From 5620241165333463bd785d4548aee8cef99eca9d Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Wed, 21 May 2008 02:01:25 +0000
Subject: [PATCH] [3.1.1] Disable percent height/width attributes for img
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1756 48356398-32a2-884e-a903-53898d9a118a
---
 NEWS | 1 +
 library/HTMLPurifier/HTMLModule/Image.php | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 3af94bd3..c0f131e8 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ NEWS ( CHANGELOG and HISTORY )
 HTMLPurifier 3.1.1, unknown release date
 ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength.
+- Disable percent height/width attributes for img
 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses this class.
diff --git a/library/HTMLPurifier/HTMLModule/Image.php b/library/HTMLPurifier/HTMLModule/Image.php
index 7d2a98c3..5a7afe62 100644
--- a/library/HTMLPurifier/HTMLModule/Image.php
+++ b/library/HTMLPurifier/HTMLModule/Image.php
@@ -15,10 +15,13 @@ class HTMLPurifier_HTMLModule_Image extends HTMLPurifier_HTMLModule
 'img', 'Inline', 'Empty', 'Common', array(
 'alt*' => 'Text',
- 'height' => 'Length',
+ // According to the spec, it's Length, but percents can
+ // be abused, so we allow only Pixels. A trusted module
+ // could overload this with the real value.
+ 'height' => 'Pixels',
+ 'width' => 'Pixels',
 'longdesc' => 'URI',
 'src*' => new HTMLPurifier_AttrDef_URI(true), // embedded
- 'width' => 'Length'
 )
 );
 // kind of strange, but splitting things up would be inefficient
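Review bot: The new comment on the `height`/`width` entries says percents "can be abused" without naming the abuse, and nothing in this hunk shows that `'Pixels'` bounds the accepted value, so whether the attribute path is actually covered by the imagecrash protection the NEWS entry describes for CSS (%CSS.MaxImgLength) is not visible here. A maintainer reading only this file cannot tell which check closes the vector or why a percent is worse than an arbitrarily large pixel count. I would make the first comment line concrete, e.g. `// Percent lengths are relative to the container and cannot be capped by a pixel maximum (imagecrash), so only Pixels are accepted;` and, if `HTMLPurifier_AttrDef_HTML_Pixels` does not enforce a maximum on its own, consider giving the attribute path the same configurable cap the CSS path has. The `addElement` call these entries belong to starts before the hunk and the enclosing method continues after it.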