Fix CSS issue in handling invalid style tag content (#6410)

pull/6465/head
Aleksander Machniak 6 years ago
parent 017819df00
commit 102fbf1169

@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail
- Enigma: Fix deleting keys with authentication subkeys (#6381)
- Fix invalid regular expressions that throw warnings on PHP 7.3 (#6398)
- Fix so Classic skin splitter does not escape out of window (#6397)
- Fix CSS issue in handling invalid style tag content (#6410)
RELEASE 1.3.7
-------------

@ -1014,7 +1014,8 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
}
// decode all escaped entities and reduce to ascii strings
$stripped = preg_replace('/[^a-zA-Z\(:;]/', '', rcube_utils::xss_entity_decode($content));
$decoded = rcube_utils::xss_entity_decode($content);
$stripped = preg_replace('/[^a-zA-Z\(:;]/', '', $decoded);
// now check for evil strings like expression, behavior or url()
if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
@ -1022,7 +1023,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
$washtml->extlinks = true;
}
else {
$out = html::tag('style', array('type' => 'text/css'), $content);
$out = html::tag('style', array('type' => 'text/css'), $decoded);
}
break;
}
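Review bot: In the else branch the style element is now built from `$decoded`, but the deny-list above is matched only against `$stripped`, which has every character outside `a-zA-Z(:;` removed, so nothing visible here checks the decoded text for markup such as a `</style` sequence that entity decoding might have produced. Whether `html::tag()` or a later pass neutralises that is not shown in these hunks, so I would either confirm it or add a guard before the tag is built, e.g. `if (stripos($decoded, '</style') !== false) { break; }`. A short comment on the assignment would also help, such as `// emit the decoded text so the output is exactly the string that was checked`. The body of rcmail_washtml_callback starts and ends outside these hunks, so the surrounding case handling is assumed.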
