Preemptively add css3's image() to our css sanitizer.
authorDaniel Friesen <pub-github@nadir-seen-fire.com>
Fri, 21 Sep 2012 16:51:08 +0000 (09:51 -0700)
committerGerrit Code Review <gerrit@wikimedia.org>
Wed, 26 Sep 2012 05:24:16 +0000 (05:24 +0000)
- Adding this now even though no browser supports it so that when one does it doesn't become a way to bypass our url() filter.
- Including missing tests for all of our insecure input filters.
- Also make sure that vendor-prefixed versions like -webkit-image() are caught, because most browsers will probably implement a vendor-prefixed version first.

Change-Id: If73aa98b8accdb7621b0e4ff0615b61d530fa547

includes/Sanitizer.php
tests/phpunit/includes/SanitizerTest.php

index 224b2d1..6358540 100644 (file)
@@ -912,7 +912,7 @@ class Sanitizer {
                // Reject problematic keywords and control characters
                if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
                        return '/* invalid control char */';
-               } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( !ix', $value ) ) {
+               } elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( !ix', $value ) ) {
                        return '/* insecure input */';
                }
                return $value;
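Review bot: The `image\s*\(` alternative added on line 21 only catches `-webkit-image(` and `-moz-image(` because the pattern is unanchored and the `x` modifier discards the spaces around each alternative, and nothing in the hunk records that this is deliberate; a later tidy-up that adds `\b` or trims the alternation would silently reopen the vendor-prefixed case the commit message says it is closing. I would put a comment directly above the `elseif`, e.g. `// Unanchored on purpose: vendor-prefixed forms such as -webkit-image( must match too`. The same reasoning presumably applies to other URL-taking image functions such as `image-set(`, which the new alternative does not cover; whether that is in scope here I cannot tell from the hunk. The enclosing method starts before the hunk, so how `$value` is decoded before this check is not visible.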
index d67f905..ac9971e 100644 (file)
@@ -182,6 +182,12 @@ class SanitizerTest extends MediaWikiTestCase {
                                'Remove anything after a comment-start token' ),
                        array( '', "\\2f\\2a unifinished comment'",
                                'Remove anything after a backslash-escaped comment-start token' ),
+                       array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'),
+                       array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'),
+                       array( '/* insecure input */', 'width: expression(1+1);'),
+                       array( '/* insecure input */', 'background-image: image(asdf.png);'),
+                       array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
+                       array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),
                );
        }
 }
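Review bot: The six new data rows on lines 30–35 omit the third element that the surrounding rows (lines 27 and 29) carry, so a failure in any of them will be reported without the descriptive message the rest of the provider gives. I would add one per row, for example `array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);', 'Reject vendor-prefixed image()' ),`, and keep the space before the closing parenthesis to match the existing rows. The data provider and the test method that consumes it both start outside the hunk, so I cannot confirm how the third element is used from here.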