* (bug 3595) Warn and abort if importDump.php called in read-only mode.
* (bug 3598) Update message cache on message page deletion, patch by Tietew
* Added separate newarticletext messages for logged in and anon users.
+* Blacklist additional MSIE CSS safety tricks
+
=== Caveats ===
# Strip javascript "expression" from stylesheets.
# http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
- if( $attribute == 'style' && preg_match(
- '/(expression|tps*:\/\/|url\\s*\().*/is',
- Sanitizer::decodeCharReferences( $value ) ) ) {
- # haxx0r
- continue;
+ if( $attribute == 'style' ) {
+ // Remove any comments; IE gets token splitting wrong
+ $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value );
+
+ $stripped = Sanitizer::decodeCharReferences( $value );
+ $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
+ 'codepointToUtf8(hexdec("$1"))', $stripped );
+ $stripped = str_replace( '\\', '', $stripped );
+ if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is',
+ $stripped ) ) {
+ # haxx0r
+ continue;
+ }
}
# Templates and links may be expanded in later parsing,
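Review bot: The comment-stripping pattern on the first added line, `'!/\\*.*?\\*/!S'`, carries no `s` modifier, so `.*?` stops at a newline and a comment that spans lines is left in the value, even though the hex-escape pattern two lines later explicitly expects `\n`/`\r` in the same value; `$value = preg_replace( '!/\\*.*?\\*/!sS', ' ', $value );` makes the strip cover the same input the rest of the block handles. The `e` modifier on the hex-escape `preg_replace` evaluates the replacement string as PHP; `$1` is confined to `[0-9A-Fa-f]{1,6}` by the pattern, so there is no injection path here, but `preg_replace_callback` with a small named helper returning `codepointToUtf8( hexdec( $m[1] ) )` would remove the eval entirely and deserves at least a comment saying why it is safe as written. The `if( $attribute == 'style' )` branch sits inside a loop whose enclosing function starts and ends outside the hunk.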
</p>
!! end
+
+# More MSIE fun discovered by Tom Gilder
+
+!! test
+MSIE CSS safety test: spurious slash
+!! input
+<div style="background-image:u\rl(javascript:alert('boo'))">evil</div>
+!! result
+<div>evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: hex code
+!! input
+<div style="background-image:u\72l(javascript:alert('boo'))">evil</div>
+!! result
+<div>evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in url
+!! input
+<div style="background-image:u/**/rl(javascript:alert('boo'))">evil</div>
+!! result
+<div style="background-image:u rl(javascript:alert('boo'))">evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in expression
+!! input
+<div style="background-image:expres/**/sion(alert('boo4'))">evil4</div>
+!! result
+<div style="background-image:expres sion(alert('boo4'))">evil4</div>
+
+!! end
+
+
TODO:
more images
more tables