Improve escape_css() to accept most common CSS expressions

This commit is contained in:
Kijin Sung 2025-03-18 23:53:06 +09:00
parent 62eb6b2aae
commit baadb36e37
2 changed files with 4 additions and 2 deletions


@ -205,7 +205,7 @@ function escape($str, bool $double_escape = true, bool $except_lang_code = false
*/
function escape_css(string $str): string
{
return preg_replace('/[^a-zA-Z0-9_.#\/-]/', '', (string)$str);
return preg_replace('/[^a-zA-Z0-9_.,#%\/\'()\x20-]/', '', (string)$str);
}
/**
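Review bot: The widened character class on the new `return` line lets CSS function-call syntax through intact — the updated test in the second file shows `expression:alert("XSS")` surviving as `expressionalert(XSS)`, and an input written with parentheses instead of the colon consists only of permitted characters, so it is returned unchanged; stripping `:` only helps when the value is a whole declaration, not when a caller emits a bare property value. If only value helpers such as `rgba(...)` are meant to be accepted, add a second pass after the class filter, e.g. `$str = preg_replace('/[^a-zA-Z0-9_.,#%\/\'()\x20-]/', '', $str);` followed by `return preg_replace('/\b(?:expression|url)\s*\(/i', '', $str);`, or state in the docblock (which begins above the hunk) which constructs callers may rely on being removed. Since `'` is now permitted, the result is no longer safe to place in a single-quoted HTML attribute without attribute escaping; presumably callers already escape for attribute context, and the docblock should say so. The `(string)$str` cast is redundant given the `string` parameter type on the signature line.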


@ -50,8 +50,10 @@ class FunctionsTest extends \Codeception\Test\Unit
$this->assertEquals('$user_lang->userLang1234567890', escape('$user_lang->userLang1234567890', true, false));
$this->assertEquals('$user_lang->userLang1234567890', escape('$user_lang->userLang1234567890', true, true));
$this->assertEquals('expressionalertXSS', escape_css('expression:alert("XSS")'));
$this->assertEquals('expressionalert(XSS)', escape_css('expression:alert("XSS")'));
$this->assertEquals('#123456', escape_css('#123456'));
$this->assertEquals('16px/160% Segoe UI, sans-serif font-style', escape_css('16px/160% Segoe UI, sans-serif; font-style'));
$this->assertEquals('box-shadow(0 1px 2px rgba(0, 0, 0, 0.15)', escape_css('box-shadow(0 1px 2px rgba(0, 0, 0, "0.15")'));
$this->assertEquals('hello\\\\world', escape_js('hello\\world'));
$this->assertEquals('\u003Cbr \/\u003E', escape_js('<br />'));