Better fix for XSS in style tags (b59ff5ca)

8 years ago · bf21557873
parent 05aae4711c
commit bf21557873
1 changed files with 1 additions and 1 deletions
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -496,9 +496,9 @@ class rcube_utils
        $callback = function($matches) { return chr(hexdec($matches[1])); };

        $out = html_entity_decode(html_entity_decode($content));
-        $out = strip_tags($out);
        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out);
        $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+        $out = strip_tags($out);

        return $out;
    }