From 284173282d4fc25031b6ded0f696c46ecbf97338 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Wed, 11 Jun 2014 16:29:33 -0700
Subject: [PATCH] Disallow css attr() with url type
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

CSS3 seems like it will extend the attr() function which can interpret attribute as different types, including 'url', which "...is interpreted as a quoted string within the ‘url()’ notation." Currently no browsers support this syntax yet, so submitting this as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
 includes/Sanitizer.php | 1 +
 tests/phpunit/includes/SanitizerTest.php | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 8f1fc99fcd..7cd21d81e2 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1015,6 +1015,7 @@ class Sanitizer {
 | url\s*\(
 | image\s*\(
 | image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
 !ix', $value ) ) {
 return '/* insecure input */';
 }
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 26529e871c..c915b70e1d 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@ class SanitizerTest extends MediaWikiTestCase {
 '/* insecure input */',
 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
 ],
+ [ '/* insecure input */', 'foo: attr( title, url );' ],
+ [ '/* insecure input */', 'foo: attr( title url );' ],
 ];
 }
-- 
2.20.1
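Review bot: The added alternative `| attr\s*\([^)]+[\s,]+url` carries no explanation, and the reason for it is easy to lose because, per the commit message, no browser implements typed attr() yet. A comment at the preg_match call (which starts above the hunk) would help, for example `// attr() with a 'url' type is treated like url(); rejected pre-emptively, see T68404`. It should also record that the match is deliberately broad: `[^)]+` followed by `[\s,]+url` rejects any attr() whose arguments contain a token beginning with `url`, such as a fallback string, while a form where the type keyword is not preceded by whitespace or a comma would not be caught. Whether $value has already had CSS comments and escapes normalised is not visible here; the new branch depends on that as much as the existing ones do.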
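Review bot: Both added cases are positives with a space after the opening parenthesis, so the data set never checks that an ordinary attr() still passes, nor does it exercise the `i` flag or the no-space comma form. I would add `[ '/* insecure input */', 'foo: ATTR(title,URL);' ],` and one negative case for `foo: attr( title );` whose expected value is whatever the sanitizer returns for safe input (not visible in this hunk). The provider method starts and ends outside the hunk.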