- Adding this now even though no browser supports it so that when one does it doesn't become a way to bypass our url() filter.
- Including missing tests for all of our insecure input filters.
- Also make sure that vendor prefixed versions like -webkit-image() are caught because most browsers are probably going to go and implement a vendor prefixed version first.
Change-Id: If73aa98b8accdb7621b0e4ff0615b61d530fa547
Align should be converted to text-align for all the elements specified
in $presentationalAttribs mapping. Table however is an exception, it
applies to alignment of the block (instead of the content).
Follow up I108cbd10 / 27a4d74bd7.
Change-Id: Iee17d4ef1a6a9b46d88a330cfc9179bccfe93247
r85856 fixed a CSS injection issue but lacked testing. This
test verify we properly strip out CSS comments even when the
token delimiter '/*' is backslash-escaped : \2f\2a
Its removal in r70849 breaks ProofreadPage extension.
Restricted r82475 relaxation to just numbers.
Added tests.
This only affects wikitext (tag hooks).
MW_ATTRIBS_REGEX is only used through decodeTagAttributes() calls.
fixTagAttributes() calls decodeTagAttributes(), and would be nastier to
fix, since it is called with HTML parameters (eg. by removeHTMLtags)
but such incorrect parameters grabbed would be removed by validateTagAttributes()
