X-Git-Url: http://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=bca2f67e91386be4a76d2d06f7a0a17e0fb883fc;hb=cbdb81d1bc256caa87ac9e7fa857b8a800347905;hp=2cdbe15f2c0481657b733ec9e301430f0d296c57;hpb=db6b2cb3c252479ed6e9cf80100c3802528bd45f;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 2cdbe15f2c..bca2f67e91 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -832,24 +832,16 @@ class Sanitizer {
 }
 /**
- * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string. This sanitized string will have
- * character references and escape sequences decoded and comments
- * stripped (unless it is itself one valid comment, in which case the value
- * will be passed through). If the input is just too evil, only a comment
- * complaining about evilness will be returned.
- *
- * Currently URL references, 'expression', 'tps' are forbidden.
- *
- * NOTE: Despite the fact that character references are decoded, the
- * returned string may contain character references given certain
- * clever input strings. These character references must
- * be escaped before the return value is embedded in HTML.
- *
- * @param string $value
- * @return string
+ * Normalize CSS into a format we can easily search for hostile input
+ * - decode character references
+ * - decode escape sequences
+ * - convert characters that IE6 interprets into ascii
+ * - remove comments, unless the entire value is one single comment
+ * @param string $value the css string
+ * @return string normalized css
 */
- static function checkCss( $value ) {
+ public static function normalizeCss( $value ) {
+ // Decode character references like {
 $value = Sanitizer::decodeCharReferences( $value );
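Review bot: The new docblock for normalizeCss() no longer carries the warning that the decoded output may still contain character references and must be escaped before being embedded in HTML, even though the method is now `public static` and returns CSS that has been decoded but not screened for the constructs checkCss() rejects. Suggest adding to the new docblock `* NOTE: the result is decoded but NOT checked; it is the intermediate form consumed by checkCss() and must be escaped before use in HTML.` The added comment `// Decode character references like {` appears to show its example already decoded; if an entity form was intended, the source is worth confirming. normalizeCss() continues past the end of this hunk.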
@@ -935,6 +927,31 @@ class Sanitizer {
 $value
 );
+ return $value;
+ }
+
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded and comments
+ * stripped (unless it is itself one valid comment, in which case the value
+ * will be passed through). If the input is just too evil, only a comment
+ * complaining about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
+ * @param string $value
+ * @return string
+ */
+ static function checkCss( $value ) {
+ $value = self::normalizeCss( $value );
+
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
@@ -1097,8 +1114,9 @@ class Sanitizer {
 global $wgExperimentalHtmlIds;
 $options = (array)$options;
+ $id = Sanitizer::decodeCharReferences( $id );
+
 if ( $wgExperimentalHtmlIds && !in_array( 'legacy', $options ) ) {
- $id = Sanitizer::decodeCharReferences( $id );
 $id = preg_replace( '/[ \t\n\r\f_\'"&#%]+/', '_', $id );
 $id = trim( $id, '_' );
 if ( $id === '' ) {
@@ -1115,7 +1133,7 @@ class Sanitizer {
 '%' => '.'
 );
- $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
+ $id = urlencode( strtr( $id, ' ', '_' ) );
 $id = str_replace( array_keys( $replace ), array_values( $replace ), $id );
 if ( !preg_match( '/^[a-zA-Z]/', $id )
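Review bot: `static function checkCss( $value ) {` is re-added without an explicit visibility while its new sibling in the first hunk is declared `public static function normalizeCss( $value )`; suggest `public static function checkCss( $value ) {` so the pair reads consistently. The two added blank lines between the closing `}` of normalizeCss() and the `/**` of checkCss() should be a single blank line. The docblock was moved verbatim and still describes reference decoding and comment stripping as if checkCss() did them itself; a line such as `* Normalization (reference/escape decoding, comment stripping) is delegated to normalizeCss(); the checks below operate on that form.` would tell a reader where the screening actually starts. checkCss() continues past the end of this hunk.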
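Review bot: Hoisting `$id = Sanitizer::decodeCharReferences( $id );` above the branch changes what the legacy path produces for a reference that decodes to a space (e.g. `&#32;`, assuming decodeCharReferences() yields a plain space): previously `strtr( $id, ' ', '_' )` ran on the still-encoded string and the decoded space reached `urlencode()`, whereas now it is turned into `_` before encoding. If that is intended, a test pinning the new result for such an input would make the change explicit, since it alters generated fragment identifiers; if not, the legacy branch in the last hunk (`-1115,7 +1133,7`) would need to keep the old order. The enclosing function's signature is outside this hunk, which starts at `global $wgExperimentalHtmlIds;`.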