Merge branch 'master' into trinidad

author: friendica <info@friendica.com> 2015-01-01 22:33:28 -0800
committer: friendica <info@friendica.com> 2015-01-01 22:33:28 -0800
commit: 82d0a4af452015e870bdcea56f1008ea22d066b3 (patch)
tree: 3ad1db1aeb0dfdeb10a70b99da353fe3094f1d69 /library/HTMLPurifier/AttrDef/CSS/URI.php
parent: 9a34e18319301e0a952f674899aeb58b424637a4 (diff)
parent: 68c612c597471404201099ecbc8b4082d152e18a (diff)
download: volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.tar.gz
volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.tar.bz2
volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.zip
1 files changed, 30 insertions, 8 deletions
diff --git a/library/HTMLPurifier/AttrDef/CSS/URI.php b/library/HTMLPurifier/AttrDef/CSS/URI.php
index 1df17dc25..f9434230e 100644
--- a/library/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/library/HTMLPurifier/AttrDef/CSS/URI.php
@@ -12,25 +12,39 @@
 class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
 {
 
-    public function __construct() {
+    public function __construct()
+    {
         parent::__construct(true); // always embedded
     }
 
-    public function validate($uri_string, $config, $context) {
+    /**
+     * @param string $uri_string
+     * @param HTMLPurifier_Config $config
+     * @param HTMLPurifier_Context $context
+     * @return bool|string
+     */
+    public function validate($uri_string, $config, $context)
+    {
         // parse the URI out of the string and then pass it onto
         // the parent object
 
         $uri_string = $this->parseCDATA($uri_string);
-        if (strpos($uri_string, 'url(') !== 0) return false;
+        if (strpos($uri_string, 'url(') !== 0) {
+            return false;
+        }
         $uri_string = substr($uri_string, 4);
         $new_length = strlen($uri_string) - 1;
-        if ($uri_string[$new_length] != ')') return false;
+        if ($uri_string[$new_length] != ')') {
+            return false;
+        }
         $uri = trim(substr($uri_string, 0, $new_length));
 
         if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) {
             $quote = $uri[0];
             $new_length = strlen($uri) - 1;
-            if ($uri[$new_length] !== $quote) return false;
+            if ($uri[$new_length] !== $quote) {
+                return false;
+            }
             $uri = substr($uri, 1, $new_length - 1);
         }
 
@@ -38,15 +52,23 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
 
         $result = parent::validate($uri, $config, $context);
 
-        if ($result === false) return false;
+        if ($result === false) {
+            return false;
+        }
 
         // extra sanity check; should have been done by URI
         $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
 
-        return "url(\"$result\")";
+        // suspicious characters are ()'; we're going to percent encode
+        // them for safety.
+        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
 
+        // there's an extra bug where ampersands lose their escaping on
+        // an innerHTML cycle, so a very unlucky query parameter could
+        // then change the meaning of the URL.  Unfortunately, there's
+        // not much we can do about that...
+        return "url(\"$result\")";
     }
-
 }
 
 // vim: et sw=4 sts=4
author	friendica <info@friendica.com>	2015-01-01 22:33:28 -0800
committer	friendica <info@friendica.com>	2015-01-01 22:33:28 -0800
commit	82d0a4af452015e870bdcea56f1008ea22d066b3 (patch)
tree	3ad1db1aeb0dfdeb10a70b99da353fe3094f1d69 /library/HTMLPurifier/AttrDef/CSS/URI.php
parent	9a34e18319301e0a952f674899aeb58b424637a4 (diff)
parent	68c612c597471404201099ecbc8b4082d152e18a (diff)
download	volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.tar.gz volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.tar.bz2 volse-hubzilla-82d0a4af452015e870bdcea56f1008ea22d066b3.zip