From 224b22a051051f6c2e494c3a2fb4adb42898e2d1 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz <pierre@archlinux.de>
Date: Tue, 14 Jan 2014 19:24:18 +0100
Subject: Update to MediaWiki 1.22.1

---
 includes/Sanitizer.php | 51 ++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

(limited to 'includes/Sanitizer.php')

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 499d8218..9e9ac38b 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -865,6 +865,27 @@ class Sanitizer {
 		$value = preg_replace_callback( $decodeRegex,
 			array( __CLASS__, 'cssDecodeCallback' ), $value );
 
+		// Normalize Halfwidth and Fullwidth Unicode block that IE6 might treat as ascii
+		$value = preg_replace_callback(
+			'/[！-［］-ｚ]/u', // U+FF01 to U+FF5A, excluding U+FF3C (bug 58088)
+			function ( $matches ) {
+				$cp = utf8ToCodepoint( $matches[0] );
+				if ( $cp === false ) {
+					return '';
+				}
+				return chr( $cp - 65248 ); // ASCII range \x21-\x7A
+			},
+			$value
+		);
+
+		// Convert more characters IE6 might treat as ascii
+		// U+0280, U+0274, U+207F, U+029F, U+026A, U+207D, U+208D
+		$value = str_replace(
+			array( 'ʀ', 'ɴ', 'ⁿ', 'ʟ', 'ɪ', '⁽', '₍' ),
+			array( 'r', 'n', 'n', 'l', 'i', '(', '(' ),
+			$value
+		);
+
 		// Let the value through if it's nothing but a single comment, to
 		// allow other functions which may reject it to pass some error
 		// message through.
@@ -885,10 +906,36 @@ class Sanitizer {
 			}
 		}
 
+		// S followed by repeat, iteration, or prolonged sound marks,
+		// which IE will treat as "ss"
+		$value = preg_replace(
+			'/s(?:
+				\xE3\x80\xB1 | # U+3031
+				\xE3\x82\x9D | # U+309D
+				\xE3\x83\xBC | # U+30FC
+				\xE3\x83\xBD | # U+30FD
+				\xEF\xB9\xBC | # U+FE7C
+				\xEF\xB9\xBD | # U+FE7D
+				\xEF\xBD\xB0   # U+FF70
+			)/ix',
+			'ss',
+			$value
+		);
+
 		// Reject problematic keywords and control characters
-		if ( preg_match( '/[\000-\010\016-\037\177]/', $value ) ) {
+		if ( preg_match( '/[\000-\010\013\016-\037\177]/', $value ) ) {
 			return '/* invalid control char */';
-		} elseif ( preg_match( '! expression | filter\s*: | accelerator\s*: | url\s*\( | image\s*\( | image-set\s*\( !ix', $value ) ) {
+		} elseif ( preg_match(
+			'! expression
+				| filter\s*:
+				| accelerator\s*:
+				| -o-link\s*:
+				| -o-link-source\s*:
+				| -o-replace\s*:
+				| url\s*\(
+				| image\s*\(
+				| image-set\s*\(
+			!ix', $value ) ) {
 			return '/* insecure input */';
 		}
 		return $value;
-- 
cgit v1.2.2