SECURITY: Escape '<' and ']]>' in inline <style> blocks

This is to prevent people from closing the <style> tag, and
then doing arbitrary js-y things. In particular, this is needed
for when previewing user css pages.

This does not escape '>' since its used as the child selector
in css, and generally speaking, '>' is safe inside the contents
of elements.

Bug: T133147
Change-Id: If024398d7bd4b578ad7f8c74367787f5b19eb9d7

diff --git a/includes/Html.php b/includes/Html.php
index 7cb75bb..8c01448 100644 (file)
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -627,6 +627,17 @@ class Html {
         * @return string Raw HTML
         */
        public static function inlineStyle( $contents, $media = 'all' ) {
+               // Don't escape '>' since that is used
+               // as direct child selector.
+               // Remember, in css, there is no "x" for hexadecimal escapes, and
+               // the space immediately after an escape sequence is swallowed.
+               $contents = strtr( $contents, [
+                       '<' => '\3C ',
+                       // CDATA end tag for good measure, but the main security
+                       // is from escaping the '<'.
+                       ']]>' => '\5D\5D\3E '
+               ] );
+
                if ( preg_match( '/[<&]/', $contents ) ) {
                        $contents = "/*<![CDATA[*/$contents/*]]>*/";
                }