authorAlex Legler <alex@a3li.li>2015-08-15 13:30:05 +0200
committerAlex Legler <alex@a3li.li>2015-08-15 13:30:05 +0200
commitac7ffacc49f3e722f68fd5ef486fc67157041a25 (patch)
tree6de930d89a7cd6bd26ab9d3fe4582c05937e89e3 /Widgets/WidgetRenderer.php
parentGentooToolbox: Update deprecated wfMsg* functions (diff)
Update Widgets
Diffstat (limited to 'Widgets/WidgetRenderer.php')
-rw-r--r--Widgets/WidgetRenderer.php38
1 files changed, 22 insertions, 16 deletions
diff --git a/Widgets/WidgetRenderer.php b/Widgets/WidgetRenderer.php
index e5a96474..b460ae92 100644
--- a/Widgets/WidgetRenderer.php
+++ b/Widgets/WidgetRenderer.php
@@ -4,15 +4,18 @@
*/
class WidgetRenderer {
+ // The prefix and suffix for the widget strip marker.
+ private static $markerPrefix = "START_WIDGET";
+ private static $markerSuffix = "END_WIDGET";
- // A randomly-generated string, used to prevent malicious users from
- // spoofing the output of #widget in order to have arbitrary
- // JavaScript show up in the page's output.
- static $mRandomString;
+ // Stores the compiled widgets for after the parser has run.
+ // Must be public for use in anonymous callback function in PHP 5.3
+ public static $widgets = array();
public static function initRandomString() {
- // Set the random string, used in both encoding and decoding.
- self::$mRandomString = substr( base64_encode( rand() ), 0, 7 );
+ // Add a random string to the prefix to ensure no conflicts
+ // with normal content.
+ self::$markerPrefix .= wfRandomString( 16 );
}
public static function renderWidget( &$parser, $widgetName ) {
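Review bot: The marker prefix in `initRandomString()` is now the only thing stopping a page author from typing a matching marker into wikitext, but `wfRandomString()` is documented in MediaWiki as unsuitable for security tokens. If the supported MediaWiki versions provide it, prefer `self::$markerPrefix .= MWCryptRand::generateHex( 16 );`. The new comment describes the suffix only as avoiding "conflicts with normal content", which drops the anti-spoofing rationale the removed comment carried. Something like `// Unpredictable per-request suffix so users cannot forge a widget marker in page text.` would keep that intent visible. Also, `.=` appends on every call, so a second call between rendering and output replacement would leave earlier markers unmatched; a comment stating it must run once per request would help.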
@@ -127,20 +130,22 @@ class WidgetRenderer {
try {
$output = $smarty->fetch( "wiki:$widgetName" );
} catch ( Exception $e ) {
- return '<div class=\"error\">' . wfMsgExt( 'widgets-error', array( 'parsemag' ), htmlentities( $widgetName ) ) . '</div>';
+ return '<div class="error">' . wfMessage( 'widgets-error', htmlentities( $widgetName ) )->text() . '</div>';
}
- // Hide the widget from the parser.
- $output = 'ENCODED_CONTENT ' . self::$mRandomString . base64_encode($output) . ' END_ENCODED_CONTENT';
- return array( $output, 'noparse' => true, 'isHTML' => true );
+ // To prevent the widget output from being tampered with, the
+ // compiled HTML is stored and a strip marker with an index to
+ // retrieve it later is returned.
+ $index = array_push( self::$widgets, $output ) - 1;
+ return self::$markerPrefix . '-' . $index . self::$markerSuffix;
}
- public static function processEncodedWidgetOutput( &$out, &$text ) {
- // Find all hidden content and restore to normal
+ public static function outputCompiledWidget( &$out, &$text ) {
$text = preg_replace_callback(
- '/ENCODED_CONTENT ' . self::$mRandomString . '([0-9a-zA-Z\/+]+=*)* END_ENCODED_CONTENT/',
+ '/' . self::$markerPrefix . '-(\d+)' . self::$markerSuffix . '/S',
function( $matches ) {
- return base64_decode( $matches[1]);
+ // Can't use self:: in an anonymous function pre PHP 5.4
+ return WidgetRenderer::$widgets[$matches[1]];
},
$text
);
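Review bot: The callback in `outputCompiledWidget()` indexes `WidgetRenderer::$widgets[$matches[1]]` without checking that the entry exists. Any marker whose number is not in the array for this request (for example text carried over from an earlier parse, if that can reach this hook) raises an undefined-offset notice and is silently replaced with nothing. A guarded lookup that works on PHP 5.3 is `return isset( WidgetRenderer::$widgets[$matches[1]] ) ? WidgetRenderer::$widgets[$matches[1]] : '';`. Because `$widgets` is public and its contents are written into the page unescaped, its comment should also say that only `renderWidget()` may append to it. The body of `renderWidget()` begins outside this hunk, so the Smarty setup before the `try` is not covered here.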
@@ -148,10 +153,11 @@ class WidgetRenderer {
return true;
}
- // the following four functions are all registered with Smarty
+ // The following four functions are all registered with Smarty.
+
public static function wiki_get_template( $widgetName, &$widgetCode, $smarty_obj ) {
global $wgWidgetsUseFlaggedRevs;
-
+
$widgetTitle = Title::newFromText( $widgetName, NS_WIDGET );
if ( $widgetTitle && $widgetTitle->exists() ) {