Commit 37c061d1 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge "Bug 1602447: Allow ">" in CSS stylesheets"

parents 9a297249 08facc98
......@@ -3728,7 +3728,8 @@ function clean_html($text, $xhtml=false) {
}
/**
* Like clean_html(), but for CSS!
* Like clean_html(), but for CSS stylesheets! (May not be secure for CSS directly
* in an HTML document a la <style>.)
*
* Much of the code in this function was taken from the sample code in this post:
* http://stackoverflow.com/questions/3241616/sanitize-user-defined-css-in-php#5209050
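Review bot: The added docblock sentence "May not be secure for CSS directly in an HTML document" reads as a hedge, although the second hunk of this commit switches `Filter.ExtractStyleBlocks.Escaping` off for every call, which makes the restriction on callers firm rather than possible. I would word it as a contract, for example `* The result is only safe when served as a standalone stylesheet; never embed it in a <style> element or a style attribute.` An `@return` line repeating that restriction would help a reader who only looks at the signature. The docblock continues outside this hunk, so any tags it already has are not visible here.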
......@@ -3760,15 +3761,15 @@ function clean_css($input_css, $preserve_css=false) {
$config->set('Filter.ExtractStyleBlocks', true);
$config->set('Filter.ExtractStyleBlocks.PreserveCSS', $preserve_css);
// Prevents "&<>" from being escaped. Escaping those is helpful
// if you're dealing with CSS declarations within an HTML document, but is
// not necessary for CSS in isolation.
$config->set('Filter.ExtractStyleBlocks.Escaping', false);
if (get_config('disableexternalresources')) {
$config->set('URI.DisableExternalResources', true);
}
$customfilters = get_htmlpurifier_custom_filters();
if (!empty($customfilters)) {
$config->set('Filter.Custom', $customfilters);
}
// Create a new purifier instance
$purifier = new HTMLPurifier($config);
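Review bot: Setting `Filter.ExtractStyleBlocks.Escaping` to false applies to every caller of clean_css(), and nothing in the visible lines restricts where the returned CSS ends up. Going by HTML Purifier's documentation of this directive, `<`, `>` and `&` then pass through unescaped, which is fine in a separate stylesheet response but unsafe if any caller prints the result inside an HTML page. I would either make it explicit with a defaulted third parameter, `function clean_css($input_css, $preserve_css=false, $standalone=true)` with `$config->set('Filter.ExtractStyleBlocks.Escaping', !$standalone);`, or keep the unconditional setting and put `// SECURITY: output must only be served as a standalone stylesheet, never echoed into HTML.` directly above it. It is also worth confirming that the endpoints serving this output send a CSS content type. The body of clean_css() starts and ends outside this hunk, so its callers and return path cannot be checked from here.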
......