MDL-79759 repository_url: Limit css imports and remove fragments

There are checks to urls that attempt to limit recurrsion when
parse_file is called. This is problematic for css import urls that
can call an indefinite amount of nested import urls. An import limit
has been introduced to address this. Fragments have also been removed.

repository/url/lib.php

@@ -38,6 +38,10 @@ require_once(__DIR__.'/locallib.php');
 class repository_url extends repository {
     /** @var int Maximum time of recursion. */
     const MAX_RECURSION_TIME = 5;
+    /** @var int Maximum number of CSS imports. */
+    protected const MAX_CSS_IMPORTS = 10;
+    /** @var int CSS import counter. */
+    protected int $cssimportcounter = 0;
     var $processedfiles = array();
     /** @var int Recursion counter. */
     var $recursioncounter = 0;
@@ -134,8 +138,8 @@ EOD;
             // Avoid endless recursion for the same URL with same parameters.
             return;
         }
-        // Remove the query string before check.
-        $recursioncheckurl = preg_replace('/\?.*/', '', $url);
+        // Remove the query string and anchors before check.
+        $recursioncheckurl = (new moodle_url($url))->out_omit_querystring();
         if (in_array($recursioncheckurl, $this->processedfiles)) {
             $this->recursioncounter++;
         }
@@ -200,6 +204,11 @@ EOD;
                 }
                 if (!empty($urls['import'])) {
                     foreach ($urls['import'] as $cssurl) {
+                        // Limit the number of CSS imports to avoid infinite imports.
+                        if ($this->cssimportcounter >= self::MAX_CSS_IMPORTS) {
+                            return;
+                        }
+                        $this->cssimportcounter++;
                         $this->parse_file($info['url'], $cssurl, $list);
                     }
                 }