CVE-2025-32699

Ensure that Unicode NFC normalization can be applied to our HTML output safely.

Even though the W3C officially recommends against normalizing HTML
https://www.w3.org/International/questions/qa-html-css-normalization#converting
this is still easily done inadvertently, especially when using the MediaWiki action API which normalizes parameters and results by default.

See also I671648603c4635a35585c860b4857f5ea085e47f in Parsoid, and T266140 / I2e78e660ba1867744e34eda7d00ea527ec016b71 for another similar issue.

The following changes are made:

* The various HTML serializers (Remex/Tidy-derived, as well as the Html::* helpers) are tweaked to entity-escape U+0338 wherever it appears.
* Similarly, Message::escaped() is tweaked to entity-escape U+0338.
* Finally, a post-processing pass is added to the OutputTransform pipeline to catch any remaining U+0338 and entity-escape them. This catches U+0338 added during any of the previous OutputTransform stages (like TOC insertion, section edit links, etc). *When backporting* this code will likely need to be moved to ParserOutput::getText(), as the OutputTransform pipeline wasn't added until MW 1.42.

Bug: T387130
Change-Id: I66564e14e730f5393f4fa5780b80f24de6075af5
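Why U+0338 in particular needs escaping, as an added Python sketch (not MediaWiki's PHP code and not part of the commit): under NFC, U+0338 composes with a preceding `<`, `>` or `=` into a single precomposed character, so the markup character disappears. The function names, the `&#x338;` reference form and the sample string are assumptions made for this illustration.

```python
import unicodedata

COMBINING_SOLIDUS = "\u0338"  # COMBINING LONG SOLIDUS OVERLAY
MARKUP_CHARS = "<>="          # each has a precomposed form with U+0338


def escape_u0338(html: str) -> str:
    """Replace U+0338 with a numeric character reference (assumed form)
    so it can no longer combine with the character before it."""
    return html.replace(COMBINING_SOLIDUS, "&#x338;")


def markup_counts(html: str) -> dict:
    """Count the HTML-significant characters that U+0338 can absorb."""
    return {c: html.count(c) for c in MARKUP_CHARS}


def nfc_safe(html: str) -> bool:
    """True if NFC normalization leaves every <, > and = in place."""
    normalized = unicodedata.normalize("NFC", html)
    return markup_counts(normalized) == markup_counts(html)


# Constructed sample: text content that starts with U+0338 right after a tag.
RAW = '<span class="a">' + COMBINING_SOLIDUS + "x</span>"
ESCAPED = escape_u0338(RAW)

if __name__ == "__main__":
    for label, html in (("raw", RAW), ("escaped", ESCAPED)):
        after = unicodedata.normalize("NFC", html)
        print(f"{label:8} nfc_safe={nfc_safe(html)}  after NFC: {after!r}")
```

A check like `nfc_safe()` can be run over serializer output in a test suite to confirm that normalizing a response, for example at an API boundary, cannot alter its tag structure.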
| File |
|---|
| AnsiTermColorer.php |
| badCharacters.txt |
| comments.txt |
| DbTestPreviewer.php |
| DbTestRecorder.php |
| definitionLists.txt |
| DjVuSupport.php |
| DummyTermColorer.php |
| editTests.php |
| extLinks.txt |
| fuzzTest.php |
| headings.txt |
| indentPre.txt |
| indicators.txt |
| interlanguageLinks.txt |
| interwikiLinks.txt |
| langParserTests.txt |
| legacyHeadings.txt |
| legacyMedia.txt |
| magicLinks.txt |
| magicWords.txt |
| media.txt |
| MultiTestRecorder.php |
| ParserTestMockParser.php |
| ParserTestParserHook.php |
| ParserTestPrinter.php |
| ParserTestResult.php |
| ParserTestResultNormalizer.php |
| ParserTestRunner.php |
| parserTests.php |
| parserTests.txt |
| pfeqParserTests.txt |
| PhpunitTestRecorder.php |
| preprocessor.txt |
| preTags.txt |
| pst.txt |
| pWrapping.txt |
| quotes.txt |
| README |
| redirects.txt |
| tables.txt |
| TestFileEditor.php |
| TestRecorder.php |
| wtEscaping.txt |

Parser tests can be run either via PHPUnit or by using the standalone parserTests.php in this directory. The standalone version provides more options.

To run parser tests via PHPUnit:

    $ composer phpunit -- --testsuite parsertests

You can optionally filter by title using --filter, e.g.

    composer phpunit -- --testsuite parsertests --filter="T6400"