From 8781f25c74b9759c36e2c57eb14601daf2436b28 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Thu, 6 Oct 2005 02:38:26 +0000
Subject: [PATCH] * Blacklist additional MSIE CSS safety tricks
---
RELEASE-NOTES | 2 ++
includes/Sanitizer.php | 18 ++++++++++++-----
maintenance/parserTests.txt | 40 +++++++++++++++++++++++++++++++++++++
3 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index e273039b5c..eb6ec7a8c3 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -129,6 +129,8 @@ fully support the editing toolbar, but was found to be too confusing.
* (bug 3595) Warn and abort if importDump.php called in read-only mode.
* (bug 3598) Update message cache on message page deletion, patch by Tietew
* Added separate newarticletext messages for logged in and anon users.
+* Blacklist additional MSIE CSS safety tricks
+
=== Caveats ===
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index e0217ba5eb..a543960e3c 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -554,11 +554,19 @@ class Sanitizer {
# Strip javascript "expression" from stylesheets.
# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
- if( $attribute == 'style' && preg_match(
- '/(expression|tps*:\/\/|url\\s*\().*/is',
- Sanitizer::decodeCharReferences( $value ) ) ) {
- # haxx0r
- continue;
+ if( $attribute == 'style' ) {
+ // Remove any comments; IE gets token splitting wrong
+ $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value );
+
+ $stripped = Sanitizer::decodeCharReferences( $value );
+ $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
+ 'codepointToUtf8(hexdec("$1"))', $stripped );
+ $stripped = str_replace( '\\', '', $stripped );
+ if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
+ $stripped ) ) {
+ # haxx0r
+ continue;
+ }
}
# Templates and links may be expanded in later parsing,
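Review bot: The hex-escape decode at `preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e', ...` relies on the `/e` modifier, which evaluates the replacement string as PHP code; the capture is restricted to hex digits so nothing untrusted reaches the evaluated string, but `preg_replace_callback` with a small static callback returning `codepointToUtf8( hexdec( $m[1] ) )` expresses the same decode without eval semantics and is the safer form to keep in a sanitizer. The comment-stripping pattern on the line above it carries only the `S` flag, so `.` stops at a newline and a comment spanning one is left in `$value` and `$stripped`, where it still splits the `url(`/`expression` tokens the final `preg_match` looks for; if a newline can survive into the attribute value at this point (not visible from the hunk), adding the `s` flag, `'!/\\*.*?\\*/!sS'`, closes that gap. It is also worth confirming that `codepointToUtf8` tolerates the full range `hexdec` can produce from six hex digits, since values above the Unicode range are reachable. The enclosing method continues outside the hunk.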
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index fa40448c69..a967ddb201 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2741,6 +2741,46 @@ Nested template calls
!! end
+
+# More MSIE fun discovered by Tom Gilder
+
+!! test
+MSIE CSS safety test: spurious slash
+!! input
+evil
+!! result
+evil
+
+!! end
+
+!! test
+MSIE CSS safety test: hex code
+!! input
+evil
+!! result
+evil
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in url
+!! input
+evil
+!! result
+evil
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in expression
+!! input
+evil4
+!! result
+evil4
+
+!! end
+
+
TODO:
more images
more tables
--
2.20.1