From: csteipp Date: Wed, 11 Jun 2014 23:29:33 +0000 (-0700) Subject: Disallow css attr() with url type X-Git-Tag: 1.31.0-rc.0~5281^2 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/comptes/journal.php?a=commitdiff_plain;h=284173282d4fc25031b6ded0f696c46ecbf97338;p=lhc%2Fweb%2Fwiklou.git Disallow css attr() with url type CSS3 seems like it will extend the attr() function which can interpret attribute as different types, including 'url', which "...is interpreted as a quoted string within the ‘url()’ notation." Currently no browsers support this syntax yet, so submitting this as a normal non-security patch. Bug: T68404 Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 8f1fc99fcd..7cd21d81e2 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -1015,6 +1015,7 @@ class Sanitizer {
 | url\s*\(
 | image\s*\(
 | image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
 !ix', $value ) ) {
 return '/* insecure input */';
 }
diff --git a/tests/phpunit/includes/SanitizerTest.php b/tests/phpunit/includes/SanitizerTest.php
index 26529e871c..c915b70e1d 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@ class SanitizerTest extends MediaWikiTestCase {
 '/* insecure input */',
 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
 ],
+ [ '/* insecure input */', 'foo: attr( title, url );' ],
+ [ '/* insecure input */', 'foo: attr( title url );' ],
 ];
 }
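Review bot: The new alternative `| attr\s*\([^)]+[\s,]+url` matches `url` anywhere after whitespace or a comma inside the parentheses, not only in the type position, so a fallback such as `attr( title, "see url" )` is rejected as well. Over-blocking is the safe direction for this filter, but it should be recorded as deliberate; a comment above the `preg_match` call such as `// attr( x url ) would be treated like url() (T68404); the match is deliberately broad` would do. The pattern also assumes whitespace and commas are the only separators that can precede the type keyword, so it relies on comments and escapes having been normalised before this point, which the hunk does not show and should be confirmed. The `preg_match` call starts outside the hunk.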
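Review bot: Both added rows in SanitizerTest.php are lowercase, space-padded positives, so nothing pins the `i` flag, the no-space form, or that a plain `attr()` still passes the filter. I would add `[ '/* insecure input */', 'foo: attr(title,URL);' ]` and one negative row for `foo: attr( title );` whose expected value is whatever this provider yields for harmless input; that format is not visible in the hunk. The data provider starts outside the hunk.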