From: Krinkle Date: Fri, 18 Jul 2014 02:39:41 +0000 (+0000) Subject: Revert "Breaking out disallowed CSS into a global variable" X-Git-Tag: 1.31.0-rc.0~14898^2 X-Git-Url: https://git.cyclocoop.org/%7B%24www_url%7Dadmin/membres/message.php?a=commitdiff_plain;h=d2c5a1c6e706492444fa1049729688b25626693b;p=lhc%2Fweb%2Fwiklou.git Revert "Breaking out disallowed CSS into a global variable" This reverts commit ad4f512c7452d91c7743de1dbbfad470a1226b9f. Change-Id: I1dbb927997693d686b4677b9c2107be99dedd7b2 --- diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index 70978f1640..11196ae109 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -2981,20 +2981,6 @@ $wgUseSiteJs = true; */ $wgUseSiteCss = true; -/** - * CSS that is disallowed by the sanitizer, as a regular expression. - */ -$wgDisallowedCss = '! expression - | filter\s*: - | accelerator\s*: - | -o-link\s*: - | -o-link-source\s*: - | -o-replace\s*: - | url\s*\( - | image\s*\( - | image-set\s*\( -!ix'; - /** * Break out of framesets. This can be used to prevent clickjacking attacks, * or to prevent external sites from framing your site with ads. diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 75812f2f05..6a568c2d0c 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -849,8 +849,6 @@ class Sanitizer { * @return string */ static function checkCss( $value ) { - global $wgDisallowedCss; - // Decode character references like { $value = Sanitizer::decodeCharReferences( $value ); 
@@ -939,12 +937,18 @@ class Sanitizer {
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 return '/* invalid control char */';
- } else {
- if ( $wgDisallowedCss ) {
- if ( preg_match( $wgDisallowedCss, $value ) ) {
- return '/* insecure input */';
- }
- }
+ } elseif ( preg_match(
+ '! expression
+ | filter\s*:
+ | accelerator\s*:
+ | -o-link\s*:
+ | -o-link-source\s*:
+ | -o-replace\s*:
+ | url\s*\(
+ | image\s*\(
+ | image-set\s*\(
+ !ix', $value ) ) {
+ return '/* insecure input */';
 }
 return $value;
 }
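Review bot: The restored `elseif ( preg_match( ... ) )` treats a `false` return from preg_match (a PCRE error such as a backtrack-limit hit) the same as "no match", so on a matcher error the value falls through to `return $value;` and the blocklist fails open; for a sanitizer the safer shape is to pass the value only on an explicit non-match, e.g. `if ( preg_match( self::DISALLOWED_CSS, $value ) !== 0 ) { return '/* insecure input */'; }`. That also argues for naming the pattern as a class constant rather than inlining it back into the method: the revert keeps it non-configurable, which appears to be the intent, but a constant with a docblock can record which entries block legacy-browser script execution (`expression`, `filter:`, `accelerator:`, `-o-link`, `-o-link-source`, `-o-replace`) and which block outbound fetches (`url(`, `image(`, `image-set(`), and can be unit-tested on its own. checkCss begins before this hunk, where `decodeCharReferences` has already been applied to `$value`; the docblock should state that the pattern assumes that decoded input, since any other normalization performed earlier in the method is not visible here.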