mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-08-10 16:14:08 +02:00

Protect against font family innerHTML/cssText attacks.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
Edward Z. Yang
2011-03-27 20:35:38 +01:00
parent 0dd9e4faf4
commit afb007d22f
10 changed files with 188 additions and 46 deletions

NEWS

@@ -19,6 +19,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
spaces. This constitutes a slight semantic change, which can be
reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro
and Mario Heiderich.
# Protect against cssText/innerHTML by restricting allowed characters
used in fonts further than mandated by the specification. Reported
by Neike Taika-Tessaro and Mario Heiderich.
! Added %HTML.Nofollow to add rel="nofollow" to external links.
! More types of SPL autoloaders allowed on later versions of PHP.
! Implementations for position, top, left, right, bottom, z-index
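
Review bot: The new NEWS entry (the three lines beginning "# Protect against cssText/innerHTML") does not tell a user what changes for them. It says font characters are restricted "further than mandated by the specification" but does not say which characters are still accepted, or what happens to a font-family value that was valid before and is now outside the allowed set. The entry directly above names %Output.FixInnerHTML as the way to revert its semantic change; this one should either name the equivalent directive or state that the restriction is unconditional, so that people upgrading can tell whether existing styled content will be altered. Minor wording point: "Protect against cssText/innerHTML" is missing its noun; the commit subject says "innerHTML/cssText attacks", and the NEWS line should match.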