* Sanitizer CSS comment processing order fix

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index ce8c818..55ba21f 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -170,6 +170,7 @@ fully support the editing toolbar, but was found to be too confusing.
 * (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode
   NOTE: Enabling this may break existing wikis, and still doesn't
   work for all Unicode characters due to MySQL limitations.
+* Sanitizer CSS comment processing order fix
 
 
 === Caveats ===

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index a543960..4e478c6 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -555,10 +555,13 @@ class Sanitizer {
                        # Strip javascript "expression" from stylesheets.
                        # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
                        if( $attribute == 'style' ) {
+                               $stripped = Sanitizer::decodeCharReferences( $value );
+                               
                                // Remove any comments; IE gets token splitting wrong
-                               $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value );
+                               $stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );
+                               $value = htmlspecialchars( $stripped );
                                
-                               $stripped = Sanitizer::decodeCharReferences( $value );
+                               // ... and continue checks
                                $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
                                        'codepointToUtf8(hexdec("$1"))', $stripped );
                                $stripped = str_replace( '\\', '', $stripped );