dépôts / lhc / web / wiklou.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 81c291f) | patch
SECURITY: Escape '<' and ']]>' in inline <style> blocks
authorBrian Wolff <bawolff+wn@gmail.com>
Wed, 20 Apr 2016 17:41:20 +0000 (13:41 -0400)
committerChad <chadh@wikimedia.org>
Tue, 23 Aug 2016 03:34:22 +0000 (03:34 +0000)
commitd0662487e683d602d08f3c3875797e850ad7210c
treeb93bde45775aa4c6662183960d544ef28efc072btree | snapshot
parent81c291f2658836c83eb45fd958f2e54c854b4d23commit | diff
SECURITY: Escape '<' and ']]>' in inline <style> blocks

This is to prevent people from closing the <style> tag, and
then doing arbitrary js-y things. In particular, this is needed
for when previewing user css pages.

This does not escape '>' since its used as the child selector
in css, and generally speaking, '>' is safe inside the contents
of elements.

Bug: T133147
Change-Id: If024398d7bd4b578ad7f8c74367787f5b19eb9d7
includes/Html.php diff | blob | history
Wiklou, le Wiki du Wiklou