|
|
@ -707,6 +707,7 @@ function rcmail_wash_html($html, $p = array(), $cid_replaces)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
$washer = new washtml($wash_opts);
|
|
|
|
$washer = new washtml($wash_opts);
|
|
|
|
|
|
|
|
$washer->add_callback('a', 'rcmail_washtml_callback');
|
|
|
|
$washer->add_callback('form', 'rcmail_washtml_callback');
|
|
|
|
$washer->add_callback('form', 'rcmail_washtml_callback');
|
|
|
|
|
|
|
|
|
|
|
|
if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback()
|
|
|
|
if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback()
|
|
|
@ -819,6 +820,11 @@ function rcmail_washtml_callback($tagname, $attrib, $content)
|
|
|
|
$out = html::div('form', $content);
|
|
|
|
$out = html::div('form', $content);
|
|
|
|
break;
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
case 'a':
|
|
|
|
|
|
|
|
if ($attrib) $attrib .= ' target="_blank"';
|
|
|
|
|
|
|
|
$out = '<a'.$attrib.'>' . $content . '</a>';
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case 'style':
|
|
|
|
case 'style':
|
|
|
|
// decode all escaped entities and reduce to ascii strings
|
|
|
|
// decode all escaped entities and reduce to ascii strings
|
|
|
|
$stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content));
|
|
|
|
$stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content));
|
|
|
|