Opera will execute javascript from -o-link css attributes.
Bug: 58472
Change-Id: I3b640282ca1feeb175b095e9fdc4dc3ceff05e0f
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
} elseif ( preg_match(
- '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix',
- $value
- ) ) {
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
return '/* insecure input */';
}
return $value;
!! end
+!! test
+Opera -o-link CSS
+!! input
+<div
+title="data:text/html,<img src=1 onerror=alert(1)>"
+style="-o-link:attr(title);-o-link-source:current">X</div>
+!! result
+<div title="data:text/html,<img src=1 onerror=alert(1)>" style="/* insecure input */">X</div>
+
+!! end
+
!! test
MSIE CSS safety test: Repetition markers
!! input