https://www.mediawiki.org/wiki/Special:Code/MediaWiki/111842
Revision: 111842
Author: au
Date: 2012-02-18 20:16:23 +0000 (Sat, 18 Feb 2012)
Log Message:
-----------
* Rudimentary CSS validation; +4 tests pass. (Bug 2304, 3244).
Modified Paths:
--------------
trunk/extensions/VisualEditor/modules/parser/ext.core.Sanitizer.js
Modified: trunk/extensions/VisualEditor/modules/parser/ext.core.Sanitizer.js
===================================================================
--- trunk/extensions/VisualEditor/modules/parser/ext.core.Sanitizer.js
2012-02-18 19:52:50 UTC (rev 111841)
+++ trunk/extensions/VisualEditor/modules/parser/ext.core.Sanitizer.js
2012-02-18 20:16:23 UTC (rev 111842)
@@ -99,12 +99,25 @@
if ( kv.v.constructor === Array ) {
kv.v = this.manager.env.tokensToString ( kv.v );
}
+ if ( kv.k === 'style' ) {
+ kv.v = this.checkCss(kv.v);
+ }
}
}
// XXX: Validate attributes
return { token: token };
};
+Sanitizer.prototype.checkCss = function ( value ) {
+ if (/[\000-\010\016-\037\177]/.test(value)) {
+ return '/* invalid control char */';
+ }
+ if (/expression|filter\s*:|accelerator\s*:|url\s*\(/i.test(value)) {
+ return '/* insecure input */';
+ }
+ return value;
+};
+
if (typeof module == "object") {
module.exports.Sanitizer = Sanitizer;
}
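Review bot: The pattern check in `checkCss` runs on the raw attribute value, so CSS escape and comment tricks such as `e\78pression`, `e\xpression` or `expr/**/ession` never match `/expression|filter\s*:|accelerator\s*:|url\s*\(/i` and pass through untouched; as far as I recall the PHP Sanitizer::checkCss this ports decodes backslash escapes and strips `/* */` comments before applying the same patterns, and that normalisation is what makes the blocklist meaningful. I would normalise first and test (and return) the normalised string, as sketched below. Two smaller, hedged points: the `kv.k === 'style'` comparison added at the top of the hunk is case-sensitive, which is only safe if the tokenizer already lowercases attribute names, and HTML character references (`&#101;xpression`) are not decoded here either unless an earlier stage does so — both deserve at least a comment stating the assumption. `Sanitizer.prototype.checkCss` lies entirely within the hunk; the method containing the `style` check starts before it.
```javascript
Sanitizer.prototype.checkCss = function ( value ) {
	// Normalise before matching: decode CSS backslash escapes (hex and
	// single-character) and strip comments, so that "e\78pression",
	// "e\xpression" or "expr/**/ession" cannot slip past the patterns.
	var decoded = value
		.replace( /\\([0-9a-fA-F]{1,6})\s?/g, function ( m, hex ) {
			return String.fromCharCode( parseInt( hex, 16 ) );
		} )
		.replace( /\\(.)/g, '$1' )
		.replace( /\/\*[\s\S]*?\*\//g, '' );
	if ( /[\000-\010\016-\037\177]/.test( decoded ) ) {
		return '/* invalid control char */';
	}
	if ( /expression|filter\s*:|accelerator\s*:|url\s*\(/i.test( decoded ) ) {
		return '/* insecure input */';
	}
	return decoded;
};
```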