Merge "Disallow css attr() with url type"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
diff --combined includes/Sanitizer.php

index c81c7bb,7cd21d8..4069658
--- 1/includes/Sanitizer.php
--- 2/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@@ -1015,6 -1015,7 +1015,7 @@@ class Sanitizer 
                                 | url\s*\(
                                 | image\s*\(
                                 | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                         !ix', $value ) ) {
                         return '/* insecure input */';
                 }
@@@ -1867,7 -1868,7 +1868,7 @@@
                         list( /* $whole */, $protocol, $host, $rest ) = $matches;
   
                         // Characters that will be ignored in IDNs.
- -                      // http://tools.ietf.org/html/3454#section-3.1
+ +                      // https://tools.ietf.org/html/rfc3454#section-3.1
                         // Strip them before further processing so blacklists and such work.
                         $strip = "/
                                 \\s|          # general whitespace
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)