|
|
|
|
@ -611,14 +611,13 @@ function rcmail_print_body($part, $p = array())
|
|
|
|
|
$wash_opts['html_elements'] = array('html','head','title','body');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// allow CSS styles, will be sanitized by rcmail_washtml_callback()
|
|
|
|
|
if ($p['safe']) {
|
|
|
|
|
$wash_opts['html_elements'][] = 'style';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$washer = new washtml($wash_opts);
|
|
|
|
|
$washer->add_callback('form', 'rcmail_washtml_callback');
|
|
|
|
|
|
|
|
|
|
if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback()
|
|
|
|
|
$washer->add_callback('style', 'rcmail_washtml_callback');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$body = $washer->wash($html);
|
|
|
|
|
$REMOTE_OBJECTS = $washer->extlinks;
|
|
|
|
|
|
|
|
|
|
@ -708,10 +707,10 @@ function rcmail_washtml_callback($tagname, $attrib, $content)
|
|
|
|
|
|
|
|
|
|
case 'style':
|
|
|
|
|
// decode all escaped entities and reduce to ascii strings
|
|
|
|
|
$stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($source));
|
|
|
|
|
$stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content));
|
|
|
|
|
|
|
|
|
|
// now check for evli strings like expression, behavior or url()
|
|
|
|
|
if (!preg_match('/expression|behavior|url\(|import/', $css)) {
|
|
|
|
|
// now check for evil strings like expression, behavior or url()
|
|
|
|
|
if (!preg_match('/expression|behavior|url\(|import/', $stripped)) {
|
|
|
|
|
$out = html::tag('style', array('type' => 'text/css'), $content);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
thomascube
16 years ago