X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=8919f10ad60e0935f9a105d8d5e07807d6b1daa0;hb=759518bdde8825dc414c1ff0cf99a9dc84088ae6;hp=a0c77da758b5b1dfdd02281313810542c0f2c1b9;hpb=d266f40a2f828810d0249de1fdd7107a026066d4;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index a0c77da758..8919f10ad6 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -692,7 +692,9 @@ class Sanitizer {
 }
 }
- if ( $attribute === 'align' && !in_array( $element, $cells ) ) {
+ // Table align is special, it's about block alignment instead of
+ // content align (see also bug 40306)
+ if ( $attribute === 'align' && in_array( $element, $table ) ) {
 if ( $value === 'center' ) {
 $style .= ' margin-left: auto;';
 $property = 'margin-right';
@@ -910,7 +912,7 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( !ix', $value ) ) {
 return '/* insecure input */';
 }
 return $value;
@@ -1026,7 +1028,7 @@ class Sanitizer {
 # Stupid hack
 $encValue = preg_replace_callback(
- '/(' . wfUrlProtocols() . ')/',
+ '/((?i)' . wfUrlProtocols() . ')/',
 array( 'Sanitizer', 'armorLinksCallback' ),
 $encValue );
 return $encValue;
@@ -1181,6 +1183,7 @@ class Sanitizer {
 * attribs regex matches.
 *
 * @param $set Array
+ * @throws MWException
 * @return String
 */
 private static function getTagAttributeCallback( $set ) {
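Review bot: The new `in_array( $element, $table )` test in the first hunk uses PHP's loose comparison; passing the strict flag, `in_array( $element, $table, true )`, keeps the element-name match exact. `$table` and `$cells` are defined outside this hunk, so I am assuming `$table` is the list of table element names. The added comment could also say what now happens to `align` on elements that are neither tables nor cells, since they no longer take this branch and the code that handles them is not visible here.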
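Review bot: The added `image\s*\(` alternative extends a keyword denylist, and the pattern still does not match other CSS functions that accept a URL, for example `image-set(`; consider extending the same pattern with `| image-set\s*\( `. A comment above the `elseif` should give the reason each keyword is rejected, e.g. `// url(), image(): can make the browser load external resources`, so later additions follow a rule rather than a list of incidents. Whether CSS escapes and comments are decoded before this check is not visible in the hunk, and the denylist only holds if they are. A parser test for the new keyword would pin the behaviour.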
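Review bot: The inline `(?i)` in the third hunk works only because PCRE carries an option set in one alternative into the later branches of the same group; the pattern modifier states the same intent more plainly: `'/(' . wfUrlProtocols() . ')/i',`. The `# Stupid hack` comment above it should be replaced by one that explains the change, e.g. `# URL schemes are case-insensitive, so armor "HTTP://" as well as "http://"`. wfUrlProtocols() is defined outside the hunk; I am assuming it returns an alternation that is already quoted for the `/` delimiter.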