From 41b20cac3fb03f74ee04829e9dde32b8a0186c2b Mon Sep 17 00:00:00 2001
From: gorhill
Date: Mon, 18 Jul 2016 15:43:03 -0400
Subject: [PATCH] prevent use of `url()` in injected styles
---
 src/js/cosmetic-filtering.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/js/cosmetic-filtering.js b/src/js/cosmetic-filtering.js
index a9004137b..16995dda6 100644
--- a/src/js/cosmetic-filtering.js
+++ b/src/js/cosmetic-filtering.js
@@ -755,8 +755,9 @@ FilterContainer.prototype.isValidSelector = (function() {
 }
 var reHasSelector = /^(.+?):has\((.+?)\)$/;
- var reStyleSelector = /^(.+?):style\((.+?)\)$/;
 var reXpathSelector = /^:xpath\((.+?)\)$/;
+ var reStyleSelector = /^(.+?):style\((.+?)\)$/;
+ var reStyleBad = /url\([^)]+\)/;
 // Keep in mind: https://github.com/gorhill/uBlock/issues/693
 var isValidCSSSelector = function(s) {
@@ -793,7 +794,7 @@ FilterContainer.prototype.isValidSelector = (function() {
 // `:style` selector?
 matches = reStyleSelector.exec(s);
 if ( matches !== null ) {
- return isValidCSSSelector(matches[1]);
+ return isValidCSSSelector(matches[1]) && reStyleBad.test(matches[2]) === false;
 }
 // Special `script:` filter?
 if ( s.startsWith('script') ) {
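Review bot: The new `reStyleBad` pattern in the first hunk is narrower than the stated goal of keeping `url()` out of injected styles. It is case-sensitive although CSS function names are matched case-insensitively, and it needs a non-empty argument plus a closing parenthesis inside the captured declaration text, whereas `reStyleSelector` already consumes the final `)` of the filter. Matching the opening token alone is the safer deny rule: `var reStyleBad = /url\(/i;`. CSS backslash escapes in the declaration text would also get past a literal match, so it is worth considering whether a `\` should be rejected there as well. The check in the second hunk inherits the same gap, and the enclosing function starts and ends outside both hunks.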
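Review bot: The `:style` branch in the second hunk now screens `matches[2]` without any comment saying why, so a later edit could relax it without noticing it is a security control. A one-line comment above the return would record the intent, for example `// Filter lists are third-party input: refuse declarations which could make the page fetch a remote resource.`; that wording is inferred from the commit subject and should be adjusted to the actual threat model. As a point of style, `!reStyleBad.test(matches[2])` reads more directly than comparing the result with `false`.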