From a7ebf2c424fb147777abfe401d220ae1969bd4ca Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Wed, 26 Oct 2005 01:57:56 +0000
Subject: [PATCH] * Sanitizer CSS comment processing order fix
---
RELEASE-NOTES | 1 +
includes/Sanitizer.php | 7 +++++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index ce8c818fd6..55ba21f0aa 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -170,6 +170,7 @@ fully support the editing toolbar, but was found to be too confusing.
* (bug 3786) Experimental support for MySQL 4.1/5.0 utf8 charset mode NOTE: Enabling this may break existing wikis, and still doesn't work for all Unicode characters due to MySQL limitations.
+* Sanitizer CSS comment processing order fix
=== Caveats ===
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index a543960e3c..4e478c6c75 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -555,10 +555,13 @@ class Sanitizer {
# Strip javascript "expression" from stylesheets. # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
if( $attribute == 'style' ) {
+ $stripped = Sanitizer::decodeCharReferences( $value );
+ // Remove any comments; IE gets token splitting wrong
- $value = preg_replace( '!/\\*.*?\\*/!S', ' ', $value );
+ $stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );
+ $value = htmlspecialchars( $stripped );
- $stripped = Sanitizer::decodeCharReferences( $value );
+ // ... and continue checks
$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e', 'codepointToUtf8(hexdec("$1"))', $stripped );
$stripped = str_replace( '\\', '', $stripped );
--
2.20.1
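Review bot: The comment-stripping pattern on the added `$stripped = preg_replace( '!/\\*.*?\\*/!S', ' ', $stripped );` line has no `s` modifier, so `.` stops at a newline and a comment that spans lines stays in both `$stripped` and the re-encoded `$value`; now that character references are decoded first, a line break can presumably also arrive as a numeric reference. I would use `'!/\\*.*?\\*/!sS'` there and note in the comment above it that an unterminated `/*` is left in place. The strip also still runs before the backslash-escape decoding on the context lines below, so the checks that follow see text where comment removal has not been repeated after unescaping; running the same `preg_replace` once more on `$stripped` after the `str_replace` would cover the checked copy. `htmlspecialchars( $stripped )` is called with its default flags, which in this PHP generation leave single quotes unescaped, so it is worth confirming that the attribute is always emitted inside double quotes. The enclosing `if` block continues past the end of the hunk.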