From: Brion Vibber
Date: Sun, 2 Jul 2006 22:45:16 +0000 (+0000)
Subject: Move 'style' attribute check to Sanitizer::checkCss, which can be called separately
X-Git-Tag: 1.31.0-rc.0~56455
X-Git-Url: http://git.cyclocoop.org/%24image?a=commitdiff_plain;h=2a942df0c73d370a8567c01cf8416805ac77296b;p=lhc%2Fweb%2Fwiklou.git
Move 'style' attribute check to Sanitizer::checkCss, which can be called separately
---
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 6d731c2366..f5a24dfa33 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -561,18 +561,8 @@ class Sanitizer {
 # Strip javascript "expression" from stylesheets.
 # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
 if( $attribute == 'style' ) {
- $stripped = Sanitizer::decodeCharReferences( $value );
-
- // Remove any comments; IE gets token splitting wrong
- $stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );
- $value = $stripped;
-
- // ... and continue checks
- $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
- 'codepointToUtf8(hexdec("$1"))', $stripped );
- $stripped = str_replace( '\\', '', $stripped );
- if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
- $stripped ) ) {
+ $value = Sanitizer::checkCss( $value );
+ if( $value === false ) {
 # haxx0r
 continue;
 }
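Review bot: The comments kept around the new call — `# Strip javascript "expression" from stylesheets.` with the MSDN link above the `if( $attribute == 'style' )` branch, and `# haxx0r` on the rejection path — now describe only one of the constructs Sanitizer::checkCss rejects (the pattern also matches `url(` and `tps*://` scheme fragments), so a reader of this loop no longer sees why a style attribute gets dropped. I would replace the two header lines with `# Run the style value through Sanitizer::checkCss; it rejects expression(), url() and tps*:// references and returns false for unsafe input` and the `# haxx0r` line with `# unsafe CSS: drop the whole attribute rather than try to repair it`. The attribute loop enclosing this branch starts and ends outside the hunk. Separately, the checkCss body added in the following hunk still decodes hex escapes with preg_replace's `/e` modifier, which evaluates the replacement string as PHP; preg_replace_callback calling codepointToUtf8 on hexdec of the capture would keep that decoding free of string evaluation.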
@@ -587,6 +577,35 @@ class Sanitizer {
 }
 return $out;
 }
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+ * Returns a sanitized string, or false if it was just too evil.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
+ * @param string $value
+ * @return mixed
+ */
+ static function checkCss( $value ) {
+ $stripped = Sanitizer::decodeCharReferences( $value );
+
+ // Remove any comments; IE gets token splitting wrong
+ $stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );
+ $value = $stripped;
+
+ // ... and continue checks
+ $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
+ 'codepointToUtf8(hexdec("$1"))', $stripped );
+ $stripped = str_replace( '\\', '', $stripped );
+ if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
+ $stripped ) ) {
+ # haxx0r
+ return false;
+ }
+
+ return $value;
+ }
 /**
 * Take a tag soup fragment listing an HTML element's attributes