Breaking out disallowed CSS into a global variable
[lhc/web/wiklou.git] / includes / DefaultSettings.php
index 11196ae..70978f1 100644 (file)
@@ -2981,6 +2981,20 @@ $wgUseSiteJs = true;
  */
 $wgUseSiteCss = true;
 
+/**
+ * CSS that is disallowed by the sanitizer, as a regular expression.
+ */
+$wgDisallowedCss = '! expression
+       | filter\s*:
+       | accelerator\s*:
+       | -o-link\s*:
+       | -o-link-source\s*:
+       | -o-replace\s*:
+       | url\s*\(
+       | image\s*\(
+       | image-set\s*\(
+!ix';
+
 /**
  * Break out of framesets. This can be used to prevent clickjacking attacks,
  * or to prevent external sites from framing your site with ads.
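Review bot: The docblock added for `$wgDisallowedCss` does not say that the value is a security control or what form it must take, even though it is a complete PCRE pattern with `!` delimiters and the `ix` flags. An override that supplies a bare fragment, contains a literal `!`, or relies on whitespace (which the `x` flag ignores) would yield an invalid or silently narrower pattern. The code that consumes the global is outside this hunk, so it should be confirmed there that a `preg_match()` return of `false` is treated as disallowed rather than as no match. I would add a line such as `* Security-sensitive: must be a complete PCRE pattern (delimiters and flags included); removing alternatives weakens style sanitization.` and note that overrides should extend the list rather than replace it.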