From d0662487e683d602d08f3c3875797e850ad7210c Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 20 Apr 2016 13:41:20 -0400
Subject: [PATCH] SECURITY: Escape '<' and ']]>' in inline <style> blocks

This is to prevent people from closing the <style> tag, and
then doing arbitrary js-y things. In particular, this is needed
for when previewing user css pages.

This does not escape '>' since its used as the child selector
in css, and generally speaking, '>' is safe inside the contents
of elements.

Bug: T133147
Change-Id: If024398d7bd4b578ad7f8c74367787f5b19eb9d7
---
 includes/Html.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/includes/Html.php b/includes/Html.php
index 7cb75bba91..8c01448749 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -627,6 +627,17 @@ class Html {
 	 * @return string Raw HTML
 	 */
 	public static function inlineStyle( $contents, $media = 'all' ) {
+		// Don't escape '>' since that is used
+		// as direct child selector.
+		// Remember, in css, there is no "x" for hexadecimal escapes, and
+		// the space immediately after an escape sequence is swallowed.
+		$contents = strtr( $contents, [
+			'<' => '\3C ',
+			// CDATA end tag for good measure, but the main security
+			// is from escaping the '<'.
+			']]>' => '\5D\5D\3E '
+		] );
+
 		if ( preg_match( '/[<&]/', $contents ) ) {
 			$contents = "/*<![CDATA[*/$contents/*]]>*/";
 		}
-- 
2.20.1