| Index: branches/wmf/1.16wmf4/includes/Sanitizer.php |
| — | — | @@ -644,10 +644,6 @@ |
| 645 | 645 | # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp |
| 646 | 646 | if( $attribute == 'style' ) { |
| 647 | 647 | $value = Sanitizer::checkCss( $value ); |
| 648 | | - if( $value === false ) { |
| 649 | | - # haxx0r |
| 650 | | - continue; |
| 651 | | - } |
| 652 | 648 | } |
| 653 | 649 | |
| 654 | 650 | if ( $attribute === 'id' ) { |
| — | — | @@ -744,10 +740,8 @@ |
| 745 | 741 | $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); |
| 746 | 742 | |
| 747 | 743 | // Decode escape sequences and line continuation |
| 748 | | - // See the grammar in the CSS 2 spec, appendix D, Mozilla implements it accurately. |
| 749 | | - // IE 8 doesn't implement it at all, but there's no way to introduce url() into |
| 750 | | - // IE that doesn't hit Mozilla also. |
| 751 | | - static $decodeRegex; |
| | 744 | + // See the grammar in the CSS 2 spec, appendix D. |
| | 745 | + static $decodeRegex, $reencodeTable; |
| 752 | 746 | if ( !$decodeRegex ) { |
| 753 | 747 | $space = '[\\x20\\t\\r\\n\\f]'; |
| 754 | 748 | $nl = '(?:\\n|\\r\\n|\\r|\\f)'; |
| — | — | @@ -756,30 +750,41 @@ |
| 757 | 751 | (?: |
| 758 | 752 | ($nl) | # 1. Line continuation |
| 759 | 753 | ([0-9A-Fa-f]{1,6})$space? | # 2. character number |
| 760 | | - (.) # 3. backslash cancelling special meaning |
| | 754 | + (.) | # 3. backslash cancelling special meaning |
| | 755 | + () | # 4. backslash at end of string |
| 761 | 756 | )/xu"; |
| 762 | 757 | } |
| 763 | | - $decoded = preg_replace_callback( $decodeRegex, |
| | 758 | + $value = preg_replace_callback( $decodeRegex, |
| 764 | 759 | array( __CLASS__, 'cssDecodeCallback' ), $value ); |
| 765 | | - if ( preg_match( '!expression|https?://|url\s*\(!i', $decoded ) ) { |
| 766 | | - // Not allowed |
| 767 | | - return false; |
| 768 | | - } else { |
| 769 | | - // Allowed, return CSS with comments stripped |
| 770 | | - return $value; |
| | 760 | + |
| | 761 | + // Reject problematic keywords and control characters |
| | 762 | + if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { |
| | 763 | + return '/* invalid control char */'; |
| | 764 | + } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) { |
| | 765 | + return '/* insecure input */'; |
| 771 | 766 | } |
| | 767 | + return $value; |
| 772 | 768 | } |
| 773 | 769 | |
| 774 | 770 | static function cssDecodeCallback( $matches ) { |
| 775 | 771 | if ( $matches[1] !== '' ) { |
| | 772 | + // Line continuation |
| 776 | 773 | return ''; |
| 777 | 774 | } elseif ( $matches[2] !== '' ) { |
| 778 | | - return codepointToUtf8( hexdec( $matches[2] ) ); |
| | 775 | + $char = codepointToUtf8( hexdec( $matches[2] ) ); |
| 779 | 776 | } elseif ( $matches[3] !== '' ) { |
| 780 | | - return $matches[3]; |
| | 777 | + $char = $matches[3]; |
| 781 | 778 | } else { |
| 782 | | - throw new MWException( __METHOD__.': invalid match' ); |
| | 779 | + $char = '\\'; |
| 783 | 780 | } |
| | 781 | + if ( $char == "\n" || $char == '"' || $char == "'" || $char == '\\' ) { |
| | 782 | + // These characters need to be escaped in strings |
| | 783 | + // Clean up the escape sequence to avoid parsing errors by clients |
| | 784 | + return '\\' . dechex( ord( $char ) ) . ' '; |
| | 785 | + } else { |
| | 786 | + // Decode unnecessary escape |
| | 787 | + return $char; |
| | 788 | + } |
| 784 | 789 | } |
| 785 | 790 | |
| 786 | 791 | /** |
| Property changes on: branches/wmf/1.16wmf4/includes/Sanitizer.php |
| ___________________________________________________________________ |
| Name: svn:mergeinfo |
| 787 | 792 | + /branches/REL1_15/phase3/includes/Sanitizer.php:51646 |
| /branches/sqlite/includes/Sanitizer.php:58211-58321 |
| /branches/wmf-deployment/includes/Sanitizer.php:53381,60970 |
| /trunk/phase3/includes/Sanitizer.php:63549,63764,63897-63901,64113,64509,65387,65391,65555,65590,65650,65816,66990 |