X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fparser%2FSanitizer.php;h=d8e5e3e321e7bbc5741b7be398773c59834cd6f8;hb=110a5877e9e6ebe7a6ecd758f5812f32fc4ef57e;hp=abf071414b163a804596b2b2e3c2f17bad0f68b5;hpb=1d1bb122942d2ca6e557dc13e2d198276ce65ba6;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index abf071414b..d8e5e3e321 100644
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -1073,6 +1073,7 @@ class Sanitizer {
 				| image\s*\(
 				| image-set\s*\(
 				| attr\s*\([^)]+[\s,]+url
+				| var\s*\(
 			!ix', $value ) ) {
 			return '/* insecure input */';
 		}
@@ -1244,7 +1245,7 @@ class Sanitizer {
 	 *   HTML5 definition of id attribute
 	 *
 	 * @param string $id Id to escape
-	 * @param string|array $options String or array of strings (default is array()):
+	 * @param string|array $options String or array of strings (default is []):
 	 *   'noninitial': This is a non-initial fragment of an id, not a full id,
 	 *       so don't pay attention if the first character isn't valid at the
 	 *       beginning of an id.
@@ -1947,7 +1948,7 @@ class Sanitizer {
 			# rbc
 			'rb'         => $common,
 			'rp'         => $common,
-			'rt'         => $common, # array_merge( $common, array( 'rbspan' ) ),
+			'rt'         => $common, # array_merge( $common, [ 'rbspan' ] ),
 			'rtc'        => $common,
 
 			# MathML root element, where used for extensions