Changeset 1773 in subversion


Timestamp:
Sep 12, 2008 11:14:34 AM (5 years ago)
Author:
thomasb
Message:

Allow (sanitized) style elements in HTML messages

Location:
trunk/roundcubemail/program
Files:
2 edited

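--- a/trunk/roundcubemail/program/include/main.inc
+++ b/trunk/roundcubemail/program/include/main.inc
@@ -598,5 +598,6 @@
 
   // ignore the whole block if evil styles are detected
-  if (stristr($source, 'expression') || stristr($source, 'behavior'))
+  $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source));
+  if (preg_match('/expression|behavior|url\(|import/', $stripped))
     return '';
 
@@ -631,4 +632,20 @@
   return $styles;
   }
+
+
+/**
+ * Decode escaped entities used by known XSS exploits.
+ * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples
+ *
+ * @param string CSS content to decode
+ * @return string Decoded string
+ */
+function rcmail_xss_entitiy_decode($content)
+{
+  $out = html_entity_decode(html_entity_decode($content));
+  $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out);
+  $out = preg_replace('#/\*.+\*/#Um', '', $out);
+  return $out;
+}
 
 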
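Review bot: The new detection at the top of the first hunk is case-sensitive, whereas the stristr() calls it replaces were not: the `[^a-z\(:]` class discards uppercase letters before the keyword match runs, and the `expression|behavior|url\(|import` pattern carries no `i` flag, so only all-lowercase spellings are rejected. Keeping the previous case-insensitive behaviour needs `$stripped = preg_replace('/[^a-z\(:]/i', '', rcmail_xss_entitiy_decode($source));` and `if (preg_match('/expression|behavior|url\(|import/i', $stripped))`. The same case-sensitive pattern is used in the `case 'style':` branch of func.inc in this changeset and should be fixed there too. In the second hunk, the `e` modifier on preg_replace() evaluates the replacement string as PHP code; the capture is restricted to `[a-z0-9]{2}` so nothing attacker-controlled reaches eval here, but a named callback via preg_replace_callback() expresses the same hex decode without an evaluated string. The function containing the first hunk starts and ends outside the hunk, so where `$source` is validated before this check cannot be seen here.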
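--- a/trunk/roundcubemail/program/steps/mail/func.inc
+++ b/trunk/roundcubemail/program/steps/mail/func.inc
@@ -603,13 +603,12 @@
     }
     
-    /* CSS styles need to be sanitized!
+    // allow CSS styles, will be sanitized by rcmail_washtml_callback()
     if ($p['safe']) {
       $wash_opts['html_elements'][] = 'style';
-      $wash_opts['html_attribs'] = array('type');
-    }
-    */
+    }
     
     $washer = new washtml($wash_opts);
     $washer->add_callback('form', 'rcmail_washtml_callback');
+    $washer->add_callback('style', 'rcmail_washtml_callback');
     $body = $washer->wash($html);
     $REMOTE_OBJECTS = $washer->extlinks;
@@ -699,4 +698,14 @@
       break;
       
+    case 'style':
+      // decode all escaped entities and reduce to ascii strings
+      $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($source));
+      
+      // now check for evli strings like expression, behavior or url()
+      if (!preg_match('/expression|behavior|url\(|import/', $css)) {
+        $out = html::tag('style', array('type' => 'text/css'), $content);
+        break;
+      }
+    
     default:
       $out = '';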
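Review bot: In the `case 'style':` branch the reduced string is stored in `$stripped`, but the guard on the following `if` tests `$css`, which is not assigned anywhere in the hunk; unless it is set earlier in rcmail_washtml_callback (whose start lies outside the hunk), preg_match() sees an undefined variable, the keyword check never matches, and every style block is emitted untouched through html::tag(). The guard should read `if (!preg_match('/expression|behavior|url\(|import/i', $stripped)) {`, where the added `i` flag also keeps the check consistent with the `a-zA-Z` class used on the line above, which deliberately preserves uppercase letters. The comment above the guard misspells its subject; `// now check for evil strings like expression, behavior or url()` would be clearer.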