Changeset 2802 in subversion

Timestamp:

Jul 28, 2009 4:41:50 AM (4 years ago)

Author:

alec

Message:

• Fix displaying of HTML messages with unknown/malformed tags (#1486003)
• Some other changes for styled HTML display

Location:

trunk/roundcubemail

Files:

• CHANGELOG (modified) (1 diff)
• program/lib/washtml.php (modified) (3 diffs)
• program/steps/mail/func.inc (modified) (6 diffs)

trunk/roundcubemail/CHANGELOG

@@ -2 +2 @@
 ===========================
 
+- Fix displaying of HTML messages with unknown/malformed tags (#1486003)
+
+RELEASE 0.3-RC1
+---------------
 - Fix import of vCard entries with params (#1485453)
 - Fix HTML messages output with empty block elements (#1485974)

trunk/roundcubemail/program/lib/washtml.php

@@ -70 +70 @@
  *  - Dont alter data on a GET: '<img src="http://yourhost/mail?action=delete&uid=3267" />'
  *  - ...
+ *
+ * Roundcube Changes:
+ * - added $block_elements
+ * - changed $ignore_elements behaviour
  */
 
@@ -77 +81 @@
   static $html_elements = array('a', 'abbr', 'acronym', 'address', 'area', 'b', 'basefont', 'bdo', 'big', 'blockquote', 'br', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'fieldset', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q', 's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img');
   
-  /* Ignore these HTML tags but process their content */
-  static $ignore_elements = array('html', 'head', 'body');
+  /* Ignore these HTML tags and their content */
+  static $ignore_elements = array('script', 'applet', 'embed', 'object', 'style');
   
   /* Allowed HTML attributes */
@@ -210 +214 @@
           $content = $this->dumpHtml($node);
           $dump .= '<' . $tagName . $this->wash_attribs($node) .
-//            ($content?">$content</$tagName>":' />');
-// Roundcube Trac: #1485974
             ($content || isset($this->_block_elements[$tagName]) ? ">$content</$tagName>" : ' />');
         } else if(isset($this->_ignore_elements[$tagName])) {
+          $dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' not allowed -->';
+        } else {
           $dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' ignored -->';
-          $dump .= $this->dumpHtml($node); //Just ignored
-        } else
-          $dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' not allowed -->';
+          $dump .= $this->dumpHtml($node); // ignore tags not its content
+        }
         break;
       case XML_CDATA_SECTION_NODE:

trunk/roundcubemail/program/steps/mail/func.inc

@@ -429 +429 @@
         $action = $mbox==$CONFIG['drafts_mbox'] ? 'compose' : 'show';
         $uid_param = $mbox==$CONFIG['drafts_mbox'] ? '_draft_uid' : '_uid';
-        $cont = abbreviate_string(trim($IMAP->decode_header($header->$col)), 160);
+        $cont = trim($IMAP->decode_header($header->$col));
+        if ($browser->ie)
+          $cont = rc_utf8_clean($cont);
+        $cont = abbreviate_string($cont, 160);
         if (!$cont) $cont = rcube_label('nosubject');
         $cont = $browser->ie ? Q($cont) : sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), Q($cont));
@@ -669 +672 @@
   
   $p += array('safe' => false, 'inline_html' => true);
-  
+
   // special replacements (not properly handled by washtml class)
   $html_search = array(
     '/(<\/nobr>)(\s+)(<nobr>)/i',       // space(s) between <NOBR>
-    '/(<[\/]*st1:[^>]+>)/i',            // Microsoft's Smart Tags <ST1>
-    '/<\/?rte_text>/i',                 // Rich Text Editor tags (#1485647)
-    '/<\/?broadcast[^>]*>/i',           // invoices from the Apple Store contains <broadcast> tags (#1485962)
     '/<title>.*<\/title>/i',            // PHP bug #32547 workaround: remove title tag
-    '/<html[^>]*>/im',                  // malformed html: remove html tags (#1485139)
-    '/<\/html>/i',                      // malformed html: remove html tags (#1485139)
     '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',    // byte-order mark (only outlook?)
   );
@@ -685 +683 @@
     '',
     '',
-    '',
-    '',
-    '',
-    '',
-    '',
   );
   $html = preg_replace($html_search, $html_replace, $html);
+
+  // fix (unknown/malformed) HTML tags before "wash"
+  $html = preg_replace_callback('/(<[\/!]*)([^ >]+)/', 'rcmail_html_tag_callback', $html);
 
   // charset was converted to UTF-8 in rcube_imap::get_message_part() -> change charset specification in HTML accordingly
@@ -697 +693 @@
   if (preg_match($charset_pattern, $html)) {
     $html = preg_replace($charset_pattern, '\\1='.RCMAIL_CHARSET, $html);
-  }
-  else {
+  } else {
     // add head for malformed messages, washtml cannot work without that
     if (!preg_match('/<head[^>]*>(.*)<\/head>/Uims', $html))
@@ -729 +724 @@
   $washer->add_callback('form', 'rcmail_washtml_callback');
 
-  if ($p['safe']) {  // allow CSS styles, will be sanitized by rcmail_washtml_callback()
-    $washer->add_callback('style', 'rcmail_washtml_callback');
-  }
+  // allow CSS styles, will be sanitized by rcmail_washtml_callback()
+  $washer->add_callback('style', 'rcmail_washtml_callback');
     
   $html = $washer->wash($html);
@@ -884 +878 @@
 
 /**
+ * Callback function for HTML tags fixing
+ */
+function rcmail_html_tag_callback($matches)
+{
+  $tagname = $matches[2];
+
+  $tagname = preg_replace(array(
+    '/:.*$/',           // Microsoft's Smart Tags <st1:xxxx>
+    '/[^a-z0-9_-]/i',   // forbidden characters
+    ), '', $tagname);
+
+  return $matches[1].$tagname;
+}
+
+
+/**
  * return table with message headers
  */