Validate background colour to avoid arbitrary style attribute injection. Leads to XSS in versions of IE that support dynamic properties (IE<8, and IE 8 in quirks mode).

2024-11-15 03:04:52 +00:00 · 2010-03-30 03:59:15 +00:00 · 2010-03-30 03:59:15 +00:00 · 6bdcff7eaf
parent ef03379a76
commit 6bdcff7eaf
1 changed files with 21 additions and 0 deletions
--- a/InputBox.classes.php
+++ b/InputBox.classes.php
@ -510,7 +510,28 @@ class InputBox {
 		// Validate the width; make sure it's a valid, positive integer
 		$this->mWidth = intval( $this->mWidth <= 0 ? 50 : $this->mWidth );

+		// Validate background color
+		if ( !$this->isValidColor( $this->mBGColor ) ) {
+			$this->mBGColor = 'transparent';
+		}
 		wfProfileOut( __METHOD__ );
 	}

+	/**
+	 * Do a security check on the bgcolor parameter
+	 */
+	public function isValidColor( $color ) {
+		$regex = <<<REGEX
+			/^ (
+				[a-zA-Z]* |       # color names
+				\# [0-9a-f]{3} |  # short hexadecimal
+				\# [0-9a-f]{6} |  # long hexadecimal
+				rgb \s* \( \s* (
+					\d+ \s* , \s* \d+ \s* , \s* \d+ |    # rgb integer
+					[0-9.]+% \s* , \s* [0-9.]+% \s* , \s* [0-9.]+%   # rgb percent
+				) \s* \)
+			) $ /xi
+REGEX;
+		return (bool) preg_match( $regex, $color );
+	}
 }