From bf21557873c8cedbffdaadd3dfc986226030ecf5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli
Date: Fri, 10 Mar 2017 10:44:51 +0100
Subject: [PATCH] Better fix for XSS in style tags (b59ff5ca)
---
 program/lib/Roundcube/rcube_utils.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 07b60d30c..ea2ef2906 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -496,9 +496,9 @@ class rcube_utils
 $callback = function($matches) { return chr(hexdec($matches[1])); };
 $out = html_entity_decode(html_entity_decode($content));
- $out = strip_tags($out);
 $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out);
 $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+ $out = strip_tags($out);
 return $out;
 }
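Review bot: The escape pattern on the `preg_replace_callback` line matches exactly four hex digits, but a CSS escape may be one to six hex digits followed by an optional whitespace character, so escapes of any other length pass through this normaliser undecoded. The text that the relocated `strip_tags($out)` sees, and that callers presumably inspect, can therefore differ from what a browser's CSS parser ends up with. Consider widening the pattern to `'/\\\([0-9a-f]{1,6})\s?/i'`; since `chr()` wraps its argument modulo 256, the callback would then need a code-point-aware conversion instead of `chr(hexdec($matches[1]))`. The statement order is now load-bearing, so a comment above the moved line would help, e.g. `// must run last: the decoding steps above can reassemble tags`. The enclosing function's signature lies outside the hunk, so how the return value is consumed is inferred rather than visible here.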