
Fix CSS URL innerHTML/cssText escaping bug.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
Edward Z. Yang 2011-03-27 21:24:32 +01:00
parent afb007d22f
commit 0124605918
3 changed files with 14 additions and 4 deletions

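--- a/NEWS
+++ b/NEWS
@@ -20,8 +20,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro
 and Mario Heiderich.
 # Protect against cssText/innerHTML by restricting allowed characters
-used in fonts further than mandated by the specification. Reported
-by Neike Taika-Tessaro and Mario Heiderich.
+used in fonts further than mandated by the specification and encoding
+some extra special characters in URLs. Reported by Neike
+Taika-Tessaro and Mario Heiderich.
 ! Added %HTML.Nofollow to add rel="nofollow" to external links.
 ! More types of SPL autoloaders allowed on later versions of PHP.
 ! Implementations for position, top, left, right, bottom, z-index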


@ -43,6 +43,15 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
// extra sanity check; should have been done by URI // extra sanity check; should have been done by URI
$result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result); $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
// suspicious characters are ()'; we're going to percent encode
// them for safety.
$result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
// there's an extra bug where ampersands lose their escaping on
// an innerHTML cycle, so a very unlucky query parameter could
// then change the meaning of the URL. Unfortunately, there's
// not much we can do about that...
return "url(\"$result\")"; return "url(\"$result\")";
} }
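Review bot: The comment above the new str_replace calls `()'` "suspicious" without saying why, and the reason is exactly what a later maintainer needs before trimming or extending the set: a cssText/innerHTML round trip can re-emit the declaration with url() unquoted or single-quoted, at which point a bare `)` ends the url token and a `'` ends the string, so the characters the double quotes were protecting become live again. I would make that explicit, e.g. `// Percent-encode ()' : a cssText/innerHTML round trip may re-serialize url() unquoted or single-quoted, so they could otherwise terminate the token early.` Percent-encoding only neutralizes them safely if nothing downstream decodes the value again; the first str_replace's "should have been done by URI" suggests the parent class already validated and encoded it, but the enclosing method starts outside the hunk, so that is worth confirming. The ampersand note could also state why `%26` is not an alternative — it would turn a query-string separator into literal data and change the URL's meaning.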


@ -20,8 +20,8 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
$this->assertDef("url('http://www.example.com/')", $result); $this->assertDef("url('http://www.example.com/')", $result);
$this->assertDef( $this->assertDef(
' url( "http://www.example.com/" ) ', $result); ' url( "http://www.example.com/" ) ', $result);
$this->assertDef("url(http://www.example.com/foo,bar\))", $this->assertDef("url(http://www.example.com/foo,bar\)\'\()",
'url("http://www.example.com/foo,bar)")'); 'url("http://www.example.com/foo,bar%29%27%28")');
} }
} }
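Review bot: The new assertion only exercises the CSS-escaped spelling `\)\'\(` inside an unquoted url(), so it does not show that the encoding also applies to the case the fix is really about — a `'` or `)` written plainly inside a double-quoted url("…"), which is legal CSS and the likelier attacker input. Adding `$this->assertDef('url("http://www.example.com/a\'(b)")', 'url("http://www.example.com/a%27%28b%29")');` would pin that path; the existing `foo,bar)` case indicates the parent URI validation leaves these characters intact, though whether the quoted branch reaches the same encoding step is not visible from this hunk. The enclosing test method starts outside the hunk.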