Better fix for XSS in style tags (9b5eee294)

Thomas Bruederli 8 years ago
parent 9b5eee2946
commit d6ddd31a1b

@ -540,10 +540,10 @@ class rcube_utils
public static function xss_entity_decode($content) public static function xss_entity_decode($content)
{ {
$out = html_entity_decode(html_entity_decode($content)); $out = html_entity_decode(html_entity_decode($content));
$out = strip_tags($out);
$out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
array(self, 'xss_entity_decode_callback'), $out); array(self, 'xss_entity_decode_callback'), $out);
$out = preg_replace('#/\*.*\*/#Ums', '', $out); $out = preg_replace('#/\*.*\*/#Ums', '', $out);
$out = strip_tags($out);
return $out; return $out;
} }
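Review bot: `array(self, 'xss_entity_decode_callback')` on the preg_replace_callback line uses `self` as a bare identifier, which PHP parses as a constant lookup rather than a class reference; PHP 7 emits an undefined-constant notice and falls back to the string `'self'`, while PHP 8 throws an `Error`, so on PHP 8 the decode step aborts before `strip_tags` is ever reached. Use `array('self', 'xss_entity_decode_callback')` (or `__CLASS__`) so the callable resolves on every supported version. The reason the reordering is the "better fix" — decoding `\XXXX` escapes and dropping `/* */` comments before `strip_tags` so that reconstructed tags are stripped rather than passed through — is not stated anywhere and deserves a comment on the `strip_tags` line such as `// strip only after escape decoding and comment removal, so reassembled tags are caught`. The escape pattern also matches exactly four hex digits, whereas CSS escape sequences are one to six hex digits optionally followed by a single whitespace character, so other escape widths pass the decoder unchanged; whether that is acceptable depends on how callers consume the result and is worth a regression test alongside this change.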
