帮助:解析函数/css

/** https://github.com/wikimedia/mediawiki-extensions-CSS/blob/REL1_37/CSS.class.php
 * @param Parser &$parser
 * @param string $css
 * @return string
 */
public function cssRender( Parser $parser, string $css ): string {
	$css = trim( $css );
	if ( $css === '' ) {
		return '';
	}
	$title = $this->titleFactory->newFromText( $css );
	$identifier = $this->config->get( 'CSSIdentifier' );
	$rawProtection = [ $identifier => '1' ];
	$headItem = '<!-- Begin Extension:CSS -->';

	if ( $title && $title->exists() ) {
		# Article actually in the db
		$params = [
			'action' => 'raw',
			'ctype' => 'text/css',
		] + $rawProtection;
		$url = $title->getLocalURL( $params );
		$headItem .= Html::linkedStyle( $url );
	} elseif ( $css[0] === '/' ) {
		# Regular file
		$base = $this->config->get( 'CSSPath' ) === false ?
			$this->config->get( MainConfigNames::StylePath ) :
			$this->config->get( 'CSSPath' );
		// The replacement for \ to / is to workaround a path traversal,
		// per T369486.
		// TODO: Implement a proper URL parser. There may be more niche URL
		// shenanigans one could get up to that MediaWiki's parser does not
		// handle, but which the browser does. The most surefire way to
		// guarantee that no tomfoolery happens is to 100% replicate what
		// the browser does and not only like 90% of it.
		$path = str_replace( '\\', '/', $css );
		$url = wfAppendQuery( $base . $path, $rawProtection );

		# Verify the expanded URL is still using the base URL
		$expandedUrl = $this->urlUtils->expand( $url );
		$expandedBase = $this->urlUtils->expand( $base );
		if ( $expandedUrl && $expandedBase && strpos( $expandedUrl, $expandedBase ) === 0 ) {
			$headItem .= Html::linkedStyle( $url );
		} else {
			$headItem .= '<!-- Invalid/malicious path  -->';
		}
	} else {
		# sanitized user CSS
		$css = $this->sanitizeCSS( $css );

		# Encode data URI and append link tag
		$dataPrefix = 'data:text/css;charset=UTF-8;base64,';
		$url = $dataPrefix . base64_encode( $css );

		$headItem .= Html::linkedStyle( $url );
	}

	$headItem .= '<!-- End Extension:CSS -->';
	$parser->getOutput()->addHeadItem( $headItem );
	return '';
}




/** mediawiki-1.37.0\includes\parser\Sanitizer.php
* Pick apart some CSS and check it for forbidden or unsafe structures.
* Returns a sanitized string. This sanitized string will have
* character references and escape sequences decoded and comments
* stripped (unless it is itself one valid comment, in which case the value
* will be passed through). If the input is just too evil, only a comment
* complaining about evilness will be returned.
*
* Currently URL references, 'expression', 'tps' are forbidden.
*
* NOTE: Despite the fact that character references are decoded, the
* returned string may contain character references given certain
* clever input strings. These character references must
* be escaped before the return value is embedded in HTML.
*
* @param string $value
* @return string
*/
public static function checkCss( $value ) {
	$value = self::normalizeCss( $value );

	// Reject problematic keywords and control characters
	if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ||
		strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false ) {
		return '/* invalid control char */';
	} elseif ( preg_match(
		'! expression
			| filter\s*:
			| accelerator\s*:
			| -o-link\s*:
			| -o-link-source\s*:
			| -o-replace\s*:
			| url\s*\(
			| image\s*\(
			| image-set\s*\(
			| attr\s*\([^)]+[\s,]+url
			| var\s*\(
		!ix', $value ) ) {
		return '/* insecure input */';
	}
	return $value;
}

/** mediawiki-1.37.0\includes\parser\Sanitizer.php
* Normalize CSS into a format we can easily search for hostile input
*  - decode character references
*  - decode escape sequences
*  - remove comments, unless the entire value is one single comment
* @param string $value the css string
* @return string normalized css
*/
public static function normalizeCss( $value ) {
	// Decode character references like &#123;
	$value = self::decodeCharReferences( $value );

	// Decode escape sequences and line continuation
	// See the grammar in the CSS 2 spec, appendix D.
	// This has to be done AFTER decoding character references.
	// This means it isn't possible for this function to return
	// unsanitized escape sequences. It is possible to manufacture
	// input that contains character references that decode to
	// escape sequences that decode to character references, but
	// it's OK for the return value to contain character references
	// because the caller is supposed to escape those anyway.
	static $decodeRegex;
	if ( !$decodeRegex ) {
		$space = '[\\x20\\t\\r\\n\\f]';
		$nl = '(?:\\n|\\r\\n|\\r|\\f)';
		$backslash = '\\\\';
		$decodeRegex = "/ $backslash
			(?:
				($nl) |  # 1. Line continuation
				([0-9A-Fa-f]{1,6})$space? |  # 2. character number
				(.) | # 3. backslash cancelling special meaning
				() | # 4. backslash at end of string
			)/xu";
	}
	$value = preg_replace_callback( $decodeRegex,
		[ __CLASS__, 'cssDecodeCallback' ], $value );

	// Let the value through if it's nothing but a single comment, to
	// allow other functions which may reject it to pass some error
	// message through.
	if ( !preg_match( '! ^ \s* /\* [^*\\/]* \*/ \s* $ !x', $value ) ) {
		// Remove any comments; IE gets token splitting wrong
		// This must be done AFTER decoding character references and
		// escape sequences, because those steps can introduce comments
		// This step cannot introduce character references or escape
		// sequences, because it replaces comments with spaces rather
		// than removing them completely.
		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );

		// Remove anything after a comment-start token, to guard against
		// incorrect client implementations.
		$commentPos = strpos( $value, '/*' );
		if ( $commentPos !== false ) {
			$value = substr( $value, 0, $commentPos );
		}
	}

	return $value;
}