Merge "Bug 1602447: Allow ">" in CSS stylesheets"

37c061d1 · Robert Lyon · Gerrit Code Review · 9a297249 · 08facc98 · 37c061d1
Commit 37c061d1 authored Aug 08, 2016 by Robert Lyon Committed by Gerrit Code Review Aug 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

htdocs/lib/web.php htdocs/lib/web.php +7 -6

No files found.
--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -3728,7 +3728,8 @@ function clean_html($text, $xhtml=false) {
 }

 /**
- * Like clean_html(), but for CSS!
+ * Like clean_html(), but for CSS stylesheets! (May not be secure for CSS directly
+ * in an HTML document a la <style>.)
 *
 * Much of the code in this function was taken from the sample code in this post:
 * http://stackoverflow.com/questions/3241616/sanitize-user-defined-css-in-php#5209050
@@ -3760,15 +3761,15 @@ function clean_css($input_css, $preserve_css=false) {
    $config->set('Filter.ExtractStyleBlocks', true);
    $config->set('Filter.ExtractStyleBlocks.PreserveCSS', $preserve_css);

+    // Prevents "&<>" from being escaped. Escaping those is helpful
+    // if you're dealing with CSS declarations within an HTML document, but is
+    // not necessary for CSS in isolation.
+    $config->set('Filter.ExtractStyleBlocks.Escaping', false);
+
    if (get_config('disableexternalresources')) {
        $config->set('URI.DisableExternalResources', true);
    }

-    $customfilters = get_htmlpurifier_custom_filters();
-    if (!empty($customfilters)) {
-        $config->set('Filter.Custom', $customfilters);
-    }
-
    // Create a new purifier instance
    $purifier = new HTMLPurifier($config);