CSS3 seems like it will extend the attr() function which can interpret
an attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."
Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.
Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
| url\s*\(
| image\s*\(
| image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
!ix', $value ) ) {
return '/* insecure input */';
}
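Review bot: The new alternative `attr\s*\([^)]+[\s,]+url` has no boundary after `url`, so it also rejects any attr() call whose type or fallback merely begins with those letters (for example `attr( title, urlfoo )`). If that over-blocking is intentional for a sanitizer, say so in a comment next to the pattern; otherwise end the branch with `url\b`. The branch is also the only one in this list that depends on argument order and separators, so a short comment citing the CSS3 attr() type syntax it targets would help whoever has to revisit it once browsers implement the feature.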
'/* insecure input */',
'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
],
+ [ '/* insecure input */', 'foo: attr( title, url );' ],
+ [ '/* insecure input */', 'foo: attr( title url );' ],
];
}
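Review bot: The two added cases only assert the rejecting path, for the comma and the space separator. There is no case among the added lines showing that a plain `attr( title )` still passes through unchanged, so a regression that makes the new branch reject every attr() call would not be caught. Consider adding that negative case, plus one mixed-case input such as `ATTR( title URL )` and one with a newline between the arguments, since the pattern relies on the `i` modifier and on `\s` to cover those.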