Diffstat (limited to 'includes/Sanitizer.php')
-rw-r--r-- | includes/Sanitizer.php | 51 |
1 files changed, 34 insertions, 17 deletions
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 9e9ac38b..3ca66443 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -819,24 +819,16 @@ class Sanitizer {
 }
 
 /**
- * Pick apart some CSS and check it for forbidden or unsafe structures.
- * Returns a sanitized string. This sanitized string will have
- * character references and escape sequences decoded and comments
- * stripped (unless it is itself one valid comment, in which case the value
- * will be passed through). If the input is just too evil, only a comment
- * complaining about evilness will be returned.
- *
- * Currently URL references, 'expression', 'tps' are forbidden.
- *
- * NOTE: Despite the fact that character references are decoded, the
- * returned string may contain character references given certain
- * clever input strings. These character references must
- * be escaped before the return value is embedded in HTML.
- *
- * @param $value String
- * @return String
+ * Normalize CSS into a format we can easily search for hostile input
+ * - decode character references
+ * - decode escape sequences
+ * - convert characters that IE6 interprets into ascii
+ * - remove comments, unless the entire value is one single comment
+ * @param string $value the css string
+ * @return string normalized css
 */
- static function checkCss( $value ) {
+ public static function normalizeCss( $value ) {
+ // Decode character references like {
 $value = Sanitizer::decodeCharReferences( $value );
@@ -922,6 +914,31 @@ class Sanitizer {
 $value
 );
+ return $value;
+ }
+
+
+ /**
+ * Pick apart some CSS and check it for forbidden or unsafe structures.
+ * Returns a sanitized string. This sanitized string will have
+ * character references and escape sequences decoded and comments
+ * stripped (unless it is itself one valid comment, in which case the value
+ * will be passed through). If the input is just too evil, only a comment
+ * complaining about evilness will be returned.
+ *
+ * Currently URL references, 'expression', 'tps' are forbidden.
+ *
+ * NOTE: Despite the fact that character references are decoded, the
+ * returned string may contain character references given certain
+ * clever input strings. These character references must
+ * be escaped before the return value is embedded in HTML.
+ *
+ * @param string $value
+ * @return string
+ */
+ static function checkCss( $value ) {
+ $value = self::normalizeCss( $value );
+
 // Reject problematic keywords and control characters
 if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 return '/* invalid control char */'; |