From c7f89acbf28012a6b21ea90c23d48a134fd0d71e Mon Sep 17 00:00:00 2001
From: Bilka
Date: Sat, 14 Dec 2024 19:04:35 +0100
Subject: [PATCH] AO3-6864 Disallow URLs followed by something else in CSS

---
 lib/css_cleaner.rb | 2 +-
 spec/models/skin_spec.rb | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/css_cleaner.rb b/lib/css_cleaner.rb
index b5a25b4ee0..8c3f278bed 100644
--- a/lib/css_cleaner.rb
+++ b/lib/css_cleaner.rb
@@ -227,7 +227,7 @@ def sanitize_css_content(value)
 return value if value =~ /^\"([^\"]*)\"$/
 
 # or a valid img url
- return value if value.match(URL_FUNCTION_REGEX)
+ return value if value.match(Regexp.new("^#{URL_FUNCTION_REGEX}$"))
 
 # or "none"
 return value if value == "none"
diff --git a/spec/models/skin_spec.rb b/spec/models/skin_spec.rb
index 10e3280555..b5b2772b8b 100644
--- a/spec/models/skin_spec.rb
+++ b/spec/models/skin_spec.rb
@@ -177,7 +177,8 @@
 "errors when saving gradient with xss" => "div {background: -webkit-linear-gradient(url(xss.htc))}",
 "errors when saving dsf images" => "body {background: url(http://foo.com/bar.dsf)}",
 "errors when saving urls with invalid domain" => "body {background: url(http://foo.htc/bar.png)}",
- "errors when saving xss interrupted with comments" => "div {xss:expr/*XSS*/ession(alert('XSS'))}"
+ "errors when saving xss interrupted with comments" => "div {xss:expr/*XSS*/ession(alert('XSS'))}",
+ "errors when saving url followed by something else" => 'a {content: url(/images/fakeimage.png) " (" attr(href) ")"}'
 }.each_pair do |condition, css|
 it condition do
 @skin.css = css
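Review bot: The `^`/`$` anchors added in the css_cleaner.rb hunk are line anchors in Ruby, not whole-string anchors, so a value that carries an embedded newline after the `url(...)` token would still satisfy the check; whether such a value can reach sanitize_css_content depends on the upstream parser, which is not visible here. Anchoring with `\A`/`\z` closes that gap and also avoids rebuilding the Regexp on every call: `return value if value.match?(/\A#{URL_FUNCTION_REGEX}\z/)`. The quoted-string check on the context line above uses the same `^`/`$` shape and could be tightened the same way in a follow-up. sanitize_css_content starts before the hunk and continues past it.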
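Review bot: The new case in the skin_spec.rb hunk only pins the rejected form; a companion positive case asserting that a bare `url(...)` value still saves (for example `body {background: url(http://foo.com/bar.png)}`, if that is the accepted form in this suite) would catch the tightened anchor over-rejecting legitimate values. If such a case already exists elsewhere in this spec, this is covered. The enclosing `describe` block starts before the hunk and the `it` body continues past it.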