SECURITY: blacklist CSS var()

[lhc/web/wiklou.git] / includes / parser / Sanitizer.php

diff --git a/includes/parser/Sanitizer.php b/includes/parser/Sanitizer.php
index 518846c..f76e3a9 100644 (file)
--- a/includes/parser/Sanitizer.php
+++ b/includes/parser/Sanitizer.php
@@ -1073,6 +1073,7 @@ class Sanitizer {
                                | image\s*\(
                                | image-set\s*\(
                                | attr\s*\([^)]+[\s,]+url
+                               | var\s*\(
                        !ix', $value ) ) {
                        return '/* insecure input */';
                }
@@ -1918,7 +1919,8 @@ class Sanitizer {
                        # such as <math> when it is rasterized, or if $wgAllowImageTag is
                        # true
                        'img'        => array_merge( $common, [ 'alt', 'src', 'width', 'height', 'srcset' ] ),
-
+                       # Attributes for A/V tags added in T163583 / T133673
+                       'audio'      => array_merge( $common, [ 'controls', 'preload', 'width', 'height' ] ),
                        'video'      => array_merge( $common, [ 'poster', 'controls', 'preload', 'width', 'height' ] ),
                        'source'     => array_merge( $common, [ 'type', 'src' ] ),
                        'track'      => array_merge( $common, [ 'type', 'src', 'srclang', 'kind', 'label' ] ),
@@ -1956,6 +1958,7 @@ class Sanitizer {
 
                        // HTML 5 section 4.5
                        'figure'     => $common,
+                       'figure-inline' => $common, # T118520
                        'figcaption' => $common,
 
                        # HTML 5 section 4.6