X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=8919f10ad60e0935f9a105d8d5e07807d6b1daa0;hb=759518bdde8825dc414c1ff0cf99a9dc84088ae6;hp=734c4ec9de319a5ac0a050178e91bdc201f20dc6;hpb=410d1617dbb245d351a85eac9391c0b73960e691;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 734c4ec9de..8919f10ad6 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -692,7 +692,9 @@ class Sanitizer {
 }
 }
- if ( $attribute === 'align' && !in_array( $element, $cells ) ) {
+ // Table align is special, it's about block alignment instead of
+ // content align (see also bug 40306)
+ if ( $attribute === 'align' && in_array( $element, $table ) ) {
 if ( $value === 'center' ) {
 $style .= ' margin-left: auto;';
 $property = 'margin-right';
@@ -910,7 +912,7 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( !ix', $value ) ) {
 return '/* insecure input */';
 }
 return $value;
@@ -1181,6 +1183,7 @@ class Sanitizer {
 * attribs regex matches.
 *
 * @param $set Array
+ * @throws MWException
 * @return String
 */
 private static function getTagAttributeCallback( $set ) {
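Review bot: In the hunk at -692, the new test `in_array( $element, $table )` uses loose comparison, and the added comment covers only the table case. The old `!in_array( $element, $cells )` sent every non-cell element through the margin translation, so elements in neither list now skip this branch, and the comment should say what happens to them instead. I would write the condition as `if ( $attribute === 'align' && in_array( $element, $table, true ) ) {`. `$table` is defined outside the hunk and the `if` body continues past its last line, so which elements are affected cannot be confirmed from here.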
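Review bot: In the hunk at -910, the added alternative `image\s*\(` rejects only the bare `image(` notation, so the related CSS function `image-set(`, which also takes a resource reference, is not matched because `-set` sits between the keyword and the parenthesis. Since this is a deny-list, I would extend the same line to `'! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix'`. I would also expand the comment above the check to state that these keywords are blocked because they can load external resources or run script, so the next addition has a stated criterion. The function starts outside the hunk, so whether `$value` has had CSS escapes and comments normalised before this match cannot be confirmed here; the pattern is only as strong as that earlier step.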