From 22b0fc2f103bb3ee348e1af588311eda801129a3 Mon Sep 17 00:00:00 2001
From: Daniel Friesen
Date: Sun, 14 Aug 2011 14:59:26 +0000
Subject: [PATCH] This Sanitizer::EVIL_URI_PATTERN is completely inadequate for actual security as there are numerious ways to bypass blacklisting. Since it's only used right now for paranoia in cases you currently can't actually exploit a browser we let it slide. However this thing needs a big fat warning message next to it to avoid someone thinking this is actually a good idea for security and ending up later on using it and opening up an XSS hole in core.
---
 includes/Sanitizer.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 7848abdb17..118f170b0d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -39,6 +39,14 @@ class Sanitizer {
 |&\#[xX]([0-9A-Fa-f]+);
 |(&)/x';
+ /**
+ * Blacklist for evil uris like javascript:
+ * WARNING: DO NOT use this in any place that actually requires blacklisting
+ * for security reasons. There are NUMEROUS[1] ways to bypass blacklisting, the
+ * only way to be secure from javascript: uri based xss vectors is to whitelist
+ * things that you know are safe and deny everything else.
+ * [1]: http://ha.ckers.org/xss.html
+ */
 const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i';
 const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/";
-- 
2.20.1
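Review bot: The new docblock on EVIL_URI_PATTERN warns against relying on the pattern but names no safe alternative, so a reader still has to discover the allowlist approach on their own; a closing line such as `* Callers that need real protection must validate the URL scheme against an allowlist of known-safe protocols instead.` would make the warning actionable, and naming the project's configured protocol list (if that is what the safe callers use) would be better still. The warning is also prose only: a machine-readable tag such as `@internal` next to it would let documentation tooling and IDEs surface the restriction at the use site, if the project's doc conventions support that tag. Since the pattern stays in use, stating in the docblock which callers are considered acceptable (the paranoia-only cases the commit message describes) would let a future reviewer tell an intended use from a misuse. The enclosing class Sanitizer starts before and continues after this hunk.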