Merge commit from fork

* Don't parse translations if they're used in attributes
* Sanitize URLs in parsed links

T14555

Author: SomeMWDev

404.php

@@ -3,6 +3,7 @@
 require_once __DIR__ . '/getTranslations.php';
 
 $getTranslation = 'getTranslation';
+$getParsedTranslation = 'getParsedTranslation';
 
 header( 'Content-Type: text/html; charset=utf-8' );
 header( 'Cache-Control: s-maxage=2678400, max-age=2678400' );
@@ -33,13 +34,13 @@
 						</p>
 					</a>
 				</p>
-				<h1><b>{$getTranslation( 'page-not-found' )}</b></h1>
-				<p>{$getTranslation( 'page-not-found-more' )}</p>
+				<h1><b>{$getParsedTranslation( 'page-not-found' )}</b></h1>
+				<p>{$getParsedTranslation( 'page-not-found-more' )}</p>
 			</div>
 		</div>
 		<div class="bottom-links">
-			<a href="#" onClick="history.go(-1); return false;">&larr; {$getTranslation( 'wiki-not-found-goback' )}</a>
-			<a href="/">{$getTranslation( 'page-not-found-mainpage' )}</a>
+			<a href="#" onClick="history.go(-1); return false;">&larr; {$getParsedTranslation( 'wiki-not-found-goback' )}</a>
+			<a href="/">{$getParsedTranslation( 'page-not-found-mainpage' )}</a>
 		</div>
 	</html>
 EOF;

DeletedWiki.php

@@ -14,6 +14,7 @@
 
 	$getLanguageCode = 'getLanguageCode';
 	$getTranslation = 'getTranslation';
+	$getParsedTranslation = 'getParsedTranslation';
 
 	header( 'Cache-control: no-cache' );
 
@@ -139,17 +140,17 @@
 							</g>
 							</svg>
 					</p>
-					<h1><b>{$getTranslation( 'deletedwiki' )}</b></h1>
-					<p class="lead">{$getTranslation( 'deletedwiki-body' )}</p>
+					<h1><b>{$getParsedTranslation( 'deletedwiki' )}</b></h1>
+					<p class="lead">{$getParsedTranslation( 'deletedwiki-body' )}</p>
 					<p>
-						<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Deleted_wikis" class="btn btn-lg btn-outline-primary" role="button">{$getTranslation( 'page-not-found-learnmore' )}</a>
+						<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Deleted_wikis" class="btn btn-lg btn-outline-primary" role="button">{$getParsedTranslation( 'page-not-found-learnmore' )}</a>
 					</p>
 				</div>
 			</div>
 			<div class="bottom-links">
-				<a href="#" onClick="history.go(-1); return false;">&larr; {$getTranslation( 'wiki-not-found-goback' )}</a>
+				<a href="#" onClick="history.go(-1); return false;">&larr; {$getParsedTranslation( 'wiki-not-found-goback' )}</a>
 				<a href="https://miraheze.org">Miraheze</a>
-				<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getTranslation( 'wiki-directory' )} &rarr;</a>
+				<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getParsedTranslation( 'wiki-directory' )} &rarr;</a>
 			</div>
 		</html>
 	EOF;

MissingWiki.php

@@ -14,10 +14,13 @@
 	} else {
 		require_once __DIR__ . '/getTranslations.php';
 
-		$requestWikiUrl = 'https://meta.miraheze.org/wiki/Special:RequestWiki?wpsubdomain=' . substr($wgDBname, 0, -4);
+		$escapedRequestWikiUrl = htmlspecialchars(
+			'https://meta.miraheze.org/wiki/Special:RequestWiki?wpsubdomain=' . substr($wgDBname, 0, -4)
+		);
 
 		$getLanguageCode = 'getLanguageCode';
 		$getTranslation = 'getTranslation';
+		$getParsedTranslation = 'getParsedTranslation';
 
 		http_response_code( 404 );
 
@@ -143,17 +146,17 @@
 									style="stroke-width:3.86688" />
 								</svg>
 						</p>
-						<h1><b>{$getTranslation( 'missingwiki' )}</b></h1>
-						<p class="lead">{$getTranslation( 'wiki-not-found' )}</p>
+						<h1><b>{$getParsedTranslation( 'missingwiki' )}</b></h1>
+						<p class="lead">{$getParsedTranslation( 'wiki-not-found' )}</p>
 						<p>
-							<a href="{$requestWikiUrl}" class="btn btn-lg btn-outline-primary" role="button">{$getTranslation( 'wiki-not-found-startwiki' )}</a>
+							<a href="{$escapedRequestWikiUrl}" class="btn btn-lg btn-outline-primary" role="button">{$getParsedTranslation( 'wiki-not-found-startwiki' )}</a>
 						</p>
 					</div>
 				</div>
 				<div class="bottom-links">
-					<a href="#" onClick="history.go(-1); return false;">&larr; {$getTranslation( 'wiki-not-found-goback' )}</a>
+					<a href="#" onClick="history.go(-1); return false;">&larr; {$getParsedTranslation( 'wiki-not-found-goback' )}</a>
 					<a href="https://miraheze.org">Miraheze</a>
-					<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getTranslation( 'wiki-directory' )} &rarr;</a>
+					<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getParsedTranslation( 'wiki-directory' )} &rarr;</a>
 				</div>
 			</html>
 		EOF;

UnknownWiki.php

@@ -4,6 +4,7 @@
 
 $getLanguageCode = 'getLanguageCode';
 $getTranslation = 'getTranslation';
+$getParsedTranslation = 'getParsedTranslation';
 
 header( 'Cache-control: no-cache' );
 
@@ -136,18 +137,18 @@
 						</g>
 						</svg>
 				</p>
-				<h1><b>{$getTranslation( 'unknownwiki' )}</b></h1>
-				<p class="lead">{$getTranslation( 'unknownwiki-body' )}</p>
+				<h1><b>{$getParsedTranslation( 'unknownwiki' )}</b></h1>
+				<p class="lead">{$getParsedTranslation( 'unknownwiki-body' )}</p>
 				<p>
-					<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Help_center" class="btn btn-lg btn-outline-primary" role="button">{$getTranslation( 'get-help' )}</a>
-					<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Custom_domains" class="btn btn-lg btn-outline-info" role="button">{$getTranslation( 'custom-domain-instructions' )}</a>
+					<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Help_center" class="btn btn-lg btn-outline-primary" role="button">{$getParsedTranslation( 'get-help' )}</a>
+					<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Custom_domains" class="btn btn-lg btn-outline-info" role="button">{$getParsedTranslation( 'custom-domain-instructions' )}</a>
 				</p>
 			</div>
 		</div>
 		<div class="bottom-links">
-			<a href="#" onClick="history.go(-1); return false;">&larr; {$getTranslation( 'wiki-not-found-goback' )}</a>
+			<a href="#" onClick="history.go(-1); return false;">&larr; {$getParsedTranslation( 'wiki-not-found-goback' )}</a>
 			<a href="https://miraheze.org">Miraheze</a>
-			<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getTranslation( 'wiki-directory' )} &rarr;</a>
+			<a href="https://meta.miraheze.org/wiki/Special:WikiDiscover">{$getParsedTranslation( 'wiki-directory' )} &rarr;</a>
 		</div>
 	</html>
 EOF;

databaseMaintenance.php

@@ -4,6 +4,7 @@
 
 $getLanguageCode = 'getLanguageCode';
 $getTranslation = 'getTranslation';
+$getParsedTranslation = 'getParsedTranslation';
 
 http_response_code( 503 );
 
@@ -129,17 +130,17 @@
 						style="fill:#3366cc" />
 					</g>
 					</svg>
-				<h1><b>{$getTranslation( 'database-maintenance' )}</b></h1>
-				<p class="lead">{$getTranslation( 'wiki-unscheduled-database-maintenance' )}</p>
+				<h1><b>{$getParsedTranslation( 'database-maintenance' )}</b></h1>
+				<p class="lead">{$getParsedTranslation( 'wiki-unscheduled-database-maintenance' )}</p>
 				<p>
-					<a href="https://miraheze.org/discord" class="btn btn-lg btn-outline-primary" role="button">{$getTranslation( 'database-maintenance-join-discord' )}</a>
+					<a href="https://miraheze.org/discord" class="btn btn-lg btn-outline-primary" role="button">{$getParsedTranslation( 'database-maintenance-join-discord' )}</a>
 				</p>
 				<!--<small>Maintenance has been extended for this database cluster to 12:00 UTC, Monday, 19 December, 2022. Please check back soon.</small>-->
 			</div>
 		</div>
 		<div class="bottom-links">
-			<a href="#" onClick="history.go(-1); return false;">&larr; {$getTranslation( 'wiki-not-found-goback' )}</a>
-			<!--<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Miraheze">{$getTranslation( 'wiki-not-found-meta' )}</a>-->
+			<a href="#" onClick="history.go(-1); return false;">&larr; {$getParsedTranslation( 'wiki-not-found-goback' )}</a>
+			<!--<a href="https://meta.miraheze.org/wiki/Special:MyLanguage/Miraheze">{$getParsedTranslation( 'wiki-not-found-meta' )}</a>-->
 		</div>
 	</html>
 EOF;

getTranslations.php

@@ -5,10 +5,23 @@ function getTranslation( $key ) {
 		return "({$key})";
 	}
 
-	return preg_replace( '/\[(.*?)[\|| ](.*?)\]/', '<a href="$1">$2</a>',
-		nl2br( htmlspecialchars(
-			getLocalisation()[$key] ?? getFallback()[$key] ?? getDefault()[$key]
-		) )
+	return htmlspecialchars( getLocalisation()[$key] ?? getFallback()[$key] ?? getDefault()[$key] );
+}
+
+function getParsedTranslation( $key ) {
+	return preg_replace_callback(
+		'/\[(.*?)[\|| ](.*?)\]/',
+		function ( $matches ) {
+			$url = $matches[1];
+			$text = $matches[2];
+
+			if ( !preg_match( '#^(?:https?://|/)#', $url ) ) {
+				return '<!--Invalid URL-->';
+			}
+
+			return '<a href="' . $url . '">' . $text . '</a>';
+		},
+		nl2br( getTranslation( $key ) ),
 	);
 }