Swapped some "$var type" to "type $var" or added missing types
before the $var. Changed some other types to match the more common
spelling. Makes the beginning of some text capitalized.
Also added some missing @param.
Change-Id: Ic8aaf0a93796b97d0fa4617c1f86ff59f4b36131

* Add the global attributes to <bdo> and <q> and add "cite" to <q>. This
is to make these elements actually usable: <bdo> needs a "dir" attribute
to be useful for anything, and the whole point of <q> compared to
hard-coded quotation marks is its support for the "lang" and "cite"
attributes.
* Drop the "align" attribute from <span> because it was never standards-
compliant and does not work in browsers either, unless one constructs
such unlikely things as <span align="center" style="display:block;">.
* Drop the obsolete "char" and "charoff" attributes from <tr>, <td>, <th>.
These have not been implemented in browsers anyway.
* Drop the obsolete presentational attributes "align", "valign" and "width"
from <colgroup>, <col>, <thead>, <tfoot> and <tbody>. These elements are
currently not accepted in wikitext anyway, but removing these attributes
from the whitelist ensures that they are not accidentally enabled in the
future.
* Drop the obsolete presentational attributes "noshade" and "size" from <hr>.
They have been overridden by skin-specific CSS for a long time anyway.
* Allow all global attributes on <br> and <wbr>. Not allowing "dir" and "lang"
on <br> was a restriction in HTML 4.01, presumably copied to <wbr>, that
has been lifted in HTML5. Allowing these may not be particularly useful,
but simplifies the code.
Bug: 55582
Change-Id: I1c3289ef51a449a7837af28d9906701534175896

$wgRestrictDisplayTitle is intended to make it possible to simply
copy-and-paste the title text even if it requires some styling like
subscript or superscript. Using a <span style="display: none;" />
broke that expectation, as the text hidden in such a way becomes
completely invisible and unselectable. This patch rejects such styles.
Also disallowed 'user-select' and 'visibility', since they both
prevent the user from selecting and/or copying the text as well.
Minor changes in Sanitizer:
* checkCss() was made to pass through values which consist of nothing
but a single comment, to allow this rejection to display some sort
of a notification to the user.
* encodeTagAttributes() was added as a counterpart to
decodeTagAttributes(), pulling some code out of fixTagAttributes().
Bug: 26547
Change-Id: Ie162535b6bcbebce4ee69f6dcc1957ccccc3c672

* $wgHtml5 = false; is now ignored completely.
* $wgDocType and $wgDTD have been removed.
* $wgXhtmlDefaultNamespace is now ignored.
* XHTML5 will be output if $wgMimeType is set to an XML mime type (according to HTML5's rules).
* For backwards compatibility with extensions $wgHtml5 and $wgXhtmlDefaultNamespace are set
in Setup.php but depending on them is deprecated.
Change-Id: Iad9634e2ee420b5a3bbffe550421fde4fa1819b0

HTML5 has various semantics that allow -- or rather require --
<kbd> and <samp> and even <var> to be nested.
eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>
eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>
This fixes the sanitizer to permit their nesting and adds test cases to ensure that some
of HTML5's special semantics are permitted by our sanitizer and not broken.
Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939

- role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc...
Such as presentational tables. Something we have a lot of and need the ability to mark as presentational.
- Other ARIA roles need more thought so for now they are not supported.
Change-Id: I426ea04a8bc48181a71a308753525f3964201748

Fix almost all occurrences of the following sniffs:
Generic.CodeAnalysis.UselessOverridingMethod.Found
Generic.Formatting.NoSpaceAfterCast.SpaceFound
Generic.Functions.FunctionCallArgumentSpacing.SpaceBeforeComma
Generic.Functions.OpeningFunctionBraceKernighanRitchie.BraceOnNewLine
Generic.PHP.LowerCaseConstant.Found
PSR2.Classes.PropertyDeclaration.ScopeMissing
PSR2.Files.EndFileNewline.TooMany
PSR2.Methods.MethodDeclaration.StaticBeforeVisibility
Change-Id: I96aacef5bafe5a2bca659744fba1380999cfc37d

We had a huge pile of assertEquals in a single test function; this patch
converts the mess into a nicer data provider.
The parameters passed to assertEquals() were mixed up: the expected
values should be passed as the first argument, so I exchanged the first
two parameters in each case.
Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897

* @cover lets us mention which function the test is using, which helps
when building the coverage report to make sure we only record traces
for that function.
* Normalized test functions so they look alike and make use of an
optional message.
Change-Id: I3e431b28e377f2ca21d06300537f63b2df4a3a99

testRemovehtmltagsOnHtml5Tags needs wgUseTidy = false;
3) SanitizerTest::testRemovehtmltagsOnHtml5Tags with data set #2
('time', false)
Failed asserting that two strings are equal.
--- Expected
+++ Actual
@@ @@
-'<time></time>
-'
+'<time>'
Change-Id: Ib7e156293e2efae053b055e40393e442719eb5bd

Removed $wgCleanupPresentationalAttributes, the associated
code it toggles and references to those in src and tests.
Also fixes bug 40329.
This was originally introduced in r94465 (released in REL1_19) but
disabled by default. Then enabled in r98053, after which several
bugs were filed and eventually the decision was made to remove
this feature.
Removed obsolete release-note entry, as this is to be backported
to REL1_20.
Change-Id: I4e86305520a3b22ef88381caab55d24abac932e3

WebKit's -webkit-image-set() requires a url() to work; however, css4-images'
version of image-set permits strings, such that image-set( 'asdf.png' 1x ) would be permitted
and would bypass our filters.
Change-Id: I366d04807f66df449f791a5e8e2cb58768124a9a

This commit depends on the introduction of
MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4.
Various tests already set their globals, but forgot to restore
them afterwards, or forgot to call the parent setUp, tearDown...
Either way they won't have to anymore with setMwGlobals.
Consistent use of function characteristics:
* protected function setUp
* protected function tearDown
* public static function (provide..)
(Matching the function signature with PHPUnit/Framework/TestCase.php)
Replaces:
* public function (setUp|tearDown)\(
* protected function $1(
* \tfunction (setUp|tearDown)\(
* \tprotected function $1(
* \tfunction (data|provide)\(
* \tpublic static function $1\(
Also renamed a few "data#", "provider#" and "provides#" functions
to "provide#" for consistency. This also removes confusion where
the /media tests had a few private methods called dataFile(),
which were sometimes expected to be data providers.
Fixes:
TimestampTest often failed due to a previous test setting a
different language (it tests "1 hour ago" so need to make sure
it is set to English).
MWNamespaceTest became a lot cleaner now that it executes with
a known context. Though the now-redundant code that was removed
didn't work anyway because wgContentNamespaces isn't keyed by
namespace id, it had them as values...
FileBackendTest:
* Fixed: "PHP Fatal: Using $this when not in object context"
HttpTest
* Added comment about:
"PHP Fatal: Call to protected MWHttpRequest::__construct()"
(too much unrelated code to fix in this commit)
ExternalStoreTest
* Add an assertTrue as well, without it the test is useless
because regardless of whether wgExternalStores is true or false
it only uses it if it is an array.
Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561

- Adding this now even though no browser supports it so that when one does it doesn't become a way to bypass our url() filter.
- Including missing tests for all of our insecure input filters.
- Also make sure that vendor prefixed versions like -webkit-image() are caught because most browsers are probably going to go and implement a vendor prefixed version first.
Change-Id: If73aa98b8accdb7621b0e4ff0615b61d530fa547

Align should be converted to text-align for all the elements specified
in $presentationalAttribs mapping. Table however is an exception, it
applies to alignment of the block (instead of the content).
Follow up I108cbd10 / 27a4d74bd7.
Change-Id: Iee17d4ef1a6a9b46d88a330cfc9179bccfe93247

r85856 fixed a CSS injection issue but lacked testing. This
test verifies we properly strip out CSS comments even when the
token delimiter '/*' is backslash-escaped : \2f\2a
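
The CSS filter commits above (image-set(), image() and vendor-prefixed forms, and the backslash-escaped '/*' test) all concern a value filter that has to normalize its input before matching. The following Python is an added example, not part of the commit log and not MediaWiki's Sanitizer code; the function names, the reject-on-leftover-backslash rule and the sample values are assumptions made here.

```python
import re

# Added illustration, not MediaWiki's Sanitizer code; every name here is hypothetical.
_ESCAPE = re.compile(r"\\(?:([0-9A-Fa-f]{1,6})[ \t\r\n\f]?|(.))", re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Unanchored on purpose, so vendor-prefixed forms such as -webkit-image-set(
# match as well. image-set() is listed because it can take a bare string.
_FETCH_FUNC = re.compile(r"(?:url|image|image-set)\s*\(", re.I)


def _decode(match):
    """Turn one CSS escape (\\2f, \\00002a, \\/) into the character it encodes."""
    if match.group(1):
        cp = int(match.group(1), 16)
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        return chr(cp) if valid else "\ufffd"
    return match.group(2)


def normalize_css(value):
    """Decode escapes first, then strip comments, so neither can hide a token."""
    value = _ESCAPE.sub(_decode, value)
    value = _COMMENT.sub("", value)
    # Treat an unterminated comment as running to the end of the value.
    start = value.find("/*")
    return value if start < 0 else value[:start]


def is_safe_css(value):
    """Reject values that can load an external resource or still hold a backslash."""
    clean = normalize_css(value)
    return not (_FETCH_FUNC.search(clean) or "\\" in clean)


# Constructed sample values, not taken from MediaWiki's test suite.
SAMPLES = [
    "color: red",
    "background: url(http://x.example/a.png)",
    "background: image-set('asdf.png' 1x)",
    "background: -webkit-image('a.png')",
    r"background: \75rl(a.png)",
    "background: u/**/rl(a.png)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("ok    " if is_safe_css(sample) else "reject", sample)
```

Matching before decoding escapes, or before removing comments, would let the last two samples through.
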
Its removal in r70849 breaks ProofreadPage extension.
Restricted r82475 relaxation to just numbers.
Added tests.
This only affects wikitext (tag hooks).
MW_ATTRIBS_REGEX is only used through decodeTagAttributes() calls.
fixTagAttributes() calls decodeTagAttributes(), and would be nastier to
fix, since it is called with HTML parameters (eg. by removeHTMLtags)
but such incorrect parameters grabbed would be removed by validateTagAttributes()