Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)

pull/7135/head
Aleksander Machniak 5 years ago
parent 545ea62dfc
commit cf90c69ad7

@ -27,6 +27,7 @@ CHANGELOG Roundcube Webmail
- Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080) - Fix bug where 'skins_allowed' option didn't enforce user skin preference (#7080)
- Fix so contact's organization field accepts up to 128 characters (it was 50) - Fix so contact's organization field accepts up to 128 characters (it was 50)
- Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093) - Fix bug where listing tables in PostgreSQL database with db_prefix didn't work (#7093)
- Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)
RELEASE 1.4.1 RELEASE 1.4.1
------------- -------------

@ -155,6 +155,11 @@ class rcube_washtml
'maligngroup', 'none', 'mprescripts', 'maligngroup', 'none', 'mprescripts',
); );
/**
* @var array Additional allowed attributes of body element
*/
static $body_attribs = array('alink', 'background', 'bgcolor', 'link', 'text', 'vlink');
/** @var bool State indicating existence of linked objects in HTML */ /** @var bool State indicating existence of linked objects in HTML */
public $extlinks = false; public $extlinks = false;
@ -295,6 +300,11 @@ class rcube_washtml
{ {
$result = ''; $result = '';
$washed = array(); $washed = array();
$additional_attribs = array();
if ($node->nodeName == 'body') {
$additional_attribs = self::$body_attribs;
}
foreach ($node->attributes as $name => $attr) { foreach ($node->attributes as $name => $attr) {
$key = strtolower($name); $key = strtolower($name);
@ -304,7 +314,7 @@ class rcube_washtml
// replace double quotes to prevent syntax error and XSS issues (#1490227) // replace double quotes to prevent syntax error and XSS issues (#1490227)
$result .= ' style="' . str_replace('"', '"', $style) . '"'; $result .= ' style="' . str_replace('"', '"', $style) . '"';
} }
else if (isset($this->_html_attribs[$key])) { else if (isset($this->_html_attribs[$key]) || in_array($key, $additional_attribs)) {
$value = trim($value); $value = trim($value);
$out = null; $out = null;
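Review bot: `background` in the new `$body_attribs` list is a URL-carrying attribute, and the widened condition `isset($this->_html_attribs[$key]) || in_array($key, $additional_attribs)` admits it on `<body>` if it was not already allowed. The value handling after `$out = null;` is outside this hunk, so it cannot be confirmed here that a body `background` gets the same URI washing and remote-resource blocking as other image attributes. The added test in `test_style_body_attrs` only uses the fragment value `#test`; I would add a case with an absolute URL in `background` on body and assert that the washer's remote-content policy is applied. Smaller points: pass the strict flag, `in_array($key, $additional_attribs, true)`, and give `$body_attribs` an explicit visibility like the `public $extlinks` property below it.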

@ -1127,6 +1127,12 @@ function rcmail_html4inline($body, &$args)
$attrs = preg_replace('/\s?bgcolor=["\']*[a-z0-9#]+["\']*/i', '', $attrs); $attrs = preg_replace('/\s?bgcolor=["\']*[a-z0-9#]+["\']*/i', '', $attrs);
} }
// Get text color, we'll set it as font color of the message container
if ($m[1] && preg_match('/text=["\']*([a-z0-9#]+)["\']*/i', $attrs, $mb)) {
$style['color'] = $mb[1];
$attrs = preg_replace('/\s?text=["\']*[a-z0-9#]+["\']*/i', '', $attrs);
}
// Get background, we'll set it as background-image of the message container // Get background, we'll set it as background-image of the message container
if ($m[1] && preg_match('/background=["\']*([^"\'>\s]+)["\']*/', $attrs, $mb)) { if ($m[1] && preg_match('/background=["\']*([^"\'>\s]+)["\']*/', $attrs, $mb)) {
$style['background-image'] = 'url('.$mb[1].')'; $style['background-image'] = 'url('.$mb[1].')';
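Review bot: The two new `text=` patterns are not anchored to the start of an attribute name, so they also match the tail of a longer name (anything ending in `text=`) and can match inside another attribute's value. That would set a wrong `color` and cut characters out of the unrelated attribute when `$attrs` is rewritten. The capture is limited to `[a-z0-9#]+`, which keeps the value from breaking out of the `color` declaration, so this looks like a correctness issue rather than an injection one. A lookbehind in both calls narrows it, e.g. `preg_match('/(?<![\w-])text=["\']*([a-z0-9#]+)["\']*/i', $attrs, $mb)`, though ruling out matches inside quoted values entirely would need real attribute parsing. The existing `bgcolor` pattern above has the same shape, and the function body continues outside the hunk.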

@ -212,6 +212,26 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
$this->assertRegExp('|style="font-family: 新細明體; color: red"|', $washed, "Unicode chars in style attribute (#1489697)"); $this->assertRegExp('|style="font-family: 新細明體; color: red"|', $washed, "Unicode chars in style attribute (#1489697)");
} }
/**
* Test deprecated body attributes (#7109)
*/
function test_style_body_attrs()
{
$html = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
<body bgcolor=\"#fff\" text=\"#000\" background=\"#test\" link=\"#111\" alink=\"#222\" vlink=\"#333\">
</body></html>";
$washer = new rcube_washtml(array('html_elements' => array('body')));
$washed = $washer->wash($html);
$this->assertRegExp('|bgcolor="#fff"|', $washed, "Body bgcolor attribute");
$this->assertRegExp('|text="#000"|', $washed, "Body text attribute");
$this->assertRegExp('|background="#test"|', $washed, "Body background attribute");
$this->assertRegExp('|link="#111"|', $washed, "Body link attribute");
$this->assertRegExp('|alink="#222"|', $washed, "Body alink attribute");
$this->assertRegExp('|vlink="#333"|', $washed, "Body vlink attribute");
}
/** /**
* Test style item fixes * Test style item fixes
*/ */

@ -50,7 +50,6 @@ class MailFunc extends PHPUnit_Framework_TestCase
$this->assertRegExp('#background="program/resources/blocked.gif"#', $html, "Replace external background image"); $this->assertRegExp('#background="program/resources/blocked.gif"#', $html, "Replace external background image");
$this->assertNotRegExp('/ex3.jpg/', $html, "No references to external images"); $this->assertNotRegExp('/ex3.jpg/', $html, "No references to external images");
$this->assertNotRegExp('/<meta [^>]+>/', $html, "No meta tags allowed"); $this->assertNotRegExp('/<meta [^>]+>/', $html, "No meta tags allowed");
//$this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
$this->assertNotRegExp('/<form [^>]+>/', $html, "No form tags allowed"); $this->assertNotRegExp('/<form [^>]+>/', $html, "No form tags allowed");
$this->assertRegExp('/Subscription form/', $html, "Include <form> contents"); $this->assertRegExp('/Subscription form/', $html, "Include <form> contents");
$this->assertRegExp('/<!-- link ignored -->/', $html, "No external links allowed"); $this->assertRegExp('/<!-- link ignored -->/', $html, "No external links allowed");
@ -119,13 +118,15 @@ class MailFunc extends PHPUnit_Framework_TestCase
*/ */
function test_html4inline_body_style() function test_html4inline_body_style()
{ {
$html = '<body background="test" bgcolor="#fff" style="font-size:11px"><p>test</p></body>'; $html = '<body background="test" bgcolor="#fff" style="font-size:11px" text="#000"><p>test</p></body>';
$params = array('container_id' => 'foo'); $params = array('container_id' => 'foo');
$html = rcmail_html4inline($html, $params); $html = rcmail_html4inline($html, $params);
$this->assertRegExp('/<div style="font-size:11px">/', $html, "Body attributes"); $this->assertRegExp('/<div style="font-size:11px">/', $html, "Body attributes");
$this->assertArrayHasKey('container_attrib', $params, "'container_attrib' param set"); $this->assertArrayHasKey('container_attrib', $params, "'container_attrib' param set");
$this->assertSame('background-color: #fff; background-image: url(test)', $params['container_attrib']['style'], "Body style"); $this->assertRegExp('/background-color: #fff;/', $params['container_attrib']['style'], "Body style (bgcolor)");
$this->assertRegExp('/background-image: url\(test\)/', $params['container_attrib']['style'], "Body style (background)");
$this->assertRegExp('/color: #000/', $params['container_attrib']['style'], "Body style (text)");
} }
/** /**
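Review bot: The `/color: #000/` assertion in `test_html4inline_body_style` is also satisfied by a `background-color: #000` declaration, so on its own it does not prove that the `text` attribute became the container's font colour. It passes for the right reason here only because the fixture uses `#fff` for `bgcolor`. Anchoring it pins the property: `$this->assertRegExp('/(^|; )color: #000/', $params['container_attrib']['style'], "Body style (text)");`. Replacing the former `assertSame` with three regex checks also stops verifying that no unexpected declarations end up in `container_attrib['style']`.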
