[Pkg-mediawiki-commits] r414 - mediawiki-extensions/branches/wheezy/debian/patches
Thorsten Glaser
tg at alioth.debian.org
Wed Dec 19 13:30:25 UTC 2012
Author: tg
Date: 2012-12-19 13:30:24 +0000 (Wed, 19 Dec 2012)
New Revision: 414
Modified:
mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
Log:
draft using MediaWiki Sanitizer::removeHTMLtags in favour
of $rss->unhtmlentities and actually dropping the latter totally
as it's problematic with double quotes
By the way:
root at evolvis-51:/usr/share/mediawiki # php
<?php
$x="'";
$y=html_entity_decode($x,ENT_QUOTES, "UTF-8");
echo "< $y >\n";
< ' >
Is this right? According to the docs, it should print < ' >
see http://de3.php.net/manual/en/function.html-entity-decode.php
Available flags constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
ENT_HTML401 Handle code as HTML 4.01.
ENT_XML1 Handle code as XML 1.
ENT_XHTML Handle code as XHTML.
ENT_HTML5 Handle code as HTML 5.
Modified: mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch
===================================================================
--- mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch 2012-12-17 16:49:02 UTC (rev 413)
+++ mediawiki-extensions/branches/wheezy/debian/patches/fix_rssreader.patch 2012-12-19 13:30:24 UTC (rev 414)
@@ -11,6 +11,7 @@
* XHTML/1.0 Transitional validity of output
* fix a bunch of PHP warnings
* fix a user security issue wrt. HTML in RSS <title>s
+* stop using $rss->unhtmlentities and sanitise RSS bodies correctly
Also add documentation of these changes as README.Debian and point to
upstream's documentation in form of a wikipage.
@@ -98,17 +99,24 @@
if ($dispTitle) { //check if title should be displayed
$output .=
'<div class="RSSReader-head">'.
-@@ -209,7 +215,9 @@ function efCreateRSSReader($input, $argv
+@@ -209,10 +215,15 @@ function efCreateRSSReader($input, $argv
$output .= '<a href="'.$item['link'].'" ';
//decide if nofollow is needed
if ($egNoFollow) $output .= 'rel="nofollow"';
- $item_title=preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['title']));
+ $item_title=preg_replace("|\[rsslist:.+?\]|", "",
-+ htmlspecialchars(html_entity_decode($rss->unhtmlentities($item['title']),
-+ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
++ htmlspecialchars(html_entity_decode(html_entity_decode($item['title'],
++ ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"), ENT_QUOTES, "UTF-8"));
$output .= '>'.$item_title.'</a>';
if ($text) {
- $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
+- $desc = preg_replace("|\[rsslist:.+?\]|", "", $rss->unhtmlentities($item['description']));
++ $desc = preg_replace("|\[rsslist:.+?\]|", "",
++ Sanitizer::removeHTMLtags(html_entity_decode($item['description'],
++ ENT_QUOTES, "UTF-8"), null, array(),
++ array('a', /* does not work */ 'img')));
+ $output .= "</h3>\n$desc</div>\n";
+ } else $output .= "</li>\n";
+ /*if reached the number of desired display items stop working on
--- a/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
+++ b/dist/mediawiki-extensions-base/usr/share/mediawiki-extensions/base/RSS_Reader/lastRSS.php
@@ -149,14 +149,14 @@ class lastRSS {
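Review bot: The fourth argument passed to `Sanitizer::removeHTMLtags` in the new `$desc` lines is the `$extratags` whitelist extension, so `'a'` lets feed-supplied anchors, including their `href` values, survive into `$output` on the `</h3>` line; whether the wheezy MediaWiki Sanitizer rejects `javascript:`/`data:` schemes on `href` for extra tags should be verified before relying on it, and the `/* does not work */` remark on `'img'` suggests the accepted tag set was not actually confirmed. Unless that scheme check is confirmed, I would not widen the whitelist at all: `Sanitizer::removeHTMLtags(html_entity_decode($item['description'],` / `ENT_QUOTES, "UTF-8")));` and let links degrade to escaped text. Note also that `$item['link']` is still concatenated unescaped into the `href` at the top of the hunk (not touched by this commit), so a feed link containing `"` can break out of the attribute; `htmlspecialchars($item['link'], ENT_QUOTES, "UTF-8")` at that point closes it. The enclosing `efCreateRSSReader` function starts and ends outside the hunk.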