From f9406bcb628deb5419c561b5b663887abf4e45e1 Mon Sep 17 00:00:00 2001
From: Christoph Burschka <christoph@burschka.de>
Date: Sun, 6 Dec 2015 01:20:58 +0100
Subject: [PATCH] Issue #2629256 regression: Can't quote CSS values.

Instead of quoting the CSS values to prevent injection,
we should just strip out the semicolon.
---
 config/install/xbbcode.tag.align.yml | 2 +-
 config/install/xbbcode.tag.color.yml | 2 +-
 config/install/xbbcode.tag.font.yml  | 2 +-
 config/install/xbbcode.tag.size.yml  | 2 +-
 templates/xbbcode-tag-list.html.twig | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/install/xbbcode.tag.align.yml b/config/install/xbbcode.tag.align.yml
index e3564bc..9c7ba01 100644
--- a/config/install/xbbcode.tag.align.yml
+++ b/config/install/xbbcode.tag.align.yml
@@ -6,4 +6,4 @@ sample: >
   [{{ name }}=left]Left,[/{{ name }}]
   [{{ name }}=right]right,[/{{ name }}]
   [{{ name }}=center]center.[/{{ name }}]
-template_code: '<p style="text-align:''{{ tag.option }}''">{{ tag.content }}</p>'
+template_code: '<p style="text-align:{{ tag.option|replace({";":""}) }}">{{ tag.content }}</p>'
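Review bot: Removing only `;` from `tag.option` is a single-character denylist, and the value now lands unquoted in the declaration, so anything else CSS accepts in a value position still passes through; the same applies to the color template and to `list-style-type` in `templates/xbbcode-tag-list.html.twig`. `text-align` has a small fixed set of keywords, so an allow-list is tighter here, e.g. `{% if tag.option matches '/^(left|right|center|justify)$/' %}` around the `style` attribute (with the quotes doubled inside this single-quoted YAML scalar). Keeping `"` out of the attribute depends on Twig autoescaping being active when `template_code` is rendered, which is not visible in this patch and is worth confirming. A short comment above `template_code` stating why the option is filtered would help the next editor of these config files.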
diff --git a/config/install/xbbcode.tag.color.yml b/config/install/xbbcode.tag.color.yml
index ae97780..eacb49a 100644
--- a/config/install/xbbcode.tag.color.yml
+++ b/config/install/xbbcode.tag.color.yml
@@ -3,4 +3,4 @@ label: Color
 name: color
 description: Sets the font color.
 sample: "[{{ name }}=red]C[/{{ name }}][{{ name }}=orange]o[/{{ name }}][{{ name }}=#080]l[/{{ name }}][{{ name }}=green]o[/{{ name }}][{{ name }}=#0000ff]r[/{{ name }}]"
-template_code: '<span style="color:''{{ tag.option }}''">{{ tag.content }}</span>'
+template_code: '<span style="color:{{ tag.option|replace({";":""}) }}">{{ tag.content }}</span>'
diff --git a/config/install/xbbcode.tag.font.yml b/config/install/xbbcode.tag.font.yml
index 87e9d59..e34371d 100644
--- a/config/install/xbbcode.tag.font.yml
+++ b/config/install/xbbcode.tag.font.yml
@@ -3,4 +3,4 @@ label: Font face
 name: font
 description: Change the font
 sample: '[{{ name }}=serif]Serif font[/{{ name }}]'
-template_code: '<span style="font-family:''{{ tag.option }}''">{{ tag.content }}</span>'
+template_code: '<span style="font-family:''{{ tag.option|replace({";":""}) }}''">{{ tag.content }}</span>'
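Review bot: The quotes around the value are kept here, so the option is emitted inside a CSS string, and stripping `;` does not cover a `'` that would end that string early; HTML escaping does not help at this layer because the browser decodes entities in the attribute before the CSS is parsed. Either drop `'` as well, `tag.option|replace({";":"", "'":""})` (written `"''"` inside this single-quoted YAML scalar), or restrict the option to a pattern of letters, digits, spaces, commas and hyphens. Quoting also turns a generic keyword such as the `serif` used in `sample` into a named family rather than the generic font, which may not be intended.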
diff --git a/config/install/xbbcode.tag.size.yml b/config/install/xbbcode.tag.size.yml
index 54b5592..86a5535 100644
--- a/config/install/xbbcode.tag.size.yml
+++ b/config/install/xbbcode.tag.size.yml
@@ -3,4 +3,4 @@ label: Font size
 name: size
 description: Sets the font size.
 sample: '[{{ name }}=0.75em]Smaller text[/{{ name }}]'
-template_code: '<span style="font-size:''{{ tag.option }}''">{{ tag.content }}</span>'
+template_code: '<span style="font-size:''{{ tag.option|replace({";":""}) }}''">{{ tag.content }}</span>'
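Review bot: `font-size` still gets a quoted value, so the sample `0.75em` renders as `font-size:'0.75em'`, which is a CSS string rather than a length and will be discarded by the browser; this looks like the regression named in the subject, left in place for this tag. The line should match the align and color templates: `template_code: '<span style="font-size:{{ tag.option|replace({";":""}) }}">{{ tag.content }}</span>'`. A size is also easy to validate by pattern (a number followed by a unit or `%`), which would be stricter than removing `;`.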
diff --git a/templates/xbbcode-tag-list.html.twig b/templates/xbbcode-tag-list.html.twig
index 7d5fb4e..45011ea 100644
--- a/templates/xbbcode-tag-list.html.twig
+++ b/templates/xbbcode-tag-list.html.twig
@@ -5,7 +5,7 @@
  */
 #}
 {% spaceless %}
-<ul{% if tag.option %} style="list-style-type:'{{ tag.option }}'"{% endif %}>
+<ul{% if tag.option %} style="list-style-type:{{ tag.option|replace({";":""}) }}"{% endif %}>
   {% for item in tag.content|split('[*]')|without('0') %}
     <li>{{ item|trim }}</li>
   {% endfor %}
-- 
1.9.1

