From 5d81c793855a4c19daf95173ec15232b5b48a210 Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Thu, 20 Feb 2025 14:54:25 +1100
Subject: [PATCH] SECURITY: Fix various IP address and user agent leaks

Bug: T386887
Change-Id: I03bec9528ee3ed05f35187458cde4e2fc4b51092
---
 includes/Tabs.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/includes/Tabs.php b/includes/Tabs.php
index 8b7cc95..b3d1bd2 100644
--- a/includes/Tabs.php
+++ b/includes/Tabs.php
@@ -203,7 +203,7 @@ class Tabs {
 		}
 		$containerStyle = '';
 		if ( isset( $attr['container'] ) ) {
-			$containerStyle = htmlspecialchars( $attr['container'] );
+			$containerStyle = htmlspecialchars( Sanitizer::checkCss( $attr['container'] ) );
 		}
 		$container = [
 			"<div$containAttrStr>$css<div class=\"tabs-container\">$label",
@@ -240,7 +240,7 @@ class Tabs {
 		$attrStr = $this->getSafeAttrs( $attr );
 		$containerStyle = '';
 		if ( isset( $attr['container'] ) ) {
-			$containerStyle = htmlspecialchars( $attr['container'] );
+			$containerStyle = htmlspecialchars( Sanitizer::checkCss( $attr['container'] ) );
 		}
 
 		// CLEARING:
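Review bot: `Sanitizer` is referenced by its short name on the changed line here, in the identical change in the hunk at old line 203, and in the attribute loop further down, yet the patch adds no `use` line. If Tabs.php declares a namespace, or the target MediaWiki release only provides the class as `MediaWiki\Parser\Sanitizer`, the call will not resolve; this is worth confirming against the file header, which is outside this diff. The sanitise-then-escape expression `htmlspecialchars( Sanitizer::checkCss( $attr['container'] ) )` is also repeated verbatim in two methods, so a small private helper would keep the two container paths from drifting apart. Where `$containerStyle` is emitted lies outside both hunks, so whether it ends up inside a quoted `style` attribute cannot be checked from here.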
@@ -367,11 +367,11 @@ class Tabs {
 		$attrStr = '';
 		foreach ( $safeAttrs as $i ) {
 			if ( isset( $attr[$i] ) ) {
-				$safe[$i] = htmlspecialchars( trim( $attr[$i] ) );
+				$safe[$i] = trim( $attr[$i] );
 				if ( $i == 'style' ) { // escape the urls, to prevent users from loading images from disallowed sites.
-					$safe[$i] = preg_replace( "/[^;]+\s*url\s*\([^\)]+\)[^;]*;?/i", "/*$0*/", $safe[$i] );
+					$safe[$i] = Sanitizer::checkCss( $safe[$i] );
 				}
-				$attrStr .= " $i=\"" . $safe[$i] . '"';
+				$attrStr .= " $i=\"" . htmlspecialchars( $safe[$i] ) . '"';
 			} else {
 				$safe[$i] = '';
 			}
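Review bot: After this change `$safe[$i]` holds the trimmed, CSS-checked but not HTML-escaped value, and escaping now happens only where `$attrStr` is built. The `else` branch still fills `$safe[$i]`, which suggests the array is read after the loop, outside this hunk; any such consumer that previously received escaped text now gets raw input and needs its own `htmlspecialchars()` at the point of output. I would add a comment above the assignment, `// $safe holds raw (unescaped) values; escape at every point of output`. The trailing comment on the `style` check should also be updated, since it still describes the removed regex ("escape the urls") rather than what `Sanitizer::checkCss()` does.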
@@ -401,6 +401,12 @@ class Tabs {
 	 * @return bool
 	 */
 	public function createDynamicCss( &$parser ) {
+		// XXX: Sanitize this better?
+		$bgcolor = wfMessage( 'tabs-dropdown-bgcolor' )->text();
+		if ( preg_match( '|[^a-z\d\s\(\)/\.,%\-#]|i', $bgcolor ) !== false ) {
+			$bgcolor = 'white /* Malicious data in tabs-dropdown-bgcolor */';
+		}
+
 		$css = '';
 		$class = [ '', '.tabs-inline', '.tabs-block' ];
 		$style = [ 'inline-block', 'inline', 'block' ];
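Review bot: The new guard tests `preg_match( … ) !== false`, but preg_match returns 0 for no match, 1 for a match and false only on error. The condition is therefore true for every well-formed value and `$bgcolor` is always replaced by the fallback, while a PCRE failure is the one case where the unvalidated message text would be kept. Comparing with zero gives the intended behaviour and fails closed on error: `if ( preg_match( '|[^a-z\d\s\(\)/\.,%\-#]|i', $bgcolor ) !== 0 ) {`. The allow-list also admits parentheses, slashes and dots, which is more than a colour value needs; the XXX comment could be resolved by additionally passing the value through `Sanitizer::checkCss()`, as the other hunks do. createDynamicCss continues beyond this hunk.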
@@ -417,7 +423,7 @@ class Tabs {
 				'.tabs-dropdown li,' .
 				'.tabs-dropdown ul,' .
 				'.tabs-dropdown ol {' .
-					'background-color: ' . wfMessage( 'tabs-dropdown-bgcolor' ) .
+					'background-color: ' . $bgcolor .
 				'}';
 		return "<style type=\"text/css\" id=\"tabs-dynamic-styles\">/*<![CDATA[*/\n/* Dynamically generated tabs styles */\n$css\n/*]]>*/</style>";
 	}
-- 
2.48.1

