Merge "Breaking out disallowed CSS into a global variable"
[lhc/web/wiklou.git] / includes / Sanitizer.php
index ec17a08..b68889c 100644 (file)
@@ -849,6 +849,8 @@ class Sanitizer {
         * @return string
         */
        static function checkCss( $value ) {
+               global $wgDisallowedCss;
+
                // Decode character references like {
                $value = Sanitizer::decodeCharReferences( $value );
 
@@ -937,18 +939,12 @@ class Sanitizer {
                // Reject problematic keywords and control characters
                if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
                        return '/* invalid control char */';
-               } elseif ( preg_match(
-                       '! expression
-                               | filter\s*:
-                               | accelerator\s*:
-                               | -o-link\s*:
-                               | -o-link-source\s*:
-                               | -o-replace\s*:
-                               | url\s*\(
-                               | image\s*\(
-                               | image-set\s*\(
-                       !ix', $value ) ) {
-                       return '/* insecure input */';
+               } else {
+                       if ( $wgDisallowedCss ) {
+                               if ( preg_match( $wgDisallowedCss, $value ) ) {
+                                       return '/* insecure input */';
+                               }
+                       }
                }
                return $value;
        }
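Review bot: The new `else` branch fails open: when `$wgDisallowedCss` is empty or unset the check is skipped, and when it holds a pattern that does not compile `preg_match()` returns `false`, so in both cases `checkCss()` falls through to `return $value` with `url(`, `expression` and the other previously blocked constructs intact. Treat a regex error as a rejection and collapse the nested `if` into `} elseif ( $wgDisallowedCss && preg_match( $wgDisallowedCss, $value ) !== 0 ) {`. The default value of the global is not visible in this diff; it should carry the removed pattern together with its `!…!ix` delimiters and flags, because the filter is now only as strict as whatever a site configures. The docblock above `checkCss()` (first hunk; the function body runs on outside both hunks) should state that the keyword blocklist comes from `$wgDisallowedCss` and that a falsy value disables it.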