|||
'li',
|
||||
];
|
||||
|
||||
if ( $wgAllowImageTag ) {
|
||||
wfDeprecatedMsg( 'Setting $wgAllowImageTag to true ' .
|
||||
'is deprecated since MediaWiki 1.35', '1.35', false, false );
|
||||
$htmlsingle[] = 'img';
|
||||
$htmlsingleonly[] = 'img';
|
||||
}
|
||||
|
||||
$htmlsingleallowed = array_unique( array_merge( $htmlsingle, $tabletags ) );
|
||||
$htmlelementsStatic = array_unique( array_merge( $htmlsingle, $htmlpairsStatic, $htmlnest ) );
|
||||
|
||||
|
|
@ -222,15 +213,13 @@ class Sanitizer {
|
|||
foreach ( $vars as $var ) {
|
||||
$$var = array_fill_keys( $$var, true );
|
||||
}
|
||||
$staticInitialised = $globalContext;
|
||||
$staticInitialised = false;
|
||||
}
|
||||
|
||||
# Populate $htmlpairs and $htmlelements with the $extratags and $removetags arrays
|
||||
$extratags = array_fill_keys( $extratags, true );
|
||||
$removetags = array_fill_keys( $removetags, true );
|
||||
// @phan-suppress-next-line PhanTypeMismatchArgumentNullableInternal The static var is always set
|
||||
$htmlpairs = array_merge( $extratags, $htmlpairsStatic );
|
||||
// @phan-suppress-next-line PhanTypeMismatchArgumentNullableInternal The static var is always set
|
||||
$htmlelements = array_diff_key( array_merge( $extratags, $htmlelementsStatic ), $removetags );
|
||||
|
||||
$result = [
|
||||
|
|
@ -1572,8 +1561,7 @@ class Sanitizer {
|
|||
|
||||
# 13.2
|
||||
# Not usually allowed, but may be used for extension-style hooks
|
||||
# such as <math> when it is rasterized, or if $wgAllowImageTag is
|
||||
# true
|
||||
# such as <math> when it is rasterized
|
||||
'img' => $merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
|
||||
# Attributes for A/V tags added in T163583 / T133673
|
||||
'audio' => $merge( $common, [ 'controls', 'preload', 'width', 'height' ] ),
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ class ContentSecurityPolicyTest extends MediaWikiIntegrationTestCase {
|
|||
$this->overrideConfigValues( [
|
||||
MainConfigNames::AllowExternalImages => false,
|
||||
MainConfigNames::AllowExternalImagesFrom => [],
|
||||
MainConfigNames::AllowImageTag => false,
|
||||
MainConfigNames::EnableImageWhitelist => false,
|
||||
MainConfigNames::LoadScript => false,
|
||||
MainConfigNames::ExtensionAssetsPath => false,
|
||||
|
|
@ -265,20 +264,6 @@ class ContentSecurityPolicyTest extends MediaWikiIntegrationTestCase {
|
|||
// phpcs:enable
|
||||
}
|
||||
|
||||
/**
|
||||
* @covers MediaWiki\Request\ContentSecurityPolicy::makeCSPDirectives
|
||||
*/
|
||||
public function testMakeCSPDirectivesImage() {
|
||||
global $wgAllowImageTag;
|
||||
$origImg = wfSetVar( $wgAllowImageTag, true );
|
||||
|
||||
$actual = $this->csp->makeCSPDirectives( true, ContentSecurityPolicy::FULL_MODE );
|
||||
|
||||
$wgAllowImageTag = $origImg;
|
||||
$expected = "script-src 'unsafe-eval' blob: 'self' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json";
|
||||
$this->assertSame( $expected, $actual );
|
||||
}
|
||||
|
||||
/**
|
||||
* @covers MediaWiki\Request\ContentSecurityPolicy::makeCSPDirectives
|
||||
*/
|
||||
|
|
|
|||
Loading…
Reference in a new issue