X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/banques/?a=blobdiff_plain;f=includes%2FSanitizer.php;h=fbf3234407d8811df435ef94350ba5b014d333db;hb=1e5391c1c957bb2383a7e98d79e0138239cfb616;hp=cd936f3f0a0f15b6aa124dbeadef790fbce96c9f;hpb=e69c4c495efca54aa70e2d2368bd9fbcb38ab81e;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index cd936f3f0a..fbf3234407 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -963,7 +963,8 @@ class Sanitizer {
 		$value = self::normalizeCss( $value );
 
 		// Reject problematic keywords and control characters
-		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
+		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ||
+			strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false ) {
 			return '/* invalid control char */';
 		} elseif ( preg_match(
 			'! expression
@@ -1393,15 +1394,19 @@ class Sanitizer {
 	}
 
 	/**
-	 * Returns true if a given Unicode codepoint is a valid character in XML.
+	 * Returns true if a given Unicode codepoint is a valid character in
+	 * both HTML5 and XML.
 	 * @param int $codepoint
 	 * @return bool
 	 */
 	private static function validateCodepoint( $codepoint ) {
+		# U+000C is valid in HTML5 but not allowed in XML.
+		# U+000D is valid in XML but not allowed in HTML5.
+		# U+007F - U+009F are disallowed in HTML5 (control characters).
 		return $codepoint == 0x09
 			|| $codepoint == 0x0a
-			|| $codepoint == 0x0d
-			|| ( $codepoint >= 0x20 && $codepoint <= 0xd7ff )
+			|| ( $codepoint >= 0x20 && $codepoint <= 0x7e )
+			|| ( $codepoint >= 0xa0 && $codepoint <= 0xd7ff )
 			|| ( $codepoint >= 0xe000 && $codepoint <= 0xfffd )
 			|| ( $codepoint >= 0x10000 && $codepoint <= 0x10ffff );
 	}
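Review bot: The comment `// Reject problematic keywords and control characters` above the added condition no longer describes the branch, since the new `strpos( $value, UtfNormal\Constants::UTF8_REPLACEMENT ) !== false` test also rejects U+FFFD, and the `/* invalid control char */` placeholder is now returned for that case as well. Presumably U+FFFD is what the preceding `self::normalizeCss( $value )` leaves behind for malformed input, and rejecting it prevents malformed bytes from reaching the later keyword checks in a laundered form; that rationale is worth recording next to the check. Suggested comment: `// Reject control characters, and U+FFFD (presumably left behind by normalizeCss() in place of malformed input — confirm)`. The enclosing method begins before and ends after this hunk.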
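Review bot: The updated docblock says the codepoint is `valid in both HTML5 and XML`, but the ranges kept on the new side (`0xa0..0xd7ff`, `0xe000..0xfffd`, `0x10000..0x10ffff`) still accept the Unicode noncharacters (U+FDD0–U+FDEF and U+nFFFE/U+nFFFF in the supplementary planes), which the HTML5 character-reference rules treat as parse errors while XML 1.0 allows them; either the docblock should narrow its claim (e.g. `valid, non-control, non-surrogate character in both HTML5 and XML`) or those ranges should be excluded, depending on what callers rely on. Separately, the function is documented as taking `int`, so the remaining `==` comparisons could be `===` if callers can only pass ints — hedged, since the call sites are outside this hunk. validateCodepoint is fully contained in the hunk.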
@@ -1803,6 +1808,11 @@ class Sanitizer { $host = preg_replace( $strip, '', $host ); + // IPv6 host names are bracketed with []. Url-decode these. + if ( substr_compare( "//%5B", $host, 0, 5 ) === 0 && preg_match( '!^//%5B(.*?)%5D((:\d+)?)$!', $host, $matches ) ) { + $host = '//[' . $matches[1] . ']' . $matches[2]; + } + // @todo FIXME: Validate hostnames here return $protocol . $host . $rest;