Strip HTML tags inside CSS style definitions

7 years ago · 37cae3ecfa
parent a54dde834c
commit 37cae3ecfa
1 changed files with 1 additions and 0 deletions
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -554,6 +554,7 @@ class rcube_utils
        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
            array(self, 'xss_entity_decode_callback'), $out);
        $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+        $out = strip_tags($out);

        return $out;
    }