From 832948bb192319c2af426c1af929749d6c56a132 Mon Sep 17 00:00:00 2001 From: Thomas Gries Date: Wed, 7 Mar 2012 21:06:35 +0000 Subject: [PATCH] fix for bug34763 'RSS feed items (HTML) are not rendered as HTML but htmlescaped'; tolerated controlled regression bug30377 'feed item length limitation', because this now becomes very tricky when we allow some tags in order to close bug 34763. --- RELEASE-NOTES | 7 ++++ RSS.php | 13 +++++-- RSSParser.php | 105 ++++++++++++++++++++++++++++++++------------------ 3 files changed, 84 insertions(+), 41 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 322460e..14bd3ba 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -11,6 +11,13 @@ http://www.mediawiki.org/wiki/Extension:RSS (otherwise using the defaults - PHP will abort the entire program when your memory usage gets too high) +=== Version 2.12 2012-03-07 === +* bug fix 34763 "RSS feed items (HTML) are not rendered as HTML but htmlescaped" +* regression bug 30377 "Add a new parameter to limit the number of characters + when rendering the channel item ". Feed item string length + limitation is difficult when we allow HTML or tags, because a mere + content-unaware limitation breaks (can break) tags which results in disastrous + rendering results. === Version 2.11 2012-02-29 === * function name typo correction diff --git a/RSS.php b/RSS.php index fa90104..976edcf 100644 --- a/RSS.php +++ b/RSS.php @@ -4,7 +4,7 @@ * * @file * @ingroup Extensions - * @version 2.11 + * @version 2.12 * @author mutante, Daniel Kinzler, Rdb, Mafs, Thomas Gries, Alxndr, Chris Reigrut, K001 * @author Kellan Elliott-McCrea -- author of MagpieRSS * @author Jeroen De Dauw @@ -14,7 +14,7 @@ * @link http://www.mediawiki.org/wiki/Extension:RSS Documentation */ -define( "EXTENSION_RSS_VERSION", "2.11 20120229" ); +define( "EXTENSION_RSS_VERSION", "2.12 20120307" ); if ( !defined( 'MEDIAWIKI' ) ) { die( "This is not a valid entry point.\n" ); 
@@ -93,5 +93,12 @@ $wgRSSDateDefaultFormat = "(Y-m-d H:i:s)"; // limit the number of characters in the item description // or set to false for unlimited length. -// $wgRSSItemMaxLength = false; +// THIS IS CURRENTLY NOT WORKING (bug 30377) $wgRSSItemMaxLength = false; + +// You can choose to allow active links in feed items; default: false +$wgRSSAllowLinkTag = false; + +// If you want to see images in feed items, then you need to globally allow +// image tags in your wiki by using the MediaWiki parameter; default: false +// $wgAllowImageTag = true; diff --git a/RSSParser.php b/RSSParser.php index e6d51aa..092ff61 100644 --- a/RSSParser.php +++ b/RSSParser.php @@ -312,6 +312,14 @@ class RSSParser { return $ret; } + function sandboxParse($wikiText) { + global $wgTitle, $wgUser; + $myParser = new Parser(); + $myParserOptions = ParserOptions::newFromUser($wgUser); + $result = $myParser->parse($wikiText, $wgTitle, $myParserOptions); + return $result->getText(); + } + /** * Render the entire feed so that each item is passed to the * template which the MediaWiki then displays. @@ -320,7 +328,7 @@ class RSSParser { * @param $frame the frame param to pass to recursiveTagParse() */ function renderFeed( $parser, $frame ) { - + $renderedFeed = ''; if ( isset( $this->itemTemplate ) && isset( $parser ) && isset( $frame ) ) { @@ -336,15 +344,15 @@ class RSSParser { } if ( $this->canDisplay( $item ) ) { - $renderedFeed .= $this->renderItem( $item ) . "\n"; + $renderedFeed .= $this->renderItem( $item, $parser ) . "\n"; $headcnt++; } } - $renderedFeed = $parser->recursiveTagParse( $renderedFeed, $frame ); + $renderedFeed = $this->sandboxParse( $renderedFeed ); + + } - } - return $renderedFeed; } @@ -353,7 +361,7 @@ class RSSParser { * * @param $item Array: an array produced by RSSData where keys are the names of the RSS elements */ - protected function renderItem( $item ) { + protected function renderItem( $item, $parser ) { $renderedItem = $this->itemTemplate; 
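Review bot: The new comment presents `$wgAllowImageTag` as an image-only switch, but in the RSSParser.php hunk for escapeTemplateParameter the same flag also selects the `Sanitizer::removeHTMLtags` branch, so setting it site-wide changes how every feed item is escaped, not merely whether `<img>` survives. The configuration comment should say so, e.g. `// NOTE: when this is enabled, feed items are sanitized with Sanitizer::removeHTMLtags instead of the plain escaping used otherwise`. The `$wgRSSItemMaxLength` note would also be more useful if it said what actually happens: judging from the renderItem hunk, where the length check is commented out, the value appears to be read but ignored.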
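Review bot: `sandboxParse` takes its title and options from the globals `$wgTitle` and `$wgUser` rather than from the parser that invoked the tag, so when the page is parsed outside a web request for that page (job queue, API, link refresh) `$wgTitle` may be null or a different title and the options may not match the outer parse; the `@@ -336,15 +344,15` hunk that calls it has `$parser` in scope and could pass it along, `function sandboxParse( $wikiText, $parser )` with `$result = $myParser->parse( $wikiText, $parser->getTitle(), $parser->getOptions() );`. Only `getText()` of the inner ParserOutput is kept, so links, categories or head items produced by the feed HTML are not registered on the outer parser's output; if that is intended it deserves a comment. The strip markers that renderItem now creates with `$parser->insertStripItem()` travel through this second Parser instance, which did not create them, so their later unstripping is worth a test. The method has no docblock; one sentence stating why a fresh Parser is used instead of `recursiveTagParse()` would explain the "sandbox" in the name, since nothing in the body itself restricts what the new parser does.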
@@ -385,12 +393,14 @@ class RSSParser { $renderedItem = str_replace( '{{{date}}}', $txt, $renderedItem ); break; default: - $str = $this->escapeTemplateParameter( $item[$info] ); + $str = $this->escapeTemplateParameter( $item[$info] ); + /*** if ( mb_strlen( $str ) > $this->ItemMaxLength ) { $str = mb_substr( $str, 0, $this->ItemMaxLength ) . " ..."; } + ***/ $txt = $this->highlightTerms( $str ); - $renderedItem = str_replace( '{{{' . $info . '}}}', $txt, $renderedItem ); + $renderedItem = str_replace( '{{{' . $info . '}}}', $parser->insertStripItem( $str ), $renderedItem ); } } @@ -434,41 +444,60 @@ class RSSParser { * to the other kinds of markup, to avoid user input ending a template * invocation. * - * We change differently flavoured
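Review bot: `$txt = $this->highlightTerms( $str );` is now dead code: the replacement line inserts `$str`, not `$txt`, into the strip item, so term highlighting silently stops working for every field handled by the default branch. If highlighting should survive the change, the call wants `$parser->insertStripItem( $txt )`; if highlightTerms emits wikitext rather than HTML it would have to be applied outside the strip item instead, which the hunk does not show. The disabled length limit would read better as a one-line comment pointing at bug 30377 than as a `/*** ... ***/` block of retained code. renderItem starts and ends outside this hunk.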

and
tags to effective
tags, - * other tags such as
will be rendered html-escaped. + * If you want to allow clickable link Urls (HTML tag) in RSS feeds: + * $wgRSSAllowLinkTag = true; + * + * If you want to allow images (HTML tag) in RSS feeds: + * $wgAllowImageTag = true; * */ protected function escapeTemplateParameter( $text ) { - $text = str_replace( - array( '[', '|', ']', '\'', 'ISBN ', - 'RFC ', '://', "\n=", '{{', '}}', - ), - array( '[', '|', ']', ''', 'ISBN ', - 'RFC ', '://', "\n=", '{{', '}}', - ), - htmlspecialchars( str_replace( "\n", "", $text ) ) - ); + global $wgRSSAllowLinkTag, $wgAllowImageTag; - // keep some basic layout tags - $text = str_replace( - array( '<p>', '</p>', - '<br/>', '<br>', '</br>', - '<b>', '</b>', - '<i>', '</i>', - '<u>', '</u>', - '<s>', '</s>', - ), - array( "", "
", - "
", "
", "
", - "'''", "'''", - "''", "''", - "", "", - "", "", - ), - $text - ); + if ( isset( $wgRSSAllowLinkTag ) && $wgRSSAllowLinkTag ) { + $extra = array( "a" ); + } else { + $extra = array(); + } - return $text; + if ( ( isset( $wgRSSAllowLinkTag ) && $wgRSSAllowLinkTag ) + || ( isset( $wgAllowImageTag ) && $wgAllowImageTag ) ) { + + $ret = Sanitizer::removeHTMLtags( $text, null, array(), $extra, array( "iframe" ) ); + + } else { // use the old escape method for a while + + $text = str_replace( + array( '[', '|', ']', '\'', 'ISBN ', + 'RFC ', '://', "\n=", '{{', '}}', + ), + array( '[', '|', ']', ''', 'ISBN ', + 'RFC ', '://', "\n=", '{{', '}}', + ), + htmlspecialchars( str_replace( "\n", "", $text ) ) + ); + + // keep some basic layout tags + $ret = str_replace( + array( '<p>', '</p>', + '<br/>', '<br>', '</br>', + '<b>', '</b>', + '<i>', '</i>', + '<u>', '</u>', + '<s>', '</s>', + ), + array( "", "
", + "
", "
", "
", + "'''", "'''", + "''", "''", + "", "", + "", "", + ), + $text + ); + } + + return $ret; } /**