Only affects wikis with $wgWellFormedXml = false. In principle, the old
behavior might have permitted XSS in IE if that setting is false (which
is not the default), but I haven't checked. See
<http://code.google.com/p/html5lib/issues/detail?id=92>.

Some attributes that have defaults in HTML5 don't have defaults in
XHTML1, particularly type="" on scripts and styles (bug 20713). There's
not much point in trying to maintain two separate sets of defaults,
so I've just kept the HTML5 ones and haven't tried to strip any defaults
in XHTML1 mode.

This fixes some possible XML invalidity from r54767: CDATA stuff was
being added only if $wgHtml5 was false, instead of whenever
$wgWellFormedXml is true. Also, it uses CDATA for script as well as
style, but in both cases only uses it if there's a & or < somewhere.

This fixes r54567. That made the password fields on Special:ResetPass
always required, but in fact the current password should never be
required (existing users always might have empty passwords), and the new
password is only required if $wgMinimalPasswordLength > 0.
This commit also permits passing array( 'required' ) to
Html::(rawE|e)lement() instead of array( 'required' => 'meaningless' ),
for boolean attribs only. This syntax is used in SpecialResetpass.

On second thought, if you're outputting user-supplied JS without careful
validation, it doesn't really matter if it's HTML-escaped or not. :D
CSS has expr() and such too.

Split the giant arrays of attributes/values to one item per line, which makes them easier to look at, easier to grep, and easier to see what's happening when they're changed in diffs.
We're not printing; vertical space isn't at a premium. ;)

Added rawElement() to allow unescaped input (like Xml::tags() but
better-named :) ). This makes sure the easier case is the safer one as
well, and trades a risk of XSS for a risk of double-escaping. After
discussion in #mediawiki a few days ago.

This time done in a nice, centralized fashion, reducing LOC for callers
even if HTML 5 is disabled. The implementation is a new Html class,
similar to Xml but intended to be HTML-specific from the beginning
instead of half-heartedly attempting to provide generic XML services but
actually with lots of HTML-specific stuff tacked on.

As part of the new Html class, a global config option $wgWellFormedXml
is added. It's set to true by default, but if set to false, the Html
class will drop some things that HTML 5 doesn't require, like
self-closing " />" syntax and attribute quotation marks (sometimes).
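The rules these commits describe (element() escaping by default, rawElement() for trusted markup, the array( 'required' ) boolean shorthand, CDATA only for script/style with & or <, and $wgWellFormedXml controlling " />" and attribute quoting) fit in a short sketch. This is an added illustration, not MediaWiki's own Html class; the void-element and boolean-attribute lists and the bare-value rule are assumptions chosen for the example.

```php
<?php
// Added sketch of the Html class behaviour described above; not MediaWiki code.
$wgWellFormedXml = true;                                   // config option from the commit
$voidElements    = array( 'input', 'br', 'img', 'hr', 'meta', 'link' ); // assumed list
$booleanAttribs  = array( 'required', 'disabled', 'checked', 'readonly' ); // assumed list

function expandAttributes( array $attribs ) {
    global $wgWellFormedXml, $booleanAttribs;
    $ret = '';
    foreach ( $attribs as $key => $value ) {
        if ( is_int( $key ) ) {            // array( 'required' ) shorthand: value is the name
            $key = $value;
            $value = '';
        }
        if ( in_array( $key, $booleanAttribs ) ) {
            // Boolean attribute: presence is all that matters, the value is meaningless
            $ret .= $wgWellFormedXml ? " $key=\"$key\"" : " $key";
            continue;
        }
        // Quotes may be dropped only when HTML 5 allows a bare value (assumed rule)
        $bare = !$wgWellFormedXml && $value !== '' && !preg_match( '/[\s"\'=<>`]/', $value );
        $quote = $bare ? '' : '"';
        $ret .= " $key=$quote" . htmlspecialchars( $value, ENT_QUOTES ) . $quote;
    }
    return $ret;
}

function rawElement( $element, array $attribs = array(), $contents = '' ) {
    global $wgWellFormedXml, $voidElements;
    $start = "<$element" . expandAttributes( $attribs );
    if ( in_array( $element, $voidElements ) ) {
        return $start . ( $wgWellFormedXml ? ' />' : '>' );
    }
    // script/style get CDATA only in well-formed mode and only when & or < is present
    if ( $wgWellFormedXml && in_array( $element, array( 'script', 'style' ) )
        && preg_match( '/[&<]/', $contents ) ) {
        $contents = "/*<![CDATA[*/$contents/*]]>*/";
    }
    return "$start>$contents</$element>";
}

function element( $element, array $attribs = array(), $contents = '' ) {
    // The easier name is the safer one: contents are always HTML-escaped
    return rawElement( $element, $attribs, htmlspecialchars( $contents, ENT_QUOTES ) );
}

echo element( 'input', array( 'type' => 'password', 'name' => 'wpPassword', 'required' ) ), "\n";
echo element( 'span', array(), '<b>user input</b>' ), "\n";
$wgWellFormedXml = false;
echo element( 'input', array( 'type' => 'password', 'required' ) ), "\n";
echo rawElement( 'script', array(), 'if (a < b && c) { run(); }' ), "\n";
```

Running it with $wgWellFormedXml toggled shows the same call producing a quoted, self-closed XHTML form and a bare-value HTML 5 form, while element() never emits the caller's content unescaped.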