--- Comment #81 from Wes Turner <wes.tur...@gmail.com> ---
(In reply to comment #79)
> (In reply to comment #77)
> > This test fixture seems to indicate that a
> > 'background-image: url(' . $wgFooterIcons['powererdby']['src'] . ')';
> > CSS attribute containing input from configuration on the filesystem may be
> > stripped:
> > https://git.wikimedia.org/blob/mediawiki%2Fcore/
> > 6a2d25eed09c311c70657789b3f7a841bc5363db/
> > tests%2Fphpunit%2Fincludes%2FSanitizerTest.php#L253
> Yes, all url() constructs will make checkCss consider the CSS unsafe, so you
> have to sanitize the background-image separately from the rest of the CSS.
> > HTML::element states:
> > // There's no point in escaping quotes, >, etc. in the contents of
> > // elements.
> > configuration-supplied variable.
> > It would be helpful if someone more familiar with the codebase could
> > indicate if there is a more appropriate function than htmlspecialchars
> > (with ENT_NOQUOTES/ENT_QUOTES) for this.
> Escaping of quotes (' ") is already handled by Html::element; ignore
> htmlspecialchars completely here.
> wfUrlProtocols() . ')[^\s]+$/', ... ) to test if the protocol is whitelisted.
It looks like Sanitizer::safeEncodeAttribute [would] also reference
wfUrlProtocols, though it seems to only escape double single quotes ("''",
"''"), expecting the input to have already been run through
encodeAttribute and htmlspecialchars with ENT_QUOTES.
The documentation for http://php.net/manual/en/function.htmlspecialchars.php:
* '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
* "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.
* ENT_QUOTES: Will convert both double and single quotes.
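The two points made in this thread, validating the url() value on its own (because a blanket CSS check rejects every url()) and escaping the attribute exactly once at the HTML layer, combined as an added example. This is not MediaWiki code and not part of the original comment: ALLOWED_PROTOCOLS is a constructed stand-in for the alternation wfUrlProtocols() returns, html.escape(quote=True) stands in for htmlspecialchars with ENT_QUOTES, and element() is a hypothetical minimal analogue of Html::element.

```python
import html
import re

# Constructed stand-in for the configured protocol whitelist. MediaWiki's
# wfUrlProtocols() returns a regex alternation built from $wgUrlProtocols;
# this list is an assumption used only for the example.
ALLOWED_PROTOCOLS = ["http://", "https://", "//"]

# Same shape as the check quoted in the thread:
# '/^(' . wfUrlProtocols() . ')[^\s]+$/'
PROTOCOL_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in ALLOWED_PROTOCOLS) + r")[^\s]+$"
)


def is_whitelisted_url(src):
    """True if src starts with an allowed protocol and contains no whitespace."""
    return PROTOCOL_RE.match(src) is not None


def css_url(src):
    """Return a CSS url() token for src, or None if the protocol is not
    whitelisted. The value is wrapped in a double-quoted CSS string, so only
    backslash and double quote need CSS-level escaping; whitespace (including
    newlines) is already rejected by the whitelist regex."""
    if not is_whitelisted_url(src):
        return None
    escaped = src.replace("\\", "\\\\").replace('"', '\\"')
    return 'url("%s")' % escaped


def background_image_style(src):
    """Return the background-image declaration for src, or None if src is
    rejected. This is the piece that cannot go through a checker that
    refuses all url() constructs, so it is validated separately."""
    token = css_url(src)
    if token is None:
        return None
    return "background-image: " + token + ";"


def element(tag, attribs):
    """Hypothetical analogue of Html::element: attribute values are escaped
    exactly once, with both quote characters converted (html.escape's
    quote=True is the counterpart of htmlspecialchars with ENT_QUOTES).
    Callers pass raw values; pre-escaped input would be double-escaped."""
    parts = []
    for name, value in attribs.items():
        parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
    return "<%s %s></%s>" % (tag, " ".join(parts), tag)


def footer_icon_html(src):
    """Combine the layers: CSS-level validation and escaping of the url()
    value, then a single HTML-attribute escaping pass over the style value."""
    style = background_image_style(src)
    if style is None:
        # A rejected src drops the background entirely rather than emitting a
        # partially sanitized style attribute.
        return element("div", {"class": "footer-icon"})
    return element("div", {"class": "footer-icon", "style": style})


if __name__ == "__main__":
    # Constructed sample inputs: a normal icon, a non-whitelisted scheme, and a
    # value that tries to break out of the url() token with a quote.
    for sample in (
        "https://example.org/poweredby.png",
        "javascript:alert(1)",
        'https://example.org/x.png")-moz-binding:url("x',
    ):
        print(footer_icon_html(sample))
```

The quote inside the third sample survives as `\&quot;` in the output: the backslash is the CSS-layer escape, the entity is the HTML-layer one, and neither layer re-escapes the other's work.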
Wikibugs-l mailing list