*/
$wgUseSiteCss = true;
-/**
- * CSS that is disallowed by the sanitizer, as a regular expression.
- */
-$wgDisallowedCss = '! expression
- | filter\s*:
- | accelerator\s*:
- | -o-link\s*:
- | -o-link-source\s*:
- | -o-replace\s*:
- | url\s*\(
- | image\s*\(
- | image-set\s*\(
-!ix';
-
/**
* Break out of framesets. This can be used to prevent clickjacking attacks,
* or to prevent external sites from framing your site with ads.
* @return string
*/
static function checkCss( $value ) {
- global $wgDisallowedCss;
-
// Decode character references like {
$value = Sanitizer::decodeCharReferences( $value );
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } else {
- if ( $wgDisallowedCss ) {
- if ( preg_match( $wgDisallowedCss, $value ) ) {
- return '/* insecure input */';
- }
- }
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
+ return '/* insecure input */';
}
return $value;
}
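Review bot: The inlined pattern in the new `elseif` is matched against `$value` after `decodeCharReferences()` only, so the keyword list is compared against literal spellings; CSS-level encodings of the same tokens (backslash escape sequences and `/* */` comment tokens between characters) are not normalized before the `preg_match`, which is the kind of gap a sanitizer of untrusted style text usually closes with a normalization step ahead of the keyword check, or at least documents. I would either add that step before the match or record the limitation in the function docblock, which starts outside this hunk, e.g. `* Keyword matching is literal: callers must not rely on this to catch escaped or comment-split spellings.` The docblock should also note that the disallowed list is now fixed in code since the `$wgDisallowedCss` setting removed in the earlier hunk no longer exists. As a point of style, a pattern this long reads better as a `private const` or a named static than as an inline argument to `preg_match`, and it would also make it unit-testable on its own.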