I'm in the process of writing a tool that verifies CSS for safe markup. I put together a regular expression that extracts the URL section from CSS tags and groups parentheses and quotations. This is what I have so far:
```php
$string = ".test { background-image:url(javascript:alert(\"popup\"); javascript(alert('another!')); color:red"; // this version doesn't have quotations around the javascript area
$string = ".test { background-image:url(\"javascript:alert(\"popup\"); javascript(alert('another!')\"); color:red"; // this version has quotations around the javascript area... should work with both
if (preg_match("/url\([\"']?.*?(\)?.*?[\"'].*[\"']?.*)+\)/", $string, $matches))
    print_r($matches);
```
The result I'm looking for is:
javascript:alert("popup"); javascript(alert('another!')
right now it prints:
javascript:alert("popup"); javascript(alert('another!')" <<<<<< trailing quote
I tried moving the parenthesis inside of the last quotation check and that works for the string without the javascript in quotes, but the javascript in quotes gets cut off at the first quote it finds. Any help to get rid of that extra quote is appreciated.
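For the stated goal of verifying CSS for safe markup, an alternative to extracting whatever sits inside a malformed `url(...)` is to accept only the strict forms and reject everything else. The following is an added example, not part of the original post; the function name, the allowed schemes and the sample inputs are assumptions.

```php
<?php
// Added example: allowlist check for url() values in a CSS fragment.
// extract_safe_urls(), ALLOWED_SCHEMES and the sample inputs are assumptions.

const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Returns the URLs found in $css, or null if any url() is not in the strict
 * form url(value), url("value") or url('value') with an allowed scheme.
 */
function extract_safe_urls(string $css): ?array
{
    // Backslash escapes and comments can disguise "url(" or a scheme: refuse them.
    if (strpos($css, '\\') !== false || strpos($css, '/*') !== false) {
        return null;
    }
    // Strict form: optional matching quote, then printable ASCII only
    // (no whitespace, control bytes, quotes or parentheses), then ")".
    $strict = '/url\(\s*(["\']?)([!#-&*-~]+)\1\s*\)/i';
    $found = preg_match_all($strict, $css, $m, PREG_SET_ORDER);

    // Every "url(" must be covered by a strict match. A leftover means a
    // malformed or nested value such as url(javascript:alert("popup")...).
    if ($found !== preg_match_all('/url\s*\(/i', $css)) {
        return null;
    }
    $urls = [];
    foreach ($m as $match) {
        $url = $match[2];
        // A value that carries a scheme must use an allowed one; relative
        // values (no scheme) pass through.
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $s)
            && !in_array(strtolower($s[1]), ALLOWED_SCHEMES, true)) {
            return null;
        }
        $urls[] = $url;
    }
    return $urls;
}

// Constructed sample inputs: one well-formed rule, then the two strings
// from the question (unquoted and quoted).
var_dump(extract_safe_urls('.a { background-image:url("https://example.com/bg.png") }'));
var_dump(extract_safe_urls(".test { background-image:url(javascript:alert(\"popup\"); javascript(alert('another!')); color:red"));
var_dump(extract_safe_urls(".test { background-image:url(\"javascript:alert(\"popup\"); javascript(alert('another!')\"); color:red"));
```

Rejecting on the first value that does not parse cleanly avoids having to decide where a hostile `url(` argument ends, which is the part the regular expression in the question struggles with.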