From 8781f25c74b9759c36e2c57eb14601daf2436b28 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Thu, 6 Oct 2005 02:38:26 +0000 Subject: [PATCH] * Blacklist additional MSIE CSS safety tricks --- RELEASE-NOTES | 2 ++ includes/Sanitizer.php | 18 ++++++++++++----- maintenance/parserTests.txt | 40 +++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 5 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index e273039b5c..eb6ec7a8c3 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -129,6 +129,8 @@ fully support the editing toolbar, but was found to be too confusing. * (bug 3595) Warn and abort if importDump.php called in read-only mode. * (bug 3598) Update message cache on message page deletion, patch by Tietew * Added separate newarticletext messages for logged in and anon users. +* Blacklist additional MSIE CSS safety tricks + === Caveats === diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index e0217ba5eb..a543960e3c 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php @@ -554,11 +554,19 @@ class Sanitizer { # Strip javascript "expression" from stylesheets. # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp - if( $attribute == 'style' && preg_match( - '/(expression|tps*:\/\/|url\\s*\().*/is', - Sanitizer::decodeCharReferences( $value ) ) ) { - # haxx0r - continue; + if( $attribute == 'style' ) { + // Remove any comments; IE gets token splitting wrong + $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value ); + + $stripped = Sanitizer::decodeCharReferences( $value ); + $stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e', + 'codepointToUtf8(hexdec("$1"))', $stripped ); + $stripped = str_replace( '\\', '', $stripped ); + if( preg_match( '/(expression|tps*:\/\/|url\\s*\().*/is', + $stripped ) ) { + # haxx0r + continue; + } } # Templates and links may be expanded in later parsing, diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt index fa40448c69..a967ddb201 100644 
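Review bot: In the new `style` branch the comment stripper runs on the raw `$value` before `Sanitizer::decodeCharReferences` is applied, so a comment whose `/*` or `*/` is written as a character reference is not removed, is decoded into `$stripped` afterwards (assuming `decodeCharReferences` turns numeric references back into characters, as its name suggests), and still splits the keyword the final `preg_match` looks for — the same token-splitting case the `comment in expression` parser test covers, only encoded. Decoding first and then stripping closes that gap: `$stripped = Sanitizer::decodeCharReferences( $value );` followed by `$stripped = preg_replace( '!/\\*.*?\\*/!Ss', ' ', $stripped );` before the hex-escape pass, where the added `s` modifier matters because a decoded reference can put a newline inside the comment and `.` otherwise stops there. The `e` modifier on the hex-escape replace evaluates `'codepointToUtf8(hexdec("$1"))'` as PHP; the capture is limited to hex digits so nothing else reaches it, but `preg_replace_callback` expresses the same decode without eval. The loop that `continue` targets starts outside the hunk, and the new parserTests.txt cases exercise only literal comments, not reference-encoded ones.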
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2741,6 +2741,46 @@ Nested template calls

!! end + +# More MSIE fun discovered by Tom Gilder + +!! test +MSIE CSS safety test: spurious slash +!! input +
evil
+!! result +
evil
+ +!! end + +!! test +MSIE CSS safety test: hex code +!! input +
evil
+!! result +
evil
+ +!! end + +!! test +MSIE CSS safety test: comment in url +!! input +
evil
+!! result +
evil
+ +!! end + +!! test +MSIE CSS safety test: comment in expression +!! input +
evil4
+!! result +
evil4
+ +!! end + + TODO: more images more tables -- 2.20.1