From d7889309ba18572267f9ec3d4a726cddee4bea3a Mon Sep 17 00:00:00 2001 From: Jens Frank Date: Sat, 17 Jan 2004 07:33:44 +0000 Subject: [PATCH] Bug#790303 - Fix javascript or external URL insertion in style= attributes --- includes/OutputPage.php | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 7006ab9709..2fb8e0f5dc 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -605,18 +605,27 @@ function getHTMLattrs () return $htmlattrs ; } -function fixTableTags ( $t ) +function fixTagAttributes ( $t ) { - if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-) - $htmlattrs = $this->getHTMLattrs() ; + if ( trim ( $t ) == "" ) return "" ; # Saves runtime ;-) + $htmlattrs = $this->getHTMLattrs() ; -# Strip non-approved attributes from the tag - $t = preg_replace( - "/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/e", - "(in_array(strtolower(\"\$1\"),\$htmlattrs)?(\"\$1\".((\"x\$3\" != \"x\")?\"=\$3\":'')):'')", - $t); + # Strip non-approved attributes from the tag + $t = preg_replace( + "/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/e", + "(in_array(strtolower(\"\$1\"),\$htmlattrs)?(\"\$1\".((\"x\$3\" != \"x\")?\"=\$3\":'')):'')", + $t); + # Strip javascript "expression" from stylesheets. Brute force approach: + # If anythin offensive is found, all attributes of the HTML tag are dropped + + if( preg_match( + "/style\\s*=.*(expression|tps*:\/\/|url\\s*\().*/is", + wfMungeToUtf8( $t ) ) ) + { + $t=""; + } - return trim ( $t ) ; + return trim ( $t ) ; } function doTableStuff ( $t ) @@ -632,7 +641,7 @@ function doTableStuff ( $t ) $fc = substr ( $x , 0 , 1 ) ; if ( "{|" == substr ( $x , 0 , 2 ) ) { - $t[$k] = "fixTableTags ( substr ( $x , 3 ) ) . ">" ; + $t[$k] = "
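Review bot: The re-indented `preg_replace` in fixTagAttributes still uses the `/e` modifier, so attribute text taken from page markup is substituted into a PHP expression (`"x\$3"`, `"=\$3"`) and evaluated; the escaping PHP applies to `/e` backreferences covers quotes and backslashes, not everything a double-quoted string interprets. Replacing it with `preg_replace_callback` and a small method, as sketched below, should keep the same output without evaluating input as code. The new `style=` test is also a denylist over the text as written: CSS backslash escapes and `/* */` comments are not normalised before matching, and which character references `wfMungeToUtf8` decodes is not visible in this hunk, so an allowlist of permitted properties and value shapes would be sturdier. `tps*:` was presumably meant to be `tps?:`.

```php
function fixTagAttributes ( $t )
{
	# … unchanged: empty-input shortcut …

	# Strip non-approved attributes from the tag; no /e, so input is never evaluated
	$t = preg_replace_callback(
		"/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/",
		array( &$this, 'keepApprovedAttribute' ),
		$t );

	# … unchanged: style= check and return trim ( $t ) …
}

# Callback for fixTagAttributes: returns the attribute unchanged if its
# name is on the approved list, otherwise an empty string.
function keepApprovedAttribute ( $m )
{
	if ( !in_array( strtolower( $m[1] ), $this->getHTMLattrs() ) ) return "" ;
	# Group 3 is absent when the attribute has no value
	if ( isset( $m[3] ) && $m[3] != "" ) return $m[1] . "=" . $m[3] ;
	return $m[1] ;
}
```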
fixTagAttributes ( substr ( $x , 3 ) ) . ">" ; array_push ( $td , false ) ; array_push ( $ltd , "" ) ; array_push ( $tr , false ) ; @@ -666,7 +675,7 @@ function doTableStuff ( $t ) array_push ( $tr , false ) ; array_push ( $td , false ) ; array_push ( $ltd , "" ) ; - array_push ( $ltr , $this->fixTableTags ( $x ) ) ; + array_push ( $ltr , $this->fixTagAttributes ( $x ) ) ; } else if ( "|" == $fc || "!" == $fc || "|+" == substr ( $x , 0 , 2 ) ) # Caption { @@ -696,7 +705,7 @@ function doTableStuff ( $t ) array_push ( $ltd , $l ) ; $y = explode ( "|" , $theline , 2 ) ; if ( count ( $y ) == 1 ) $y = "{$z}<{$l}>{$y[0]}" ; - else $y = $y = "{$z}<{$l} ".$this->fixTableTags($y[0]).">{$y[1]}" ; + else $y = $y = "{$z}<{$l} ".$this->fixTagAttributes($y[0]).">{$y[1]}" ; $t[$k] .= $y ; array_push ( $td , true ) ; } @@ -1343,14 +1352,12 @@ $t[] = "
" ; array_push( $tagstack, $t ); } # Strip non-approved attributes from the tag - $newparams = preg_replace( - "/(\\w+)(\\s*=\\s*([^\\s\">]+|\"[^\">]*\"))?/e", - "(in_array(strtolower(\"\$1\"),\$htmlattrs)?(\"\$1\".((\"x\$3\" != \"x\")?\"=\$3\":'')):'')", - $params); + $newparams = $this->fixTagAttributes($params); + } if ( ! $badtag ) { $rest = str_replace( ">", ">", $rest ); - $text .= "<$slash$t$newparams$brace$rest"; + $text .= "<$slash$t $newparams$brace$rest"; continue; } } -- 2.20.1
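Review bot: The output line now always emits a space after the tag name (`"<$slash$t $newparams$brace$rest"`), so a tag with no surviving attributes — presumably including closing tags — is written with a stray space before the bracket. Prepending the space only when something is left would keep attribute-less tags as they were, e.g. `if ( $newparams != "" ) $newparams = " " . $newparams;`. The enclosing function starts and ends outside the hunk, so how `$params` is populated for closing tags could not be checked from here.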