Changeset 3740 in subversion

Timestamp:

Jun 9, 2010 3:08:15 PM (3 years ago)

Author:

netbit

Message:

• Sanitize CSS universal selector from e-mails. Without this fix any message can play with the CSS from entire mail window or mail preview frame. Test case:

<style type="text/css">*{ background: #000; }</style>

File:

• trunk/roundcubemail/program/include/main.inc (modified) (2 diffs)

trunk/roundcubemail/program/include/main.inc

@@ -1 @@
-<?php
+<?php
 
 /*
@@ -844 +844 @@
     array(
       '/(^\s*<!--)|(-->\s*$)/',
-      '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
+      '/(^\s*|,\s*|\}\s*)([a-z0-9\._#\*][a-z0-9\.\-_]*)/im',
       "/$container_id\s+body/i",
     ),