*/
$wgUseSiteCss = true;
+/**
+ * CSS that is disallowed by the sanitizer, as a regular expression.
+ */
+$wgDisallowedCss = '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+!ix';
+
/**
* Break out of framesets. This can be used to prevent clickjacking attacks,
* or to prevent external sites from framing your site with ads.
* @return string
*/
static function checkCss( $value ) {
+ global $wgDisallowedCss;
+
// Decode character references like {
$value = Sanitizer::decodeCharReferences( $value );
// Reject problematic keywords and control characters
if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
return '/* invalid control char */';
- } elseif ( preg_match(
- '! expression
- | filter\s*:
- | accelerator\s*:
- | -o-link\s*:
- | -o-link-source\s*:
- | -o-replace\s*:
- | url\s*\(
- | image\s*\(
- | image-set\s*\(
- !ix', $value ) ) {
- return '/* insecure input */';
+ } else {
+ if ( $wgDisallowedCss ) {
+ if ( preg_match( $wgDisallowedCss, $value ) ) {
+ return '/* insecure input */';
+ }
+ }
}
return $value;
}
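Review bot: A configured pattern that does not compile makes the check fail open: preg_match() returns false for an invalid pattern, so the new `if ( preg_match( $wgDisallowedCss, $value ) )` branch never rejects and the value is returned unchanged. Treating anything other than a clean non-match as a hit keeps the failure closed, e.g. `$matched = preg_match( $wgDisallowedCss, $value ); if ( $matched !== 0 ) { return '/* insecure input */'; }`, so a broken LocalSettings regex rejects input instead of silently disabling the blocklist. The outer `if ( $wgDisallowedCss )` guard likewise switches the whole check off for any falsy value ('' or '0'); if that is the intended way to disable it, the doc comment on $wgDisallowedCss in the DefaultSettings hunk above should say so, and should state that the value must carry its own delimiters and the `ix` modifiers like the default does. The `else { if { if } }` nesting can be flattened to a single `} elseif ( $wgDisallowedCss && ... ) {` in the same shape as the control-character branch.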