From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 20 Apr 2016 17:41:20 +0000 (-0400)
Subject: SECURITY: Escape '<' and ']]>' in inline <style> blocks
X-Git-Tag: 1.31.0-rc.0~5948^2~2
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/exercices/?a=commitdiff_plain;h=d0662487e683d602d08f3c3875797e850ad7210c;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Escape '<' and ']]>' in inline <style> blocks

This is to prevent people from closing the <style> tag, and
then doing arbitrary js-y things. In particular, this is needed
for when previewing user css pages.

This does not escape '>' since its used as the child selector
in css, and generally speaking, '>' is safe inside the contents
of elements.

Bug: T133147
Change-Id: If024398d7bd4b578ad7f8c74367787f5b19eb9d7
---

diff --git a/includes/Html.php b/includes/Html.php
index 7cb75bba91..8c01448749 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -627,6 +627,17 @@ class Html {
 	 * @return string Raw HTML
 	 */
 	public static function inlineStyle( $contents, $media = 'all' ) {
+		// Don't escape '>' since that is used
+		// as direct child selector.
+		// Remember, in css, there is no "x" for hexadecimal escapes, and
+		// the space immediately after an escape sequence is swallowed.
+		$contents = strtr( $contents, [
+			'<' => '\3C ',
+			// CDATA end tag for good measure, but the main security
+			// is from escaping the '<'.
+			']]>' => '\5D\5D\3E '
+		] );
+
 		if ( preg_match( '/[<&]/', $contents ) ) {
 			$contents = "/*<![CDATA[*/$contents/*]]>*/";
 		}