https://bugzilla.wikimedia.org/show_bug.cgi?id=30113

--- Comment #77 from Wes Turner <wes.tur...@gmail.com> ---
(In reply to comment #76)
> (In reply to comment #71)
> > It looks like Sanitizer::validateAttributes would call Sanitizer::checkCss on
> > the style property; but the docstrings for Sanitizer::checkCss specify:
> > 
> >     * Currently URL references, 'expression', 'tps' are forbidden.
> > 
> > so I suppose the following would be needed:
> > 
> > * background-image: '";>
> > * width: safeEncodeAttribute
> > * height: safeEncodeAttribute
> 
> Html::element already handles encoding attributes, you just want to sanitize
> css.
> 
> (In reply to comment #74)

This test fixture seems to indicate that a

     'background-image: url(' . $wgFooterIcons['powererdby']['src'] . ')';

CSS attribute containing input from configuration on the filesystem may be
stripped:

https://git.wikimedia.org/blob/mediawiki%2Fcore/6a2d25eed09c311c70657789b3f7a841bc5363db/tests%2Fphpunit%2Fincludes%2FSanitizerTest.php#L253

https://www.mediawiki.org/wiki/Manual:$wgFooterIcons

Html::element states:

            // There's no point in escaping quotes, >, etc. in the contents of
            // elements.

In this case, it is probably good to escape a ' and/or javascript: in the
configuration-supplied variable.

It would be helpful if someone more familiar with the codebase could indicate
if there is a more appropriate function than htmlspecialchars (with
ENT_NOQUOTES/ENT_QUOTES) for this.
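An added illustration of the split the thread describes (attribute encoding versus CSS-level validation); this is example code, not MediaWiki's Sanitizer or Html code, and the helper names cssUrlValue and footerIconDiv are hypothetical:

```php
<?php
// Added example, not MediaWiki code. A configuration-supplied icon src is
// checked as a URL before it is placed inside a CSS url() in a style
// attribute; attribute-level escaping alone does not make it CSS-safe.

/**
 * Return a CSS url() token for $url, or null if the value is not acceptable.
 * Hypothetical helper.
 */
function cssUrlValue( string $url ): ?string {
    // Reject control characters, whitespace, non-ASCII bytes and anything that
    // could close the url() token or start a new declaration: quotes,
    // parentheses, backslash, semicolon, braces and angle brackets.
    // (Non-ASCII is expected to arrive percent-encoded in configuration.)
    if ( preg_match( '/[\x00-\x20"\'()\\\\;{}<>\x7f-\xff]/', $url ) ) {
        return null;
    }
    // Allow only site-relative paths or http(s) URLs, which also excludes
    // javascript:, data: and expression()-style values.
    if ( !preg_match( '#^(?:https?://|/)#i', $url ) ) {
        return null;
    }
    return 'url(' . $url . ')';
}

/**
 * Build a <div style="..."> for a footer icon, omitting the inline style
 * entirely when the configured src does not validate. Hypothetical helper.
 */
function footerIconDiv( array $icon ): string {
    $attrs = [];
    $value = cssUrlValue( $icon['src'] ?? '' );
    if ( $value !== null ) {
        // Attribute-level escaping still applies, as Html::element would do.
        $style = 'background-image: ' . $value . ';';
        $attrs[] = 'style="' . htmlspecialchars( $style, ENT_QUOTES, 'UTF-8' ) . '"';
    }
    return '<div' . ( $attrs ? ' ' . implode( ' ', $attrs ) : '' ) . '></div>';
}

// Constructed sample inputs, standing in for $wgFooterIcons entries.
$good = [ 'src' => '/w/resources/assets/poweredby_mediawiki_88x31.png' ];
$bad  = [ 'src' => "x.png');color:red" ];
echo footerIconDiv( $good ), "\n"; // style attribute emitted
echo footerIconDiv( $bad ), "\n";  // no style attribute emitted
```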
