https://bugzilla.wikimedia.org/show_bug.cgi?id=30113
--- Comment #81 from Wes Turner <wes.tur...@gmail.com> ---

(In reply to comment #79)
> (In reply to comment #77)
> > This test fixture seems to indicate that a
> >
> > 'background-image: url(' . $wgFooterIcons['powererdby']['src'] . ')';
> >
> > CSS attribute containing input from configuration on the filesystem may be
> > stripped:
> >
> > https://git.wikimedia.org/blob/mediawiki%2Fcore/6a2d25eed09c311c70657789b3f7a841bc5363db/tests%2Fphpunit%2Fincludes%2FSanitizerTest.php#L253
>
> Yes, all url() constructs will make checkCss consider the css unsafe. So you'll
> have to sanitize the background-image separate from the rest of the css.
>
> > HTML::element states:
> >
> > // There's no point in escaping quotes, >, etc. in the contents of
> > // elements.
> >
> > In this case, it is probably good to escape a '"; and/or javascript: in the
> > configuration-supplied variable.
> >
> > It would be helpful if someone more familiar with the codebase could indicate
> > if there is a more appropriate function than htmlspecialchars (with
> > ENT_NOQUOTES/ENT_QUOTES) for this.
>
> Escaping of quotes ('") are already handled by Html::element, ignore
> htmlspecialchars completely here.
>
> For sanitizing the URL is safe/not javascript: use preg_match( '/^(' .
> wfUrlProtocols() . ')[^\s]+$/', ... ) to test if the protocol is whitelisted.

It looks like Sanitizer::safeEncodeAttribute [would] also reference wfUrlProtocols,
though it seems to only escape double single quotes ("''", "''"), expecting the input
to have already been run through encodeAttribute and htmlspecialchars with ENT_QUOTES.

The documentation for http://php.net/manual/en/function.htmlspecialchars.php reads:

* '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
* "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.

And:

ENT_QUOTES Will convert both double and single quotes.

--
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
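The approach comment #79 recommends, shown as a stand-alone added example rather than MediaWiki's own code: because checkCss rejects every url() construct, the footer-icon URL is validated on its own with a protocol whitelist before it is placed into a background-image rule, and the resulting style string is then attribute-escaped the way Html::element would do inside MediaWiki. The `$allowedProtocols` string is a constructed stand-in for what wfUrlProtocols() is assumed to return (a regex alternation of escaped scheme prefixes); the function names `footerIconUrlIsSafe` and `footerIconStyle` are hypothetical, and htmlspecialchars stands in for Html::element's attribute escaping so the script runs outside MediaWiki.

```php
<?php
// Constructed stand-in for wfUrlProtocols(): an alternation of permitted scheme
// prefixes, escaped for a '/'-delimited PCRE pattern as the quoted suggestion uses.
$allowedProtocols = 'https?\:\/\/|ftp\:\/\/|\/\/';

// Hypothetical helper: true only when the URL starts with a whitelisted scheme and
// contains no whitespace. The 'i' flag matters because scheme names are
// case-insensitive, so "JavaScript:" must be rejected just like "javascript:".
function footerIconUrlIsSafe( string $url, string $allowedProtocols ): bool {
    return (bool)preg_match( '/^(' . $allowedProtocols . ')[^\s]+$/i', $url );
}

// Hypothetical helper: builds the background-image declaration for a validated URL,
// or returns null so the caller omits the icon instead of emitting an unsafe rule.
// The URL is quoted inside url() and the characters that could end the url() token
// (quote, backslash, parentheses) are backslash-escaped per CSS string syntax.
function footerIconStyle( string $url, string $allowedProtocols ): ?string {
    if ( !footerIconUrlIsSafe( $url, $allowedProtocols ) ) {
        return null;
    }
    $cssValue = preg_replace( '/[\\\\"()]/', '\\\\$0', $url );
    return 'background-image: url("' . $cssValue . '")';
}

// Constructed sample inputs: a normal icon path, a non-whitelisted scheme, and a
// path carrying CSS-significant characters that the scheme check alone passes.
$samples = [
    'https://example.org/poweredby_mediawiki_88x31.png',
    'javascript:alert(1)',
    'https://example.org/icon.png")',
];

foreach ( $samples as $url ) {
    $style = footerIconStyle( $url, $allowedProtocols );
    if ( $style === null ) {
        echo "rejected: $url\n";
        continue;
    }
    // Inside MediaWiki, Html::element( 'div', [ 'style' => $style ] ) performs the
    // attribute escaping; htmlspecialchars with ENT_QUOTES is the stand-alone equivalent.
    $attr = htmlspecialchars( $style, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    echo '<div style="' . $attr . '"></div>' . "\n";
}
```

Running the script, the first URL yields a `div` whose style attribute carries the quoted url() with its quotes entity-encoded, the `javascript:` URL is reported as rejected by the whitelist, and the third URL is accepted by the scheme check but has its `"` and `)` escaped so they cannot close the url() token; that last case is why the CSS-level escaping is kept separate from the scheme check rather than relying on either alone.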