#! /bin/sh /usr/share/dpatch/dpatch-run
## css_url_escaping.dpatch by Francois Marier <francois@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix CSS URL innerHTML/cssText escaping bug (01246059180bd9f2946d49f4fb939852f697ce17)

@DPATCH@
--- a/htdocs/lib/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/htdocs/lib/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php
@@ -45,6 +45,15 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
         // extra sanity check; should have been done by URI
         $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
 
+        // suspicious characters are ()'; we're going to percent encode
+        // them for safety.
+        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
+
+        // there's an extra bug where ampersands lose their escaping on
+        // an innerHTML cycle, so a very unlucky query parameter could
+        // then change the meaning of the URL.  Unfortunately, there's
+        // not much we can do about that...
+
         return "url(\"$result\")";
 
     }
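Review bot: The new percent-encoding at the added `str_replace` covers `(`, `)` and `'` but not whitespace, which also terminates an unquoted `url(` token once a browser re-serializes the double-quoted form without quotes on a cssText/innerHTML cycle; if the parent URI validation can still leave a space or tab in `$result`, those characters need the same `%20`/`%09` treatment, otherwise this is worth stating explicitly. The comment above the replacement says which characters are suspicious but not why, so a maintainer may later "simplify" it away; I would expand it to `// After an innerHTML/cssText round-trip a browser may re-emit url() unquoted, so ( ) and ' become token delimiters; percent-encode them so the URL cannot be split even then.` The sequential replacement is safe as written because none of the substituted sequences contain a later needle. The enclosing `validate()` method starts outside the hunk, so the earlier URI checks that feed `$result` could not be reviewed here.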