
daniel at svn
Nov 7, 2009, 7:45 AM
SVN: [58714] trunk/phase3/includes/Sanitizer.php
http://www.mediawiki.org/wiki/Special:Code/MediaWiki/58714 Revision: 58714 Author: daniel Date: 2009-11-07 15:45:13 +0000 (Sat, 07 Nov 2009) Log Message: ----------- better pattern for detecting evil scripts in rdfa attributes Modified Paths: -------------- trunk/phase3/includes/Sanitizer.php Modified: trunk/phase3/includes/Sanitizer.php =================================================================== --- trunk/phase3/includes/Sanitizer.php 2009-11-07 15:25:06 UTC (rev 58713) +++ trunk/phase3/includes/Sanitizer.php 2009-11-07 15:45:13 UTC (rev 58714) @@ -57,6 +57,11 @@ )?(?=$space|\$)/sx" ); /** + * Regular expression to match URIs that could trigger script execution + */ +define( 'MW_SCRIPT_URL_PATTERN', '/(^|\s)(javascript|vbscript)[^\w]/i' ); + +/** * List of all named character entities defined in HTML 4.01 * http://www.w3.org/TR/html4/sgml/entities.html * @private @@ -631,7 +636,7 @@ $attribute === 'about' || $attribute === 'property' || $attribute === 'resource' || $attribute === 'datatype' || $attribute === 'typeof' ) { //Paranoia. Allow "simple" values but suppress javascript - if ( preg_match( '/(^|\s)javascript\s*:/i', $value ) ) { + if ( preg_match( MW_SCRIPT_URL_PATTERN, $value ) ) { continue; } } _______________________________________________ MediaWiki-CVS mailing list MediaWiki-CVS[at]lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs
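Review bot: The doc comment on the new MW_SCRIPT_URL_PATTERN define should state what the pattern assumes about its input, since the regex only works as intended if the attribute value has already had character references decoded and leading whitespace handled before it is tested; that preprocessing is not visible in this hunk and a future caller could reuse the constant on a raw value. Suggest expanding the comment to something like "Matches attribute values starting with a javascript: or vbscript: scheme; apply only to values that have been entity-decoded and trimmed", and noting that `[^\w]` deliberately accepts any non-word separator after the scheme name rather than just `\s*:`.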
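Review bot: Replacing `'/(^|\s)javascript\s*:/i'` with MW_SCRIPT_URL_PATTERN in the RDFa attribute check widens what gets rejected (any value whose first token is "javascript" or "vbscript" followed by a non-word character, not only a scheme with a colon), so benign `property` or `datatype` values such as "javascript, tutorial" will now be silently dropped by the `continue`. That is an acceptable paranoia trade-off for these attributes, but the "//Paranoia. Allow "simple" values but suppress javascript" comment should be updated to mention vbscript and the broader match, and a log or debug message on the `continue` path would make the silent drop easier to diagnose for editors.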