From a8f71a98b163648da4125dcdc95a07d2d65e45e0 Mon Sep 17 00:00:00 2001
From: SomeRandomDeveloper <thisisnotmyname275@gmail.com>
Date: Tue, 3 Jun 2025 20:16:13 +0200
Subject: [PATCH] SECURITY: Sanitize style parameter properly

Also use Html to build the iframe element, which simplifies
sanitizing other parameters.
Raise the MW requirement to 1.40 since a namespaced import
is used for the Html class.

Bug: T395949
---
 extension.json        |  2 +-
 src/GoogleDocs4MW.php | 32 ++++++++++++++++++--------------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/extension.json b/extension.json
index c31be57..df27e35 100644
--- a/extension.json
+++ b/extension.json
@@ -9,7 +9,7 @@
 	"descriptionmsg": "googledocs4mw-desc",
 	"type": "parserhook",
 	"requires": {
-		"MediaWiki": ">= 1.31.0"
+		"MediaWiki": ">= 1.40.0"
 	},
 	"MessagesDirs": {
 		"GoogleDocs4MW": [
diff --git a/src/GoogleDocs4MW.php b/src/GoogleDocs4MW.php
index 56f8dd7..72fec19 100644
--- a/src/GoogleDocs4MW.php
+++ b/src/GoogleDocs4MW.php
@@ -1,4 +1,7 @@
 <?php
+
+use MediaWiki\Html\Html;
+
 /**
  * GoogleDocs4MW parser extension - adds <googlespreadsheet> tag for displaying
  * Google Docs' spreadsheets
@@ -25,22 +28,23 @@ class GoogleDocs4MW {
 	 *
 	 * @param string $input
 	 * @param array $argv
-	 * @return $output
+	 * @return string $output
 	 */
 	public static function renderGoogleSpreadsheet( $input, $argv ) {
-		$width = isset( $argv['width'] ) ? $argv['width'] : 500;
-		$height = isset( $argv['height'] ) ? $argv['height'] : 300;
-		$style = isset( $argv['style'] ) ? $argv['style'] : 'width:100%';
-		$key = htmlspecialchars( $input, ENT_QUOTES );
-
-		$output = '<iframe class="googlespreadsheetframe" width="' .
-				intval( $width ) . '" height="' .
-				intval( $height ) . '" style="' .
-				htmlspecialchars( $style, ENT_QUOTES ) .
-				'" src="https://docs.google.com/spreadsheets/d/' . $key .
-				'/htmlembed?widget=true"></iframe>';
-
-		return $output;
+		$width = $argv['width'] ?? 500;
+		$height = $argv['height'] ?? 300;
+		$style = $argv['style'] ?? 'width:100%';
+		$style = Sanitizer::checkCss( $style );
+
+		$src = 'https://docs.google.com/spreadsheets/d/' . $input . '/htmlembed?widget=true';
+
+		return Html::element( 'iframe', [
+				'class' => 'googlespreadsheetframe',
+				'width' => intval( $width ),
+				'height' => intval( $height ),
+				'style' => $style,
+				'src' => $src,
+			] );
 	}
 
 }
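Review bot: `$input` is concatenated into the `src` URL path unencoded on the `$src =` line; `Html::element` escapes the value for the HTML attribute context, but URL-significant characters in the tag body (`/`, `?`, `#`) still reach the path, so the embed is not pinned to the `https://docs.google.com/spreadsheets/d/<key>/htmlembed` shape. Encoding that one segment closes it: `$src = 'https://docs.google.com/spreadsheets/d/' . rawurlencode( $input ) . '/htmlembed?widget=true';` — spreadsheet keys are alphanumeric with `-`/`_`, which `rawurlencode` leaves untouched, and a whitelist regex on the key would be the stricter alternative. Separately, the docblock now reads `@return string $output` although no `$output` variable remains after the rewrite; `@return string` is enough. The docblock opens above the hunk.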
-- 
2.49.0

