X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=3384af0a6e4ef1383d13ad4b464fc96ee7212947;hb=c01fb8e3c401630832504e5c8a8b8da6c49862c9;hp=4dbc9dd9db5367a54d0286cf7b5b86463a5ab79e;hpb=9ac64761a4ed4893be96af05184cf8e8fdc57fba;p=lhc%2Fweb%2Fwiklou.git diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 4dbc9dd9db..3384af0a6e 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -865,6 +865,27 @@ class Sanitizer { $value = preg_replace_callback( $decodeRegex, array( __CLASS__, 'cssDecodeCallback' ), $value ); + // Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii + $value = preg_replace_callback( + '/[!-z]/u', // U+FF01 to U+FF5A + function ( $matches ) { + $cp = utf8ToCodepoint( $matches[0] ); + if ( $cp === false ) { + return ''; + } + return chr( $cp - 65248 ); // ASCII range \x21-\x7A + }, + $value + ); + + // Convert more characters IE6 might treat as ascii + // U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D + $value = str_replace( + array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ), + array( 'r', 'n', 'n', 'l', 'i', '(', '(' ), + $value + ); + // Let the value through if it's nothing but a single comment, to // allow other functions which may reject it to pass some error // message through. @@ -885,8 +906,24 @@ class Sanitizer { } } + // S followed by repeat, iteration, or prolonged sound marks, + // which IE will treat as "ss" + $value = preg_replace( + '/s(?: + \xE3\x80\xB1 | # U+3031 + \xE3\x82\x9D | # U+309D + \xE3\x83\xBC | # U+30FC + \xE3\x83\xBD | # U+30FD + \xEF\xB9\xBC | # U+FE7C + \xEF\xB9\xBD | # U+FE7D + \xEF\xBD\xB0 # U+FF70 + )/ix', + 'ss', + $value + ); + // Reject problematic keywords and control characters - if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) { + if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) { return '/* invalid control char */'; } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) { return '/* insecure input */';