[3.1.0] Implement DenyElementDecorator for imagecrash-protection against CSS width/height

- Misc doc changes - Add missing inheritance for AttrDef_CSS decorators git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1684 48356398-32a2-884e-a903-53898d9a118a
2025-08-04 21:28:06 +02:00 · 2008-04-22 22:28:54 +00:00
parent fae720115a
commit 1ba77fedd4
12 changed files with 66 additions and 16 deletions
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
@@ -21,3 +21,17 @@ $styles = $purifier->context->get('StyleBlocks');
 foreach ($styles as $style) {
    echo '<style type="text/css">' . $style . "</style>\n";
 }]]></pre>
+<p>
+  <strong>Warning:</strong> It is possible for a user to mount an
+  imagecrash attack using this CSS. Counter-measures are difficult;
+  it is not simply enough to limit the range of CSS lengths (using
+  relative lengths with many nesting levels allows for large values
+  to be attained without actually specifying them in the stylesheet),
+  and the flexible nature of selectors makes it difficult to selectively
+  disable lengths on image tags (HTML Purifier, however, does disable
+  CSS width and height in inline styling). There are probably two effective
+  counter measures: an explicit width and height set to auto in all
+  images in your document (unlikely) or the disabling of width and
+  height (somewhat reasonable). Whether or not these measures should be
+  used is left to the reader.
+</p>