` wiki markup, validates against the configured whitelist, sanitizes attributes, and returns safe HTML. Demonstrates creating links, semantic containers, and styled elements.
```wikitext
// Wiki markup example 1: Creating a custom link
Click here for more information
// Rendered output:
// Click here for more information
// Wiki markup example 2: Semantic container with styling
This is an important notice with custom styling.
// Rendered output:
// This is an important notice with custom styling.
// Wiki markup example 3: Inline styled text
Important text
```
--------------------------------
### Configure Allowed HTML Tags and Attributes (PHP)
Source: https://context7.com/wikimedia/mediawiki-extensions-htmltags/llms.txt
Defines the global variable `$wgHTMLTagsAttributes` in LocalSettings.php to specify which HTML tags and their corresponding attributes are permitted. This whitelist approach is key to the extension's security.
```php
// In LocalSettings.php
$wgHTMLTagsAttributes['a'] = array( 'href', 'class', 'title' );
$wgHTMLTagsAttributes['span'] = array( 'class', 'id', 'style' );
$wgHTMLTagsAttributes['div'] = array( 'class', 'id' );
```
--------------------------------
### Register HTML Tags Parser Hook (PHP)
Source: https://context7.com/wikimedia/mediawiki-extensions-htmltags/llms.txt
Registers the `` parser hook with MediaWiki's parser during extension initialization. This hook is essential for the extension to process and render custom HTML tags.
```php
// In extension.json
"Hooks": {
"ParserFirstCallInit": "HTMLTags::register"
}
// Implementation in includes/HTMLTags.php
public static function register( $parser ) {
$parser->setHook( 'htmltag', [ __CLASS__, 'render' ] );
}
```
--------------------------------
### HTMLTags Extension Security Features and Sanitization
Source: https://context7.com/wikimedia/mediawiki-extensions-htmltags/llms.txt
Details the security features of the HTMLTags extension, focusing on XSS prevention. It outlines the process of parsing wiki variables, escaping HTML special characters using htmlspecialchars(), unescaping ampersands for URLs, and rendering HTML safely via MediaWiki's Html::element().
```php
// From includes/HTMLTags.php:48-61
// Step 1: Parse wiki variables in attribute values
$value = $parser->replaceVariables( $value, $frame );
// Step 2: Escape all HTML special characters to prevent XSS
$value = htmlspecialchars( $value, ENT_QUOTES );
// Example: href="javascript:alert('xss')" becomes href="javascript:alert('xss')"
// Step 3: Undo ampersand escaping for proper URL functionality
$value = str_replace( '&', '&', $value );
// Example: href="page?id=1&type=2" becomes href="page?id=1&type=2"
// Step 4: Build attributes array with sanitized values
$attributes[$key] = $value;
// Step 5: Use MediaWiki's safe HTML generation
// Html::element() provides additional XSS protection
if ( class_exists( 'MediaWiki\Html\Html' ) ) {
$htmlClass = 'MediaWiki\Html\Html'; // MW 1.40+
} else {
$htmlClass = 'Html'; // Earlier versions
}
return $htmlClass::element( $tagName, $attributes, $input );
// Real-world security test cases:
// Input: Click
// Output: Safe rendering with escaped JavaScript
// Input: Text
// Output: onclick attribute is completely ignored (not in whitelist)
// Input: Link
// Output: Link (ampersands preserved)
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.