X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=40696583760d9b3b8ce518da1011365e89a3d4e9;hb=5412c2f4a16bf3ee420f4f621a2821899b692434;hp=8f1fc99fcde07fec42629d7b934960a3154891fd;hpb=b8804f6b841053d04236e2f135d0a9c06ab74a4e;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 8f1fc99fcd..4069658376 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1015,6 +1015,7 @@ class Sanitizer {
 | url\s*\(
 | image\s*\(
 | image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
 !ix', $value ) ) {
 return '/* insecure input */';
 }
@@ -1867,7 +1868,7 @@ class Sanitizer {
 list( /* $whole */, $protocol, $host, $rest ) = $matches;
 // Characters that will be ignored in IDNs.
- // http://tools.ietf.org/html/3454#section-3.1
+ // https://tools.ietf.org/html/rfc3454#section-3.1
 // Strip them before further processing so blacklists and such work.
 $strip = "/
 \\s| # general whitespace
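Review bot: The added `| attr\s*\([^)]+[\s,]+url` alternative in the first hunk (the CSS check near line 1015 of includes/Sanitizer.php) carries no explanation of why `attr()` with a `url` type is rejected, and the diff shows no test for it. A comment above the `preg_match` call would help the next maintainer, for example `// attr( <name> url ) lets an attribute value be used as a URL, so reject it like url()`. The pattern accepts only whitespace or a comma as the separator before `url`, so it presumably relies on CSS comments and escapes having been normalised earlier in the function, which starts outside the hunk; that is worth confirming. Test cases for both the space-separated and comma-separated forms would pin the behaviour, since a miss here fails open rather than returning `/* insecure input */`.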