If the editfont preference somehow had a value like "foo; color: blue",
we have a CSS injection problem. Normally preference validation should
protect against that, but the API module for setting preferences doesn't
perform any validation.
Change-Id: I5c12aa9a48bf4f6ea4a8fb44554d13189e7757fb
$rules[] = ".editsection { display: none; }\n";
}
if ( $options['editfont'] !== 'default' ) {
- $rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+ // Double-check that $options['editfont'] consists of safe characters only
+ if ( preg_match( '/^[a-zA-Z0-9_, -]+$/', $options['editfont'] ) ) {
+ $rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+ }
}
$style = implode( "\n", $rules );
if ( $this->getFlip( $context ) ) {
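Review bot: The allow-list on the new preg_match is sound (it excludes `;`, `:`, `{`, `}`, `(`, `)`, `/` and quotes, so a value cannot break out of the `font-family` declaration), but `$` in PCRE also matches before a single trailing newline, so a value such as `"monospace\n"` still passes and the newline is interpolated into the stylesheet. That is harmless in CSS, but the check should be anchored exactly: `if ( preg_match( '/^[a-zA-Z0-9_, -]+$/D', $options['editfont'] ) ) {` (or `\z` in place of `$`). A rejected value now silently drops the textarea rule; that is the right defensive outcome here, though a brief comment such as `// Unsafe value: omit the rule rather than emit it` would make the intent clear to the next reader. The enclosing method begins and ends outside this hunk.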