--- Comment #79 from Daniel Friesen <> ---
(In reply to comment #77)
> This test fixture seems to indicate that a
>      'background-image: url(' . $wgFooterIcons['powererdby']['src'] . ')';
> CSS attribute containing input from configuration on the filesystem may be
> stripped:
> 6a2d25eed09c311c70657789b3f7a841bc5363db/
> tests%2Fphpunit%2Fincludes%2FSanitizerTest.php#L253

Yes, all url() constructs will make checkCss consider the CSS unsafe. So you'll
have to sanitize the background-image separately from the rest of the CSS.

> HTML::element states:
>             // There's no point in escaping quotes, >, etc. in the contents of
>             // elements.
> In this case, it is probably good to escape a '"; and/or javascript: in the
> configuration-supplied variable.
> It would be helpful if someone more familiar with the codebase could indicate
> if there is a more appropriate function than htmlspecialchars (with

Escaping of quotes ('") is already handled by Html::element; ignore
htmlspecialchars completely here.

For checking that the URL is safe (not javascript:), use preg_match( '/^(' .
wfUrlProtocols() . ')[^\s]+$/', ... ) to test if the protocol is whitelisted.

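The two points above (sanitize the background-image separately because url() fails checkCss, and whitelist the URL protocol with the preg_match pattern) put together as an added PHP example. This is not MediaWiki's code: exampleUrlProtocols() is a stand-in for wfUrlProtocols() with an assumed protocol list, footerIconElement() does the attribute escaping that Html::element would do in the real code base, and footerIconStyle() adds one caveat the protocol regex alone does not cover, namely that characters able to terminate the CSS url() token are percent-encoded before the validated URL is placed in the style.

```php
<?php
// Added example, not MediaWiki code. Stand-in for MediaWiki's wfUrlProtocols(),
// which returns a regex alternation of whitelisted protocols. The list below is
// an assumption made for this example.
function exampleUrlProtocols(): string {
    $protocols = ['http://', 'https://', 'ftp://', '//'];
    return implode('|', array_map(
        fn($p) => preg_quote($p, '/'),
        $protocols
    ));
}

// True when $url starts with a whitelisted protocol and contains no whitespace,
// mirroring the preg_match check from the comment above.
function isWhitelistedUrl(string $url): bool {
    return preg_match('/^(' . exampleUrlProtocols() . ')[^\s]+$/', $url) === 1;
}

// Builds the style value for the footer icon. The url() part is handled on its
// own because any url() makes checkCss reject the whole CSS block. Returns null
// when the URL is rejected so the caller can omit the style attribute entirely.
function footerIconStyle(string $src): ?string {
    if (!isWhitelistedUrl($src)) {
        return null;
    }
    // The protocol check says nothing about characters that could close the
    // url() token or the quoted string inside it, so encode those before use.
    $cssUrl = strtr($src, [
        '(' => '%28', ')' => '%29', '"' => '%22', "'" => '%27', '\\' => '%5C',
    ]);
    return 'background-image: url("' . $cssUrl . '")';
}

// Attribute escaping as Html::element already does it in MediaWiki; done by
// hand here only so the example runs stand-alone.
function footerIconElement(string $src): string {
    $style = footerIconStyle($src);
    $attr = $style === null
        ? ''
        : ' style="' . htmlspecialchars($style, ENT_QUOTES) . '"';
    return '<div id="footer-icon"' . $attr . '></div>';
}

// Constructed sample inputs standing in for $wgFooterIcons[...]['src'].
$samples = [
    'https://example.org/poweredby.png',             // accepted
    '//example.org/poweredby.png',                   // protocol-relative, accepted
    'javascript:alert(1)',                           // rejected: protocol not whitelisted
    'https://example.org/a.png)url(javascript:x',    // accepted, but ( and ) are encoded
    'https://example.org/a png',                     // rejected: whitespace in URL
];
foreach ($samples as $src) {
    echo $src, "\n  => ", footerIconElement($src), "\n";
}
```

The javascript: and whitespace cases produce an element with no style attribute at all rather than an empty url(), which is the safer failure mode when the value comes from configuration.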
Wikibugs-l mailing list
