* (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode
NOTE: Enabling this may break existing wikis, and still doesn't
work for all Unicode characters due to MySQL limitations.
+* Sanitizer CSS comment processing order fix
=== Caveats ===
# Strip javascript "expression" from stylesheets.
# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
if( $attribute == 'style' ) {
+ $stripped = Sanitizer::decodeCharReferences( $value );
+
// Remove any comments; IE gets token splitting wrong
- $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value );
+ $stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );
+ $value = htmlspecialchars( $stripped );
- $stripped = Sanitizer::decodeCharReferences( $value );
+ // ... and continue checks
$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
'codepointToUtf8(hexdec("$1"))', $stripped );
$stripped = str_replace( '\\', '', $stripped );
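Review bot: The comment-stripping pattern on the added `$stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );` line has no `s` modifier, so `.` stops at a newline and a CSS comment that spans lines is left in place. Because character references are now decoded before this step, `$stripped` can contain line breaks that the raw attribute text did not, and the surviving comment ends up both in the re-encoded `$value` and in the string the later checks inspect. I would change the pattern to `'!/\\*.*?\\*/!sS'` and also decide explicitly how an unterminated `/*` is handled, since the pattern does not match it either. A short comment above `$value = htmlspecialchars( $stripped );` should say that `$value` is the comment-free text that gets output, while `$stripped` is only a normalised copy used for checking. The enclosing `if` block continues past the visible lines, so the checks that consume `$stripped` cannot be reviewed from this hunk.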