From 0aab2bd541f1714c969c7fa62420408a8543b81d Mon Sep 17 00:00:00 2001
From: Catrope <roan.kattouw@gmail.com>
Date: Fri, 16 Nov 2012 10:12:58 -0800
Subject: [PATCH] (bug 42202) Validate editfont before embedding it in CSS

If the editfont preference somehow had a value like "foo; color: blue",
we have a CSS injection problem. Normally preference validation should
protect against that, but the API module for setting preferences doesn't
perform any validation.

Change-Id: I5c12aa9a48bf4f6ea4a8fb44554d13189e7757fb
---
 includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php b/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
index d90e8c4..bdb240e 100644
--- a/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
+++ b/includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
@@ -81,7 +81,10 @@ class ResourceLoaderUserCSSPrefsModule extends ResourceLoaderModule {
 				$rules[] = ".editsection { display: none; }\n";
 			}
 			if ( $options['editfont'] !== 'default' ) {
-				$rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+				// Double-check that $options['editfont'] consists of safe characters only
+				if ( preg_match( '/^[a-zA-Z0-9_, -]+$/', $options['editfont'] ) ) {
+					$rules[] = "textarea { font-family: {$options['editfont']}; }\n";
+				}
 			}
 			$style = implode( "\n", $rules );
 			if ( $this->getFlip( $context ) ) {
-- 
1.7.10.2.484.gcd07cc5.dirty