Diffstat (limited to 'includes/Sanitizer.php')
-rw-r--r-- | includes/Sanitizer.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index f6a9773d..b5725ce8 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -739,6 +739,13 @@ class Sanitizer {
 		// Remove any comments; IE gets token splitting wrong
 		$value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value );
+		// Remove anything after a comment-start token, to guard against
+		// incorrect client implementations.
+		$commentPos = strpos( $value, '/*' );
+		if ( $commentPos !== false ) {
+			$value = substr( $value, 0, $commentPos );
+		}
+
 		// Decode escape sequences and line continuation
 		// See the grammar in the CSS 2 spec, appendix D.
 		static $decodeRegex, $reencodeTable; |
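Review bot: The unterminated-comment truncation runs on the still-escaped string, while the very next step in the hunk decodes CSS escape sequences, so a `/*` that only appears after decoding (e.g. an escaped slash or asterisk) is not caught by this check; unless the decoded value is re-checked for `/*` further down the function (not visible in this hunk), the guard should be applied again after the decode step, or moved below it. A second point is that the truncation is silent, whereas the other rejections in this sanitizer appear to return an explanatory marker; consider at least a comment such as `// An unterminated comment swallows the rest of the declaration in conforming parsers; drop it so lenient clients cannot see more than conforming ones.` so the intent of discarding rather than rejecting is recorded. The enclosing function starts before and ends after this hunk.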