From d9a422f0d1097902bb71f5d1f9f8f344918ec240 Mon Sep 17 00:00:00 2001
From: Daniel Friesen
Date: Fri, 19 Oct 2012 01:12:56 -0700
Subject: [PATCH] Preemptively add image-set to our sanitizer.

WebKit's -webkit-image-set() requires a url() to work however css4-images' version of image-set permits strings such that image-set( 'asdf.png' 1x ) would be permitted and would bypass our filters.

Change-Id: I366d04807f66df449f791a5e8e2cb58768124a9a
---
 includes/Sanitizer.php | 2 +-
 tests/phpunit/includes/SanitizerTest.php | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 2c4ea47372..5aa0545ba0 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -916,7 +916,7 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( !ix', $value ) ) {
+ } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) {
 return '/* insecure input */';
 }
 return $value;
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index c593d2f1bf..dc672ba534 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
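Review bot: The comment above the changed `elseif` in includes/Sanitizer.php still says only "Reject problematic keywords and control characters", so the reason `image-set\s*\(` is on the deny-list is recorded nowhere but the commit message. I would add a line such as `// image-set() may take a bare string instead of url(), so it is rejected separately from url\s*\(` directly above the match. Since the pattern already runs with the `x` flag, the alternation could also be written one keyword per line, which keeps later additions to this list easy to audit in review. The enclosing method starts and ends outside the hunk, so whether CSS escapes and comments are normalised before this match cannot be confirmed from here and is worth checking against the new keyword.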
@@ -194,6 +194,9 @@ class SanitizerTest extends MediaWikiTestCase {
 array( '/* insecure input */', 'background-image: image(asdf.png);'),
 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),
+ array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);'),
+ array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'),
+ array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'),
 );
 }
 }
-- 
2.20.1
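Review bot: The three added cases exercise only the lower-case, double-quoted, no-space spelling, so the `i` flag and the `\s*` before the parenthesis in the new `image-set\s*\(` alternative are not covered by any test visible in this hunk. A regression that dropped either would still pass; I would add rows such as `array( '/* insecure input */', 'background-image: IMAGE-SET("asdf.png" 1x);'),` and `array( '/* insecure input */', 'background-image: image-set ("asdf.png" 1x);'),`. A single-quoted variant matching the example in the commit message would also tie the test to the stated motivation. The data provider begins outside the hunk, so equivalent coverage for the older keywords may or may not already exist.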