authorBrion Vibber <brion@users.mediawiki.org>2005-11-03 02:20:03 +0000
committerBrion Vibber <brion@users.mediawiki.org>2005-11-03 02:20:03 +0000
commit062aa9951dda243f931bb04b9efb34b0363ffdc8 (patch)
treef7dca6c6a4523e538ac89b27276779d900694402
parente5c6aee16a9ccbdcb5a7e4aba0614103e83a8b40 (diff)
Toss in the CSS/XSS/MSIE fix from 1.5.1 while we're here. (Somewhat modified.)1.3.18
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/11630
-rw-r--r--RELEASE-NOTES8
-rw-r--r--includes/Parser.php4
2 files changed, 10 insertions, 2 deletions
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 0f08218bf3f0..f9e5b812c86c 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -7,12 +7,18 @@ setting since version 1.2.0. If you have it on, turn it *off* if you can.
(released 2005-11-02)
-MediaWiki 1.3.18 is a maintenance release.
+MediaWiki 1.3.18 is a bugfix and security maintenance release.
A change in PHP 4.4.1 broke handling of extension and <pre> sections,
causing garbage data to be inserted in output and saved edits. This
version works around the change.
+This release includes further corrections to the inline CSS style sanitation
+which works around a JavaScript "feature" on Microsoft Internet Explorer.
+Users of Microsoft Internet Explorer for Windows may be vulnerable to
+XSS injections on prior 1.3 releases; users of standards-compliant browsers
+are not vulnerable.
+
== MediaWiki 1.3.17 ==
diff --git a/includes/Parser.php b/includes/Parser.php
index 6dfccb6a2b55..58666b869d74 100644
--- a/includes/Parser.php
+++ b/includes/Parser.php
@@ -622,7 +622,9 @@ cl_sortkey" ;
if( preg_match( '/style\\s*=/is', $t ) ) {
// Remove any comments; IE gets token splitting wrong
- $t = preg_replace( '!/\\*.*?\\*/!S', ' ', $t );
+ $star = '(?:\*|&#0*42;|&#x0*2a;)';
+ $slash = '(?:/|&#0*47;|&#x0*2f;)';
+ $t = preg_replace( "!$slash$star.*?$star$slash!iS", ' ', $t );
$stripped = wfMungeToUtf8( $t );
$stripped = preg_replace( '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!e',
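Review bot: The new comment-stripping pattern on the `preg_replace` line still uses `.*?` without the `s` modifier, so a CSS comment containing a line break is not removed, even though the `style\s*=` test just above uses `/is`; the fix is one flag, `"!$slash$star.*?$star$slash!isS"`. `$star` and `$slash` also enumerate only the literal character and the decimal and hex references written with a terminating semicolon, which is a denylist of spellings; if the browsers being worked around accept any other spelling (a reference without the semicolon, for instance), such a comment would survive into the later checks. A sturdier ordering would be to strip comments a second time on `$stripped`, after `wfMungeToUtf8` and the escape handling have run (assuming those normalise the references), so the match is made on one canonical form rather than on every encoding. I would also add a comment above the two variables, e.g. `// Match * and / literally and as numeric character references: this runs on $t before wfMungeToUtf8()`. The enclosing function starts and ends outside this hunk.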