Sanitizer Class Reference
[Parser]

XHTML sanitizer for MediaWiki. More...

List of all members.

Static Public Member Functions

static removeHTMLtags ($text, $processCallback=null, $args=array(), $extratags=array())
 Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.
static removeHTMLcomments ($text)
 Remove '', and everything between.
static validateTagAttributes ($attribs, $element)
 Take an array of attribute names and values and normalize or discard illegal values for the given element type.
static validateAttributes ($attribs, $whitelist)
 Take an array of attribute names and values and normalize or discard illegal values for the given whitelist.
static mergeAttributes ($a, $b)
 Merge two sets of HTML attributes.
static checkCss ($value)
 Pick apart some CSS and check it for forbidden or unsafe structures.
static fixTagAttributes ($text, $element)
 Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.
static encodeAttribute ($text)
 Encode an attribute value for HTML output.
static safeEncodeAttribute ($text)
 Encode an attribute value for HTML tags, with extra armoring against further wiki processing.
static escapeId ($id, $options=array())
 Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link).
static escapeClass ($class)
 Given a value, escape it so that it can be used as a CSS class and return it.
static escapeHtmlAllowEntities ($html)
 Given HTML input, escape with htmlspecialchars but un-escape entites.
static decodeTagAttributes ($text)
 Return an associative array of attribute names and values from a partial tag string.
static normalizeCharReferences ($text)
 Ensure that any entities and character references are legal for XML and XHTML specifically.
static normalizeCharReferencesCallback ($matches)
static normalizeEntity ($name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is.
static decCharReference ($codepoint)
static hexCharReference ($codepoint)
static decodeCharReferences ($text)
 Decode any character references, numeric or named entities, in the text and return a UTF-8 string.
static decodeCharReferencesCallback ($matches)
static decodeChar ($codepoint)
 Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.
static decodeEntity ($name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.
static attributeWhitelist ($element)
 Fetch the whitelist of acceptable attributes for a given element name.
static setupAttributeWhitelist ()
 Foreach array key (an allowed HTML element), return an array of allowed attributes.
static stripAllTags ($text)
 Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.
static hackDocType ()
 Hack up a private DOCTYPE with HTML's standard entity declarations.
static cleanUrl ($url)

Static Private Member Functions

static armorLinksCallback ($matches)
 Regex replace callback for armoring links against further processing.
static getTagAttributeCallback ($set)
 Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.
static normalizeAttributeValue ($text)
 Normalize whitespace and character references in an XML source- encoded text for an attribute value.
static normalizeWhitespace ($text)
static validateCodepoint ($codepoint)
 Returns true if a given Unicode codepoint is a valid character in XML.


Detailed Description

XHTML sanitizer for MediaWiki.

Definition at line 331 of file Sanitizer.php.


Member Function Documentation

static Sanitizer::armorLinksCallback ( matches  )  [static, private]

Regex replace callback for armoring links against further processing.

Parameters:
array $matches
Returns:
string

Definition at line 871 of file Sanitizer.php.

static Sanitizer::attributeWhitelist ( element  )  [static]

Fetch the whitelist of acceptable attributes for a given element name.

Parameters:
string $element
Returns:
array

Definition at line 1139 of file Sanitizer.php.

static Sanitizer::checkCss ( value  )  [static]

Pick apart some CSS and check it for forbidden or unsafe structures.

Returns a sanitized string, or false if it was just too evil.

Currently URL references, 'expression', 'tps' are forbidden.

Parameters:
string $value
Returns:
mixed

Definition at line 658 of file Sanitizer.php.

static Sanitizer::cleanUrl ( url  )  [static]

Definition at line 1341 of file Sanitizer.php.

Referenced by Parser::makeFreeExternalLink(), and Parser::replaceExternalLinks().

static Sanitizer::decCharReference ( codepoint  )  [static]

Definition at line 1031 of file Sanitizer.php.

static Sanitizer::decodeChar ( codepoint  )  [static]

Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.

Parameters:
int $codepoint
Returns:
string
Access:
private

Definition at line 1104 of file Sanitizer.php.

static Sanitizer::decodeCharReferences ( text  )  [static]

Decode any character references, numeric or named entities, in the text and return a UTF-8 string.

Parameters:
string $text
Returns:
string
Access:
public

Definition at line 1072 of file Sanitizer.php.

Referenced by CoreLinkFunctions::categoryLinkHook(), RecentChange::cleanupForIRC(), UploadForm::detectScript(), CoreParserFunctions::displaytitle(), WebRequest::getFileName(), Parser::guessSectionNameFromWikiText(), Title::newFromText(), ImageCleanup::processPage(), and Parser::replaceInternalLinks2().

static Sanitizer::decodeCharReferencesCallback ( matches  )  [static]

Parameters:
string $matches
Returns:
string

Definition at line 1083 of file Sanitizer.php.

static Sanitizer::decodeEntity ( name  )  [static]

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.

Otherwise, returns pseudo-entity source (eg )

Parameters:
string $name
Returns:
string

Definition at line 1120 of file Sanitizer.php.

static Sanitizer::decodeTagAttributes ( text  )  [static]

Return an associative array of attribute names and values from a partial tag string.

Attribute names are forces to lowercase, character references are decoded to UTF-8 text.

Parameters:
string 
Returns:
array

Definition at line 883 of file Sanitizer.php.

Referenced by Parser::extensionSubstitution(), and Linker::makeKnownLinkObj().

static Sanitizer::encodeAttribute ( text  )  [static]

Encode an attribute value for HTML output.

Parameters:
$text 
Returns:
HTML-encoded text fragment

Definition at line 721 of file Sanitizer.php.

Referenced by ApiFormatXml::doubleQuote(), and Xml::expandAttributes().

static Sanitizer::escapeClass ( class  )  [static]

Given a value, escape it so that it can be used as a CSS class and return it.

Todo:
For extra validity, input should be validated UTF-8.
See also:
http://www.w3.org/TR/CSS21/syndata.html Valid characters/format
Parameters:
string $class
Returns:
string

Definition at line 841 of file Sanitizer.php.

Referenced by getBodyOptions(), SpecialStatistics::getGroupStats(), getPageClasses(), and SkinTemplate::outputPage().

static Sanitizer::escapeHtmlAllowEntities ( html  )  [static]

Given HTML input, escape with htmlspecialchars but un-escape entites.

This allows (generally harmless) entities like   to survive.

Parameters:
string $html String to escape
Returns:
string Escaped input

Definition at line 856 of file Sanitizer.php.

Referenced by Linker::formatComment(), and wfMsgExt().

static Sanitizer::escapeId ( id,
options = array() 
) [static]

Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link).

See also:
http://www.w3.org/TR/html401/types.html#type-name Valid characters in the id and name attributes

http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute

Parameters:
string $id Id to validate
mixed $options String or array of strings (default is array()): 'noninitial': This is a non-initial fragment of an id, not a full id, so don't pay attention if the first character isn't valid at the beginning of an id. 'xml': Don't restrict the id to be HTML4-compatible. This option allows any alphabetic character to be used, per the XML standard. Therefore, it also completely changes the type of escaping: instead of weird dot-encoding, runs of invalid characters (mostly whitespace) are just compressed into a single underscore.
Returns:
string

Definition at line 790 of file Sanitizer.php.

Referenced by Title::escapeFragmentForURL(), MonoBookTemplate::execute(), ModernTemplate::execute(), Parser::formatHeadings(), and ImagePage::makeMetadataTable().

static Sanitizer::fixTagAttributes ( text,
element 
) [static]

Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.

Output is safe for further wikitext processing, with escaping of values that could trigger problems.

  • Normalizes attribute names to lowercase
  • Discards attributes not on a whitelist for the given element
  • Turns broken or invalid entities into plaintext
  • Double-quotes all attribute values
  • Attributes without values are given the name as attribute
  • Double attributes are discarded
  • Unsafe style attributes are discarded
  • Prepends space if there are attributes.

Parameters:
string $text
string $element
Returns:
string

Definition at line 698 of file Sanitizer.php.

static Sanitizer::getTagAttributeCallback ( set  )  [static, private]

Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.

Parameters:
array $set
Returns:
string

Definition at line 921 of file Sanitizer.php.

static Sanitizer::hackDocType (  )  [static]

Hack up a private DOCTYPE with HTML's standard entity declarations.

PHP 4 seemed to know these if you gave it an HTML doctype, but PHP 5.1 doesn't.

Use for passing XHTML fragments to PHP's XML parsing functions

Returns:
string

Definition at line 1331 of file Sanitizer.php.

Referenced by HTMLDiffer::htmlDiff(), and ParserTest::wellFormed().

static Sanitizer::hexCharReference ( codepoint  )  [static]

Definition at line 1040 of file Sanitizer.php.

static Sanitizer::mergeAttributes ( a,
b 
) [static]

Merge two sets of HTML attributes.

Conflicting items in the second set will override those in the first, except for 'class' attributes which will be combined (if they're both strings).

Todo:
implement merging for other attributes such as style
Parameters:
array $a
array $b
Returns:
array

Definition at line 637 of file Sanitizer.php.

Referenced by MathRenderer::_attribs(), Linker::linkAttribs(), Linker::makeKnownLinkObj(), and ImageGallery::toHTML().

static Sanitizer::normalizeAttributeValue ( text  )  [static, private]

Normalize whitespace and character references in an XML source- encoded text for an attribute value.

See http://www.w3.org/TR/REC-xml/#AVNormalize for background, but note that we're not returning the value, but are returning XML source fragments that will be slapped into output.

Parameters:
string $text
Returns:
string

Definition at line 955 of file Sanitizer.php.

static Sanitizer::normalizeCharReferences ( text  )  [static]

Ensure that any entities and character references are legal for XML and XHTML specifically.

Any stray bits will be &-escaped to result in a valid text fragment.

a. any named char refs must be known in XHTML b. any numeric char refs must be legal chars, not invalid or forbidden c. use &x, not &X d. fix or reject non-valid attributes

Parameters:
string $text
Returns:
string
Access:
private

Definition at line 982 of file Sanitizer.php.

Referenced by Parser::parse().

static Sanitizer::normalizeCharReferencesCallback ( matches  )  [static]

Parameters:
string $matches
Returns:
string

Definition at line 992 of file Sanitizer.php.

static Sanitizer::normalizeEntity ( name  )  [static]

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is.

If the entity is a MediaWiki-specific alias, returns the HTML equivalent. Otherwise, returns HTML-escaped text of pseudo-entity source (eg &foo;)

Parameters:
string $name
Returns:
string

Definition at line 1020 of file Sanitizer.php.

static Sanitizer::normalizeWhitespace ( text  )  [static, private]

Definition at line 961 of file Sanitizer.php.

static Sanitizer::removeHTMLcomments ( text  )  [static]

Remove '', and everything between.

To avoid leaving blank lines, when a comment is both preceded and followed by a newline (ignoring spaces), trim leading and trailing spaces and one of the newlines.

Access:
private
Parameters:
string $text
Returns:
string

Definition at line 527 of file Sanitizer.php.

static Sanitizer::removeHTMLtags ( text,
processCallback = null,
args = array(),
extratags = array() 
) [static]

Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.

Access:
private
Parameters:
string $text
callback $processCallback to do any variable or parameter replacements in HTML attribute values
array $args for the processing callback
Returns:
string

Definition at line 341 of file Sanitizer.php.

Referenced by Parser::internalParse(), and Parser::testSrvus().

static Sanitizer::safeEncodeAttribute ( text  )  [static]

Encode an attribute value for HTML tags, with extra armoring against further wiki processing.

Parameters:
$text 
Returns:
HTML-encoded text fragment

Definition at line 742 of file Sanitizer.php.

static Sanitizer::setupAttributeWhitelist (  )  [static]

Foreach array key (an allowed HTML element), return an array of allowed attributes.

Returns:
array

Definition at line 1154 of file Sanitizer.php.

static Sanitizer::stripAllTags ( text  )  [static]

Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.

Warning: this return value must be further escaped for literal inclusion in HTML output as of 1.10!

Parameters:
string $text HTML fragment
Returns:
string

Definition at line 1310 of file Sanitizer.php.

Referenced by Parser::stripAltText().

static Sanitizer::validateAttributes ( attribs,
whitelist 
) [static]

Take an array of attribute names and values and normalize or discard illegal values for the given whitelist.

  • Discards attributes not the given whitelist
  • Unsafe style attributes are discarded
  • Invalid id attributes are reencoded

Parameters:
array $attribs
array $whitelist list of allowed attribute names
Returns:
array
Todo:
Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 597 of file Sanitizer.php.

static Sanitizer::validateCodepoint ( codepoint  )  [static, private]

Returns true if a given Unicode codepoint is a valid character in XML.

Parameters:
int $codepoint
Returns:
bool

Definition at line 1054 of file Sanitizer.php.

static Sanitizer::validateTagAttributes ( attribs,
element 
) [static]

Take an array of attribute names and values and normalize or discard illegal values for the given element type.

  • Discards attributes not on a whitelist for the given element
  • Unsafe style attributes are discarded
  • Invalid id attributes are reencoded

Parameters:
array $attribs
string $element
Returns:
array
Todo:
Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 577 of file Sanitizer.php.

Referenced by MathRenderer::_attribs(), Parser::renderImageGallery(), and Parser::renderPreTag().


The documentation for this class was generated from the following file:

Generated on Sat Sep 5 02:08:46 2009 for MediaWiki by  doxygen 1.5.9