This Sanitizer::EVIL_URI_PATTERN is completely inadequate for actual security as...

Since it's only used right now for paranoia in cases you currently can't actually exploit a browser we let it slide.
However this thing needs a big fat warning message next to it to avoid someone thinking this is actually a good idea for security and ending up later on using it and opening up an XSS hole in core.

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 7848abd..118f170 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -39,6 +39,14 @@ class Sanitizer {
                 |&\#[xX]([0-9A-Fa-f]+);
                 |(&)/x';
 
+       /**
+        * Blacklist for evil uris like javascript:
+        * WARNING: DO NOT use this in any place that actually requires blacklisting
+        * for security reasons. There are NUMEROUS[1] ways to bypass blacklisting, the
+        * only way to be secure from javascript: uri based xss vectors is to whitelist
+        * things that you know are safe and deny everything else.
+        * [1]: http://ha.ckers.org/xss.html
+        */
        const EVIL_URI_PATTERN = '!(^|\s|\*/\s*)(javascript|vbscript)([^\w]|$)!i';
        const XMLNS_ATTRIBUTE_PATTERN = "/^xmlns:[:A-Z_a-z-.0-9]+$/";