Changeset 5586 in subversion


Ignore:
Timestamp:
Dec 9, 2011 4:13:54 PM (18 months ago)
Author:
thomasb
Message:

Allow clean background:url(...) styles in safe mode. This will make Roundcube pass the Email Standards Acid Test

Location:
trunk/roundcubemail/program
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/roundcubemail/program/include/main.inc

    r5562 r5586  
    884884 * @return string Modified CSS source 
    885885 */ 
    886 function rcmail_mod_css_styles($source, $container_id) 
     886function rcmail_mod_css_styles($source, $container_id, $allow_remote=false) 
    887887  { 
    888888  $last_pos = 0; 
     
    890890 
    891891  // ignore the whole block if evil styles are detected 
    892   $stripped = preg_replace('/[^a-z\(:;]/', '', rcmail_xss_entity_decode($source)); 
    893   if (preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) 
     892  $source = rcmail_xss_entity_decode($source); 
     893  $stripped = preg_replace('/[^a-z\(:;]/i', '', $source); 
     894  $evilexpr = 'expression|behavior' . (!$allow_remote ? '|url\(|import[^a]' : ''); 
     895  if (preg_match("/$evilexpr/i", $stripped) // don't accept No-Gos 
     896      || (strpos($stripped, 'url(') && !preg_match('!url\s*\([ "\'](https?:)//[a-z0-9/._+-]+["\' ]\)!Ui', $source))) // only allow clean urls 
    894897    return '/* evil! */'; 
    895  
    896   // remove css comments (sometimes used for some ugly hacks) 
    897   $source = preg_replace('!/\*(.+)\*/!Ums', '', $source); 
    898898 
    899899  // cut out all contents between { and } 
     
    938938  $out = html_entity_decode(html_entity_decode($content)); 
    939939  $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', 'rcmail_xss_entity_decode_callback', $out); 
    940   $out = preg_replace('#/\*.*\*/#Um', '', $out); 
     940  $out = preg_replace('#/\*.*\*/#Ums', '', $out); 
    941941  return $out; 
    942942} 

  • trunk/roundcubemail/program/lib/washtml.php

    r5511 r5586  
    244244        $tagName = strtolower($node->tagName); 
    245245        if ($callback = $this->handlers[$tagName]) { 
    246           $dump .= call_user_func($callback, $tagName, $this->wash_attribs($node), $this->dumpHtml($node)); 
     246          $dump .= call_user_func($callback, $tagName, $this->wash_attribs($node), $this->dumpHtml($node), $this); 
    247247        } 
    248248        else if (isset($this->_html_elements[$tagName])) { 
     
    302302  } 
    303303 
     304  /** 
     305   * Getter for config parameters 
     306   */ 
     307  public function get_config($prop) 
     308  { 
     309      return $this->config[$prop]; 
     310  } 
     311 
    304312} 
    305313 

  • trunk/roundcubemail/program/steps/mail/func.inc

    r5563 r5586  
    823823 * Callback function for washtml cleaning class 
    824824 */ 
    825 function rcmail_washtml_callback($tagname, $attrib, $content) 
     825function rcmail_washtml_callback($tagname, $attrib, $content, $washtml) 
    826826{ 
    827827  switch ($tagname) { 
     
    835835 
    836836      // now check for evil strings like expression, behavior or url() 
    837       if (!preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) { 
    838         $out = html::tag('style', array('type' => 'text/css'), $content); 
     837      if (!preg_match('/expression|behavior/i', $stripped)) { 
     838        if (!$washtml->get_config('allow_remote') && preg_match('/url\(|import[^a]/i', $stripped)) 
     839          $washtml->extlinks = true; 
     840        else 
     841          $out = html::tag('style', array('type' => 'text/css'), $content); 
    839842        break; 
    840843      } 
     
    10221025 
    10231026        if ($part->ctype_secondary == 'html') { 
    1024           $body = rcmail_html4inline($body, $attrib['id'], 'rcmBody', $attrs); 
     1027          $body = rcmail_html4inline($body, $attrib['id'], 'rcmBody', $attrs, $safe_mode); 
    10251028          $div_attr = array('class' => 'message-htmlpart'); 
    10261029          $style = array(); 
     
    11051108 * modify a HTML message that it can be displayed inside a HTML page 
    11061109 */ 
    1107 function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null) 
     1110function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null, $allow_remote=false) 
    11081111{ 
    11091112  $last_style_pos = 0; 
     
    11171120    // replace all css definitions with #container [def] 
    11181121    $styles = rcmail_mod_css_styles( 
    1119       substr($body, $pos, $pos2-$pos), $cont_id); 
     1122      substr($body, $pos, $pos2-$pos), $cont_id, $allow_remote); 
    11201123 
    11211124    $body = substr_replace($body, $styles, $pos, $pos2-$pos); 
Note: See TracChangeset for help on using the changeset viewer.