Joeytje50 has submitted this change and it was merged. Change subject: Problem fix: url() no longer allowed in style attr ......................................................................
Problem fix: url() no longer allowed in style attr - Style attributes allowed any CSS input; now any url() is filtered out to prevent loading of images. - Added extra info to $wgExtension credits - Added/fixed some things in the README file. Change-Id: Ibdc12167733936ae19fda853e5c7447463580972 --- M README.md M Tabs.body.php M Tabs.php 3 files changed, 19 insertions(+), 5 deletions(-) Approvals: Joeytje50: Verified; Looks good to me, approved diff --git a/README.md b/README.md index 079eb73..05da501 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ '''Note:''' - This extension uses the <code>bgcolor</code> attribute for dropdown menus. This is in no way meant as encouragement for the use of this deprecated attribute anywhere other than this tag. -For both the <code><tab></code> and <code><tab></code> tags, parser functions ''can'' be used within the content of the tag, but ''not'' in the attributes. To use parser functions within the attributes, the <code>#tag:tabs</code> or <code>#tag:tab</code> parser functions should be used. The [[#Parser function|<code>#tab</code> parser function]] will also work, but since the only attributes it can define are the <code>index</code> and <code>name</code> attributes, these don't allow complete support. +For both the <code><tab></code> and <code><tabs></code> tags, parser functions ''can'' be used within the content of the tag, but ''not'' in the attributes. To use parser functions within the attributes, the <code>#tag:tabs</code> or <code>#tag:tab</code> parser functions should be used. The [[#Parser function|<code>#tab</code> parser function]] will also work, but since the only attributes it can define are the <code>index</code> and <code>name</code> attributes, these don't allow complete support. For example, this will not work: 
@@ -92,7 +92,7 @@ Since dropdown menus use the <code><menu></code> tag for their content, it is permitted to use <code><li></code> tags directly within the dropdown menu's contents. Any other content is also allowed. -Dropdown menus will convert all list items and links placed within to specially styled list items. The only exception is that links show as they normally do when placed within unordered lists ([http://www.mediawiki.org/wiki/Help:Lists any line starting with <code>*</code>]). This is also the only difference between ordered and unordered lists. +Dropdown menus will convert all list items and links placed within to specially styled list items. The only exception is that links ''only'' show as they normally do when placed within unordered lists ([http://www.mediawiki.org/wiki/Help:Lists any line starting with <code>*</code>]). In ordered lists, or outside list items, they take up the full list item. This is also the only difference between ordered and unordered lists. Any nested lists will be rendered as sub-menus in the dropdown menu. Nested lists are created by starting a line with [http://www.mediawiki.org/wiki/Help:Lists multiple <code>*</code> or <code>#</code> characters]. There is one limitation with this however: Individual nested lists can not alternate between ordered and unordered lists. Seperate levels can, however. For example, this is not allowed: <pre> @@ -129,7 +129,8 @@ ===== Background-color for dropdowns ===== <tab dropdown bgcolor="salmon}body{font-weight:bold;"> -*This tab has a its <code>bgcolor</code> attribute set to <code>bgcolor="salmon"</code>. Just defining a <code>background-color</code> style would not work. +This tab has a its <code>bgcolor</code> attribute set to <code>bgcolor="salmon"</code>. +Just defining a <code>background-color</code> style would not work. </tab> ===== Lists and links ===== 
@@ -230,7 +231,7 @@ #*If the entered value contains only whitespace or is left empty, the index of that tab within the parser function is assumed. #No indices or names are defined here, so the indices of the tabs within the parser functions are automatically assigned as index. #The second tab will automatcally get <code>index="1"</code>, and the third tab will have no content: -#*If the third tab has a name defined in the list of names, then a [[#Self-closing tabs|self-closing tag. +#*If the third tab has a name defined in the list of names, then a [[#Self-closing tabs|self-closing tag]]. #*If the third tab has an index defined, this tab is skipped, and no output is generated for this tab. #This will define three tabs, "name 1", "name 2" and "name 3" using the [[#Self-closing tabs|self-closing syntax]]. #When the content of a tab is <code>$n</code> (where <code>n</code> is the place of the tab in the parser function), the contents of that tab are copied over to the tab that has <code>$n</code> in it. This only works if the tab contains nothing other than <code>$n</code>, and the parser function's <code>n</code>th parameter is defined and not empty. @@ -262,6 +263,14 @@ <tab index="4" block>Despite fitting on the previous line, the <code>block</code> attribute forces this seperate tab to a new line</tab> </tabs> +===== <code>plain</code> tab interfaces ===== + +<tabs plain style="width:250px;"> +<tab>This tab interface doesn't have a box surrounding it, but just has buttons above it.</tab> +<tab>This makes it a bit easier to customise the box</tab> +<tab>It is also more useful for storing tabbed tables in</tab> +</tabs> + ===== Inline switching parts ===== This tab menu uses the regular syntax using the <code><tab></code> tag. diff --git a/Tabs.body.php b/Tabs.body.php index 30fe03f..5090363 100644 --- a/Tabs.body.php +++ b/Tabs.body.php 
@@ -124,7 +124,8 @@ $containAttrStr = $this->getSafeAttrs($attr); if (isset($attr['bgcolor'])) { // preg_split filters for ;{} characters and CSS comments, to prevent injection of any other styles than just the background-color. Only the input before the filtered characters will be included. - $bgcolor = preg_split('/[;{}]|\/\*/', trim(htmlspecialchars($attr['bgcolor'])))[0]; + $bgsplit = preg_split('/[;\{\}]|\/\*/', trim(htmlspecialchars($attr['bgcolor']))); + $bgcolor = $bgsplit[0]; $background = "data-bgcolor=\"$bgcolor\""; $containAttrStr .= " $background"; $css = "<style type=\"text/css\">.tabs-dropdown[$background] .tabs-content, .tabs-dropdown[$background] .tabs-container, .tabs-dropdown[$background] li, .tabs-dropdown[$background] ul, .tabs-dropdown[$background] ol {background-color:$bgcolor}</style>"; @@ -278,6 +279,8 @@ foreach ($safeAttrs as $i) { if (isset($attr[$i])) { $safe[$i] = htmlspecialchars(trim($attr[$i])); + if ($i == 'style') //escape the urls, to prevent users from loading images from disallowed sites. + $safe[$i] = preg_replace("/[^;]+\s*url\s*\([^\)]+\)[^;]*;?/i", "/*$0*/", $safe[$i]); $attrStr .= " $i=\"".$safe[$i].'"'; } else $safe[$i] = ''; diff --git a/Tabs.php b/Tabs.php index f5dd643..324e484 100644 --- a/Tabs.php +++ b/Tabs.php 
@@ -30,6 +30,8 @@ 'author' => 'Joeytje50', 'url' => 'https://www.mediawiki.org/wiki/Extension:Tabs', 'descriptionmsg' => 'tabs-desc', + 'version' => 1.1, + 'license-name' => 'GPLv2+' ); $dir = __DIR__ . '/'; -- To view, visit https://gerrit.wikimedia.org/r/183978 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibdc12167733936ae19fda853e5c7447463580972 Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/extensions/Tabs Gerrit-Branch: master Gerrit-Owner: Joeytje50 <[email protected]> Gerrit-Reviewer: Joeytje50 <[email protected]> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
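Review bot: in the README hunk at @@ -129, the new line still reads "This tab has a its <code>bgcolor</code> attribute"; the stray "a" survived the rewrap, so drop it while this line is being touched.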
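Review bot: in the Tabs.body.php hunk at @@ -124, if the split into `$bgsplit = preg_split(...)` and `$bgcolor = $bgsplit[0];` is there for PHP versions without function array dereferencing (added in PHP 5.4), say so in the comment, otherwise it reads as an accidental change; the added backslashes in `[;\{\}]` are also unnecessary inside a character class, the removed `[;{}]` was already correct. More importantly, the value is still a denylist result (everything before the first `;`, `{`, `}` or `/*`) that is interpolated into both a `data-bgcolor` attribute and a `<style>` block. An allowlist of what a colour may look like (for example `preg_match('/^(#[0-9a-f]{3,6}|[a-z]+)$/i', $bgcolor)`, falling back to no colour on failure) is a smaller surface and easier to reason about than enumerating dangerous characters.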
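Review bot: in the Tabs.body.php hunk at @@ -278, the `url()` filter is a regex denylist applied to the already HTML-escaped value, and the way a match is neutralised is fragile: wrapping it in `/*$0*/` means a declaration that itself contains `*/` closes the comment early and whatever follows is live CSS again, `[^;]+` requires at least one character before `url` so the pattern does not match at the start of the value, and CSS character escapes can spell the keyword without the literal letters, so the regex will not see every `url(` a browser will. Prefer removing the offending declaration outright (or rejecting the whole `style` attribute) and, since this is a MediaWiki extension, consider passing the value through core's `Sanitizer::checkCss()`, which already normalises escapes and comments and rejects `url(` and similar constructs, rather than maintaining a parallel filter here. Style points: MediaWiki conventions want braces around the single-statement `if`, `===` instead of `==` for the `'style'` comparison, and the comment should say the URL is commented out, not escaped.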
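Review bot: in the Tabs.php hunk at @@ -30, `'version' => 1.1,` is a float literal; extension credits conventionally use a string (`'version' => '1.1',`) so that values such as `1.10` or `1.1.0` are not silently reformatted when shown on Special:Version. A trailing comma after `'license-name' => 'GPLv2+'` would also keep the next addition to this array a one-line diff.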
