Brian Wolff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/316618

Change subject: Disallow css attr() with url type
......................................................................

Disallow css attr() with url type

CSS3 seems like it will extend the attr() function, which can interpret
the attribute as different types, including 'url', which "...is interpreted
as a quoted string within the ‘url()’ notation."

Currently no browsers support this syntax yet, so submitting this
as a normal non-security patch.

Bug: T68404
Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
(cherry picked from commit 284173282d4fc25031b6ded0f696c46ecbf97338)
---
M includes/Sanitizer.php
M tests/phpunit/includes/SanitizerTest.php
2 files changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/18/316618/1

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index d321e9f..1d46e4e 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -983,6 +983,7 @@
                                | url\s*\(
                                | image\s*\(
                                | image-set\s*\(
+                               | attr\s*\([^)]+[\s,]+url
                        !ix', $value ) ) {
                        return '/* insecure input */';
                }
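Review bot: The new alternative `| attr\s*\([^)]+[\s,]+url` is the only entry in this list whose purpose is not self-evident from its name; please add a short comment above it stating that it rejects attr() with the 'url' type argument (per T68404), since a later maintainer trimming the blocklist would not know why a bare attr() call is being treated differently from the `url\s*\(`, `image\s*\(` and `image-set\s*\(` alternatives. Two things worth confirming before merge: the pattern has no identifier boundary after `url`, so it also fires on any type token that merely starts with "url", which is acceptable for a denylist but should be a deliberate choice; and the check depends on whatever escape and comment normalization runs on `$value` earlier in this function, so verify that normalization happens before this regex so that the `url` token is always seen in its plain form.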
diff --git a/tests/phpunit/includes/SanitizerTest.php 
b/tests/phpunit/includes/SanitizerTest.php
index 72d7166..8bc7933 100644
--- a/tests/phpunit/includes/SanitizerTest.php
+++ b/tests/phpunit/includes/SanitizerTest.php
@@ -314,6 +314,8 @@
                                '/* insecure input */',
                                'background-image: -moz-image-set("asdf.png" 
1x, "asdf.png" 2x);'
                        ],
+                       [ '/* insecure input */', 'foo: attr( title, url );' ],
+                       [ '/* insecure input */', 'foo: attr( title url );' ],
                ];
        }
 
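Review bot: Both new cases assert the rejection path only; add a negative control such as `foo: attr( title );` (no type argument, string type) that is expected to pass through unchanged, so a later regression that over-blocks all attr() usage is caught. It would also be worth covering the variants the pattern is meant to handle, in particular no whitespace around the comma (`attr(title,url)`) and a mixed-case type token, since the `i` flag is what makes the latter work and a test pins that behaviour down.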

-- 
To view, visit https://gerrit.wikimedia.org/r/316618
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icdae989764754c985a9292d62efae7cc47009df5
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: CSteipp <cste...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
