r64377 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: < r64376 | r64377 | r64378 >
Date: 04:25, 30 March 2010
Author: tstarling
Status: deferred
Tags:
Comment:
MFT r64375: CSS injection
Modified paths:
  • /branches/REL1_15/extensions/InputBox (modified) (history)
  • /branches/REL1_15/extensions/InputBox/InputBox.classes.php (modified) (history)

Diff

Index: branches/REL1_15/extensions/InputBox/InputBox.classes.php
@@ -501,7 +501,28 @@
502502 // Validate the width; make sure it's a valid, positive integer
503503 $this->mWidth = intval( $this->mWidth <= 0 ? 50 : $this->mWidth );
504504
 505+ // Validate background color
 506+ if ( !$this->isValidColor( $this->mBGColor ) ) {
 507+ $this->mBGColor = 'transparent';
 508+ }
505509 wfProfileOut( __METHOD__ );
506510 }
507511
 512+ /**
 513+ * Do a security check on the bgcolor parameter
 514+ */
 515+ public function isValidColor( $color ) {
 516+ $regex = <<<REGEX
 517+ /^ (
 518+ [a-zA-Z]* | # color names
 519+ \# [0-9a-f]{3} | # short hexadecimal
 520+ \# [0-9a-f]{6} | # long hexadecimal
 521+ rgb \s* \( \s* (
 522+ \d+ \s* , \s* \d+ \s* , \s* \d+ | # rgb integer
 523+ [0-9.]+% \s* , \s* [0-9.]+% \s* , \s* [0-9.]+% # rgb percent
 524+ ) \s* \)
 525+ ) $ /xi
 526+REGEX;
 527+ return (bool) preg_match( $regex, $color );
 528+ }
508529 }
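Review bot: the `[a-zA-Z]* | # color names` alternative in the new `isValidColor()` regex also matches the empty string (`*` is zero or more), so `isValidColor( '' )` returns true and an empty bgcolor is passed through instead of being replaced by `'transparent'`; if an empty value is meant to be rejected, use `[a-zA-Z]+`. In the same pattern, `$` without the `D` modifier matches before a trailing newline, so `"red\n"` is accepted as well; `/xiD` (or `\z` instead of `$`) anchors to the real end of the string. Neither case lets a value escape the style attribute, because every alternative still excludes `;`, `:`, quotes and `}`, which is what the check needs to guarantee, but the docblock "Do a security check on the bgcolor parameter" would be more useful if it said exactly that: only bare colour names, 3- or 6-digit hex, and the two `rgb()` forms are allowed, everything else falls back to `transparent`.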
Property changes on: branches/REL1_15/extensions/InputBox
___________________________________________________________________
Name: svn:mergeinfo
509530 + /trunk/extensions/InputBox:64375

Past revisions this follows up on

Revision | Commit summary | Author | Date
r64375 | Validate background colour to avoid arbitrary style attribute injection. Lead... | tstarling | 03:59, 30 March 2010

Status & tagging log