
bug66404.patch

Authored By
bzimport
Nov 22 2014, 3:13 AM
Size
977 B
Referenced Files
None
Subscribers
None


From 877627488c9e8edfd4db3c29da30da08bcc5876d Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 11 Jun 2014 16:29:33 -0700
Subject: [PATCH] SECURITY: Disallow css attr() with url type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CSS3 seems like it will extend the attr() function which can interpret
attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Bug: 66404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
---
includes/Sanitizer.php | 1 +
1 file changed, 1 insertion(+)
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 6a568c2..477b50d 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -947,6 +947,7 @@ class Sanitizer {
| url\s*\(
| image\s*\(
| image-set\s*\(
+ | attr\s*\([^)]+[\s,]+url
!ix', $value ) ) {
return '/* insecure input */';
}
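Review bot: The added alternative `attr\s*\([^)]+[\s,]+url` has no boundary after `url`, so it also rejects values where a later token merely begins with those letters, for example a fallback such as `attr(title, urlencoded)`. That errs on the safe side, but appending `\b` after `url` would keep the rule to the type keyword the commit message describes. The match also requires literal whitespace or a comma directly before `url`, so it only holds if CSS comments and backslash escapes in `$value` have been normalised before this preg_match runs; that step is not visible in this hunk, and a one-line comment above the pattern stating the assumption would help. The diffstat shows a single insertion in includes/Sanitizer.php and nothing else, so consider adding a test with an `attr(... url)` value that pins the '/* insecure input */' result.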
--
1.8.4.5

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
13091