Merge "Disallow css attr() with url type"

author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>

Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)

committer Gerrit Code Review <gerrit@wikimedia.org>

Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
author jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
committer Gerrit Code Review <gerrit@wikimedia.org>
Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php

index c81c7bb..4069658 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1015,6 +1015,7 @@ class Sanitizer {
                                 | url\s*\(
                                 | image\s*\(
                                 | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                         !ix', $value ) ) {
                         return '/* insecure input */';
                 }
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php

index 26529e8..c915b70 100644 (file)
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@ class SanitizerTest extends MediaWikiTestCase {
                                 '/* insecure input */',
                                 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
                         ],
+                       [ '/* insecure input */', 'foo: attr( title, url );' ],
+                       [ '/* insecure input */', 'foo: attr( title url );' ],
                 ];
         }
author	jenkins-bot <jenkins-bot@gerrit.wikimedia.org>
	Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
committer	Gerrit Code Review <gerrit@wikimedia.org>
	Thu, 29 Sep 2016 00:58:43 +0000 (00:58 +0000)
includes/Sanitizer.php		patch \| blob \| history
tests/phpunit/includes/SanitizerTest.php		patch \| blob \| history