(bug 42202) Validate editfont before embedding it in CSS

If the editfont preference somehow had a value like "foo; color: blue",
we have a CSS injection problem. Normally preference validation should
protect against that, but the API module for setting preferences doesn't
perform any validation.

Change-Id: I5c12aa9a48bf4f6ea4a8fb44554d13189e7757fb

diff --git a/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php b/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
index d90e8c4..bdb240e 100644 (file)
--- a/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
+++ b/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
@@ -81,7 +81,10 @@ class ResourceLoaderUserCSSPrefsModule extends ResourceLoaderModule {
                                $rules[] = ".editsection { display: none; }\n";
                        }
                        if ( $options['editfont'] !== 'default' ) {
-                               $rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+                               // Double-check that $options['editfont'] consists of safe characters only
+                               if ( preg_match( '/^[a-zA-Z0-9_, -]+$/', $options['editfont'] ) ) {
+                                       $rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+                               }
                        }
                        $style = implode( "\n", $rules );
                        if ( $this->getFlip( $context ) ) {