so they get called on non-EditPage actions that use these functions
to create or update pages.
* Fix table prefix usage in Block::enumBlocks
+* (bug 3244) Fix remote image loading hack, JavaScript injection on MSIE
=== Caveats ===
$text = strtr( $text, array( '<noinclude>' => '', '</noinclude>' => '') );
$text = preg_replace( '/<includeonly>.*?<\/includeonly>/s', '', $text );
- $text = Sanitizer::removeHTMLtags( $text, array( &$this, 'replaceVariables' ) );
+ $text = Sanitizer::removeHTMLtags( $text, array( &$this, 'attributeStripCallback' ) );
$text = $this->replaceVariables( $text, $args );
$text = preg_replace( '/(^|\n)-----*/', '\\1<hr />', $text );
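Review bot: The callback swap on the removeHTMLtags call carries no explanation of why attribute values now need a different callback than the rest of the text, and the enclosing function starts and ends outside this hunk. A one-line comment above the call would make the intent durable, e.g. `# Attribute values are expanded and unstripped (nowiki etc.) before the Sanitizer validates them, so hidden content cannot bypass the attribute checks (bug 3244)`. Note that the attribute values expanded inside the callback are then part of `$text` when replaceVariables runs again on the following line; if that double pass is intended it is worth stating, otherwise confirm it cannot re-expand output of the first pass.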
function disableCache() {
$this->mOutput->mCacheTime = -1;
}
+
+ /**
+ * Callback from the Sanitizer for expanding items found in HTML attribute
+ * values, so they can be safely tested and escaped.
+ * @param string $text
+ * @param array $args
+ * @return string
+ * @access private
+ */
+ function attributeStripCallback( &$text, $args ) {
+ $text = $this->replaceVariables( $text, $args );
+ $text = $this->unstrip( $text, $this->mStripState );
+ $text = $this->unstripNoWiki( $text, $this->mStripState );
+ return $text;
+ }
}
/**
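Review bot: The docblock says the values are returned "so they can be safely tested and escaped", but the method itself performs no escaping; the two unstrip calls reinsert previously hidden (e.g. nowiki) content verbatim into the attribute value, so the safety of the result depends entirely on the Sanitizer validating the returned string afterwards, as the parser tests in this commit exercise. I would make that explicit in the docblock: `@return string the fully expanded attribute value, not yet validated or escaped; the caller must sanitize it`. Since the expanded value is also returned, taking `$text` by reference looks redundant; `function attributeStripCallback( $text, $args )` would avoid the caller depending on side effects, unless the Sanitizer relies on the by-reference modification (confirm against removeHTMLtags, which is outside this hunk).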
'RFC' => 'RFC',
'PMID' => 'PMID',
) );
- $value = preg_replace(
- '/(' . $wgUrlProtocols . '):/',
- '\\1:', $value );
+
+ # Stupid hack
+ $value = preg_replace_callback(
+ '/(' . $wgUrlProtocols . ')/',
+ array( 'Sanitizer', 'armorLinksCallback' ),
+ $value );
// If this attribute was previously set, override it.
// Output should only have one attribute of each name.
}
}
+ /**
+ * Regex replace callback for armoring links against further processing.
+ * @param array $matches
+ * @return string
+ * @access private
+ */
+ function armorLinksCallback( $matches ) {
+ return str_replace( ':', ':', $matches[1] );
+ }
+
/**
* Return an associative array of attribute names and values from
* a partial tag string. Attribute names are forces to lowercase,
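Review bot: As displayed, both arguments to str_replace in armorLinksCallback are the literal `:`, which makes the call a no-op and leaves the protocol colon unarmored; the removed line `'\\1:'` shows the same pattern, so presumably the committed source contains a character entity for the colon that this rendering decoded, and that should be confirmed before relying on the armoring. The `# Stupid hack` comment at the call site says nothing about purpose; replacing it with `# Armor the colon of any URL protocol in the value so later link processing does not treat the attribute content as a link` matches the callback's own docblock. The callback is registered as `array( 'Sanitizer', 'armorLinksCallback' )`, i.e. a static call, while the method is declared without `static` and could be marked so if the targeted PHP version allows it.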
!! end
+!! test
+Bug 3244: HTML attribute safety (extension; safe)
+!! input
+<div style="<nowiki>background:blue</nowiki>"></div>
+!! result
+<div style="background:blue"></div>
+
+!! end
+
+!! test
+Bug 3244: HTML attribute safety (extension; unsafe)
+!! input
+<div style="<nowiki>border-left:expression(alert(document.cookie))</nowiki>"></div>
+!! result
+<div></div>
+
+!! end
+
TODO:
more images