From: DanielRenfro
Date: Sat, 5 Jul 2014 03:29:11 +0000 (-0400)
Subject: Breaking out disallowed CSS into a global variable
X-Git-Tag: 1.31.0-rc.0~14899^2
X-Git-Url: http://git.heureux-cyclage.org/?a=commitdiff_plain;ds=sidebyside;h=ad4f512c7452d91c7743de1dbbfad470a1226b9f;p=lhc%2Fweb%2Fwiklou.git

Breaking out disallowed CSS into a global variable

Bug: 11106
Change-Id: Iac6e9a3b1d0265dbd159509dd8938bddeb6f3bba
---

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 11196ae109..70978f1640 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2981,6 +2981,20 @@ $wgUseSiteJs = true;
 */
 $wgUseSiteCss = true;
 
+/**
+ * CSS that is disallowed by the sanitizer, as a regular expression.
+ */
+$wgDisallowedCss = '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+!ix';
+
 /**
 * Break out of framesets. This can be used to prevent clickjacking attacks,
 * or to prevent external sites from framing your site with ads.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 6a568c2d0c..75812f2f05 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -849,6 +849,8 @@ class Sanitizer {
 * @return string
 */
 static function checkCss( $value ) {
+ global $wgDisallowedCss;
+
 // Decode character references like {
 $value = Sanitizer::decodeCharReferences( $value );
 
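Review bot: The new `$wgDisallowedCss` docblock does not say that the value must be a complete PCRE pattern with its delimiters and the `ix` modifiers, nor that Sanitizer::checkCss skips the keyword check entirely when the setting is falsy, so an operator who sets it to `''` or `false` in LocalSettings silently turns off the insecure-input rejection. Proposed wording: `CSS that is disallowed by the sanitizer, as a complete PCRE regular expression (delimiters and modifiers included). A false or empty value disables the check and lets author-controlled CSS through unfiltered; prefer extending the default pattern over replacing it.` A sentence noting that the default alternatives (expression, url(, image-set( and the others listed) are what keeps script-bearing and remote-fetching CSS out of user styles would also help whoever tunes this later.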
@@ -937,18 +939,12 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
-} elseif ( preg_match(
- '! expression
- | filter\s*:
- | accelerator\s*:
- | -o-link\s*:
- | -o-link-source\s*:
- | -o-replace\s*:
- | url\s*\(
- | image\s*\(
- | image-set\s*\(
- !ix', $value ) ) {
- return '/* insecure input */';
+} else {
+ if ( $wgDisallowedCss ) {
+ if ( preg_match( $wgDisallowedCss, $value ) ) {
+ return '/* insecure input */';
+ }
+ }
 }
 return $value;
 }
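Review bot: The new branch fails open when the configured pattern is invalid: `preg_match()` returns `false` (with a warning) for a malformed `$wgDisallowedCss`, the truthiness test treats that the same as "no match", and the function falls through to `return $value;`, so a typo in the site configuration ships the unfiltered CSS to every reader. Comparing against `0` makes a PCRE error count as a rejection, `if ( preg_match( $wgDisallowedCss, $value ) !== 0 ) {`, and the error case deserves a log line so misconfiguration is noticed rather than silently passing everything. The `else { if { if {` nesting can collapse to one condition, `} elseif ( $wgDisallowedCss && preg_match( $wgDisallowedCss, $value ) !== 0 ) {`, which also keeps the structure of the original `elseif`. checkCss begins outside this hunk.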