From a6f68f9781aea527721a683466a74839ad144b47 Mon Sep 17 00:00:00 2001 From: SomeRandomDeveloper Date: Tue, 3 Jun 2025 20:16:13 +0200 Subject: [PATCH] SECURITY: Sanitize style parameter properly Also use Html to build the iframe element, which simplifies sanitizing other parameters. Raise the MW requirement to 1.43 to support namespaced imports for the Html and Sanitizer classes. Bump the version to 1.5. Bug: T395949 --- extension.json | 4 ++-- src/GoogleDocs4MW.php | 33 +++++++++++++++++++-------------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/extension.json b/extension.json index c31be57..2db0ae0 100644 --- a/extension.json +++ b/extension.json @@ -1,6 +1,6 @@ { "name": "GoogleDocs4MW", - "version": "1.4", + "version": "1.5", "author": [ "Jack Phoenix" ], @@ -9,7 +9,7 @@ "descriptionmsg": "googledocs4mw-desc", "type": "parserhook", "requires": { - "MediaWiki": ">= 1.31.0" + "MediaWiki": ">= 1.43.0" }, "MessagesDirs": { "GoogleDocs4MW": [ diff --git a/src/GoogleDocs4MW.php b/src/GoogleDocs4MW.php index 56f8dd7..747c858 100644 --- a/src/GoogleDocs4MW.php +++ b/src/GoogleDocs4MW.php @@ -1,4 +1,8 @@ tag for displaying * Google Docs' spreadsheets 
@@ -25,22 +29,23 @@ class GoogleDocs4MW { * * @param string $input * @param array $argv - * @return $output + * @return string $output */ public static function renderGoogleSpreadsheet( $input, $argv ) { - $width = isset( $argv['width'] ) ? $argv['width'] : 500; - $height = isset( $argv['height'] ) ? $argv['height'] : 300; - $style = isset( $argv['style'] ) ? $argv['style'] : 'width:100%'; - $key = htmlspecialchars( $input, ENT_QUOTES ); - - $output = ''; - - return $output; + $width = $argv['width'] ?? 500; + $height = $argv['height'] ?? 300; + $style = $argv['style'] ?? 'width:100%'; + $style = Sanitizer::checkCss( $style ); + + $src = 'https://docs.google.com/spreadsheets/d/' . $input . '/htmlembed?widget=true'; + + return Html::element( 'iframe', [ + 'class' => 'googlespreadsheetframe', + 'width' => intval( $width ), + 'height' => intval( $height ), + 'style' => $style, + 'src' => $src, + ] ); } } -- 2.49.0
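Review bot: The document key `$input` is concatenated into `$src` with no validation now that the old `htmlspecialchars()` call is gone; `Html::element()` escapes the attribute so the iframe markup itself is safe, but a tag body containing `/`, `?`, `#` or `..` segments can point the frame at any path under docs.google.com rather than a spreadsheet embed, and a `null` body (self-closing tag, if the parser passes one) yields `.../d//htmlembed`. Google spreadsheet IDs are, as far as I know, limited to `[A-Za-z0-9_-]`, so I'd validate the key before building the URL: `$key = trim( (string)$input );` `if ( !preg_match( '/^[A-Za-z0-9_-]+$/', $key ) ) { return ''; }` and then use `$key` in `$src`. While there, `intval()` still admits negative `width`/`height`; `max( 0, intval( $width ) )` would keep the attributes sane. The function's docblock starts above the hunk.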