From ad4f512c7452d91c7743de1dbbfad470a1226b9f Mon Sep 17 00:00:00 2001
From: DanielRenfro
Date: Fri, 4 Jul 2014 23:29:11 -0400
Subject: [PATCH] Breaking out disallowed CSS into a global variable
Bug: 11106
Change-Id: Iac6e9a3b1d0265dbd159509dd8938bddeb6f3bba
---
 includes/DefaultSettings.php | 14 ++++++++++++++
 includes/Sanitizer.php | 20 ++++++++------------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 11196ae109..70978f1640 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -2981,6 +2981,20 @@ $wgUseSiteJs = true;
 */
 $wgUseSiteCss = true;
 
+/**
+ * CSS that is disallowed by the sanitizer, as a regular expression.
+ */
+$wgDisallowedCss = '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+!ix';
+
 /**
 * Break out of framesets. This can be used to prevent clickjacking attacks,
 * or to prevent external sites from framing your site with ads.
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 6a568c2d0c..75812f2f05 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -849,6 +849,8 @@ class Sanitizer {
 * @return string
 */
 static function checkCss( $value ) {
+ global $wgDisallowedCss;
+
 // Decode character references like {
 $value = Sanitizer::decodeCharReferences( $value );
 
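Review bot: The docblock on `$wgDisallowedCss` says only that it is "a regular expression" and leaves out the two facts an administrator editing it needs: assigning a new value in site configuration replaces the whole default list rather than extending it, and (per the Sanitizer.php hunk in this same patch) a false or empty value makes checkCss() skip the rejection entirely. The pattern is also applied with preg_match() to a style value that has already had character references decoded, so the delimiters and the `ix` modifiers are part of the contract, not a formatting choice. Suggest extending the docblock with ` * Must be a complete PCRE pattern including delimiters; it is matched with preg_match() against the decoded style value.` and ` * Overriding this replaces the default list rather than adding to it; a false or empty value disables the check.`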
@@ -937,18 +939,12 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } elseif ( preg_match(
- '! expression
- | filter\s*:
- | accelerator\s*:
- | -o-link\s*:
- | -o-link-source\s*:
- | -o-replace\s*:
- | url\s*\(
- | image\s*\(
- | image-set\s*\(
- !ix', $value ) ) {
- return '/* insecure input */';
+ } else {
+ if ( $wgDisallowedCss ) {
+ if ( preg_match( $wgDisallowedCss, $value ) ) {
+ return '/* insecure input */';
+ }
+ }
 }
 return $value;
 }
-- 
2.20.1
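Review bot: The new `else` branch fails open where the removed unconditional `elseif` did not: a false or empty `$wgDisallowedCss` skips the rejection and falls through to `return $value;`, and a site-configured pattern that does not compile makes `preg_match()` return false, which the bare truthiness test `if ( preg_match( ... ) )` treats exactly like "no match". Since this is the last check before the style value is returned, a broken pattern should reject rather than allow, which `!== 0` gives for free because false is not 0. The three nested blocks can also collapse back into the previous single-branch shape: `} elseif ( $wgDisallowedCss && preg_match( $wgDisallowedCss, $value ) !== 0 ) {` / `return '/* insecure input */';` / `}`. If deliberately disabling the check via a false value is not intended, drop the `$wgDisallowedCss &&` guard and let the missing pattern reject as well; checkCss's signature and the earlier part of its body are outside this hunk.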