From 0a0ac045fe30b5f07d24e62581b37adc8a7ac4c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 27 Sep 2018 16:00:54 +0200 Subject: [PATCH] Fix bug where valid content between HTML comments could have been skipped in some cases (#6464) --- CHANGELOG | 1 + program/lib/Roundcube/rcube_washtml.php | 11 ++++++++++- tests/Framework/Washtml.php | 5 +++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 74fd70c5a..16fd00aaf 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -21,6 +21,7 @@ CHANGELOG Roundcube Webmail - Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422) - New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419) - Fix support for "allow-from " in "x_frame_options" config option (#6449) +- Fix bug where valid content between HTML comments could have been skipped in some cases (#6464) RELEASE 1.4-beta ---------------- diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 8837a917f..497a1c3e4 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -643,6 +643,9 @@ class rcube_washtml $html = str_replace($badwordchars, $fixedwordchars, $html); + // FIXME: HTML comments handling could be better. The code below can break comments (#6464), + // we should probably do not modify content inside comments at all. + // fix (unknown/malformed) HTML tags before "wash" $html = preg_replace_callback('/(<(?!\!)[\/]*)([^\s>]+)([^>]*)/', array($this, 'html_tag_callback'), $html); 
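Review bot: The new FIXME does not say why the code below breaks comments, and its second line is ungrammatical ("we should probably do not modify"). The pattern passed to `preg_replace_callback` excludes only `<!` openers, so a `<` inside a comment body is still handed to `html_tag_callback`; saying so tells the next maintainer of this sanitizer what the limitation is. Suggested wording: `// FIXME: the tag fix-up below also matches "<" inside HTML comments and can corrupt them (#6464);` followed by `// content inside comments should not be modified at all.` The enclosing method starts and ends outside the hunk.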
@@ -665,9 +668,15 @@ class rcube_washtml */ public static function html_tag_callback($matches) { + // It might be an ending of a comment, ignore (#6464) + if (substr($matches[3], -2) == '--') { + $matches[0] = ''; + return implode('', $matches); + } + $tagname = $matches[2]; $tagname = preg_replace(array( - '/:.*$/', // Microsoft's Smart Tags + '/:.*$/', // Microsoft's Smart Tags '/[^a-z0-9_\[\]\!?-]/i', // forbidden characters ), '', $tagname); diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 9879575a8..eebd80de5 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -98,6 +98,11 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals('
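Review bot: The `--` suffix test at the top of `html_tag_callback` cannot tell a comment terminator from an ordinary tag whose text before `>` happens to end in `--`, so such a tag now skips the tag-name cleanup that follows. Whether the later wash pass still handles that tag correctly cannot be confirmed from this hunk, so the early return should carry a comment stating the assumption, e.g. `// returned unchanged: tag-name cleanup below is skipped, the later wash pass must handle it`. With the three-group pattern shown in the previous hunk, clearing index 0 and imploding the rest rebuilds the original match, so the branch can simply be `return $matches[0];`, and the comparison reads better as `substr($matches[3], -2) === '--'`. The function body continues outside the hunk.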

para1

para2

', $washed, "HTML comments - bracket inside"); + + $html = "

\n2\n4

"; + $washed = $this->cleanupResult($washer->wash($html)); + + $this->assertEquals("

\n2\n4

", $washed, "HTML comments (#6464)"); } /**
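Review bot: The added assertion pins only the reported input, content sitting between two comments. Nothing here pins what `wash()` returns for an element outside any comment whose text before `>` ends in `--`, which is the other kind of input that takes the new early return in `html_tag_callback`. A second assertion for that shape, with whatever output the maintainers consider correct, would show if the comment heuristic starts letting real tags through unprocessed. The test method starts outside the hunk, and the HTML literals appear to have been stripped from this page, so the exact fixture cannot be checked here.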