Fix CSS URL innerHTML/cssText escaping bug.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-09-19 10:45:18 +00:00 · 2011-03-27 21:24:32 +01:00 · 2011-03-27 21:24:32 +01:00 · 0124605918
commit 0124605918
parent afb007d22f
3 changed files with 14 additions and 4 deletions
--- a/5
+++ b/5
@ -20,8 +20,9 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
  reverted using %Output.FixInnerHTML.  Reported by Neike Taika-Tessaro
  and Mario Heiderich.
 # Protect against cssText/innerHTML by restricting allowed characters
-  used in fonts further than mandated by the specification.  Reported
-  by Neike Taika-Tessaro and Mario Heiderich.
+  used in fonts further than mandated by the specification and encoding
+  some extra special characters in URLs.  Reported by Neike
+  Taika-Tessaro and Mario Heiderich.
 ! Added %HTML.Nofollow to add rel="nofollow" to external links.
 ! More types of SPL autoloaders allowed on later versions of PHP.
 ! Implementations for position, top, left, right, bottom, z-index
--- a/library/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/library/HTMLPurifier/AttrDef/CSS/URI.php
@ -43,6 +43,15 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
        // extra sanity check; should have been done by URI
        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);

+        // suspicious characters are ()'; we're going to percent encode
+        // them for safety.
+        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
+
+        // there's an extra bug where ampersands lose their escaping on
+        // an innerHTML cycle, so a very unlucky query parameter could
+        // then change the meaning of the URL.  Unfortunately, there's
+        // not much we can do about that...
+
        return "url(\"$result\")";

    }
--- a/tests/HTMLPurifier/AttrDef/CSS/URITest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/URITest.php
@ -20,8 +20,8 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
        $this->assertDef("url('http://www.example.com/')", $result);
        $this->assertDef(
            '  url(  "http://www.example.com/" )   ', $result);
-        $this->assertDef("url(http://www.example.com/foo,bar\))",
-            'url("http://www.example.com/foo,bar)")');
+        $this->assertDef("url(http://www.example.com/foo,bar\)\'\()",
+            'url("http://www.example.com/foo,bar%29%27%28")');
    }

 }