Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)

CHANGELOG

@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
+
 RELEASE 1.2.5
 -------------
 - Fix re-positioning of the fixed header of messages list in Chrome when using minimal mode toggle and About dialog (#5711)

program/lib/Roundcube/rcube_utils.php

@@ -499,6 +499,7 @@ class rcube_utils
     public static function xss_entity_decode($content)
     {
         $out = html_entity_decode(html_entity_decode($content));
+        $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
         $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
             array(self, 'xss_entity_decode_callback'), $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);

tests/Framework/Utils.php

@@ -220,6 +220,19 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
     }
 
+    function test_xss_entity_decode()
+    {
+        $mod = rcube_utils::xss_entity_decode("&lt;img/src=x onerror=alert(1)// </b>");
+        $this->assertNotContains('<img', $mod, "Strip (encoded) tags from style node");
+
+        $mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
+        $this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
+
+        // #5747
+        $mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
+        $this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
+    }
+
     /**
      * Check rcube_utils::explode_quoted_string()
      */