Commit 75d33359 authored by Emma's avatar Emma 😻

don't allow data: urls in custom styles

parent 5d18309a
......@@ -10,4 +10,5 @@
'External resource is not allowed on line {{ line }}': 'External resource is not allowed on line {{ line }}'
'expression() syntax is not allowed on line {{ line }}': 'expression() syntax is not allowed on line {{ line }}'
'expression() syntax is not allowed in strings on line {{ line }}': 'expression() syntax is not allowed in strings on line {{ line }}'
'Embedded data is not allowed on line {{ line }}': 'Embedded data is not allowed on line {{ line }}'
'Recursion limit reached': 'Recursion limit reached'
......@@ -155,7 +155,7 @@ class CssValidator extends ConstraintValidator {
private function validateCssValue($cssValue, int $recursionDepth) {
if ($recursionDepth > 5) {
$this->context->buildViolation('Recursion limit reached');
$this->context->addViolation('Recursion limit reached');
}
if (is_object($cssValue)) {
......@@ -201,6 +201,12 @@ class CssValidator extends ConstraintValidator {
->addViolation();
}
if (stripos($url, 'data:') === 0) {
$this->context->buildViolation('Embedded data is not allowed on line {{ line }}')
->setParameter('{{ line }}', $cssValue->getLineNo())
->addViolation();
}
if (strpos($url, '://') !== false || strpos($url, '//') === 0) {
$this->context->buildViolation('External resource is not allowed on line {{ line }}')
->setParameter('{{ line }}', $cssValue->getLineNo())
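Review bot: The new `data:` check is a prefix denylist on a single scheme, so its strength depends on how `$url` was produced above this hunk: if the CSS parser has not already trimmed leading whitespace and decoded CSS escapes before this point, a value that only normalises to that scheme is not caught, and the same applies to the `strpos($url, '://')` / `'//'` checks below it. The more robust shape is an allowlist decision in one place: extract the scheme once, e.g. `if (preg_match('/^\s*([a-z][a-z0-9+.\-]*):/i', $url, $m))`, and reject any scheme that is not in an explicit allowed set, emitting the existing 'Embedded data' / 'External resource' messages as appropriate so the translation strings stay unchanged. That also turns the three independent `if` blocks in this hunk into a single check with one place to extend, and makes the reliance on the parser's normalisation explicit rather than implicit. The enclosing method continues outside the hunk.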