From fb53c809a632a0f4122f0ef76cb8958a4ed7f6e1 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Thu, 8 Nov 2012 09:05:35 +0100
Subject: [PATCH] Fix AREA links handling (#1488792)

---
 CHANGELOG                   | 1 +
 program/lib/washtml.php     | 2 +-
 program/steps/mail/func.inc | 8 ++++++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index b7881c1a3..02fe0e2ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix AREA links handling (#1488792)
 - Better client-side timezone detection using the jsTimezoneDetect library (#1488725)
 - Fix possible HTTP DoS on error in keep-alive requests (#1488782)
 - Add option to disable saving sent mail in Sent folder - no_save_sent_messages (#1488686)
diff --git a/program/lib/washtml.php b/program/lib/washtml.php
index 98ae5ed5a..d5cdb82f8 100644
--- a/program/lib/washtml.php
+++ b/program/lib/washtml.php
@@ -102,7 +102,7 @@ class washtml
     'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight',
     'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr',
     'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace',
-    'cellborder', 'size', 'lang', 'dir', 'usemap',
+    'cellborder', 'size', 'lang', 'dir', 'usemap', 'shape',
     // attributes of form elements
     'type', 'rows', 'cols', 'disabled', 'readonly', 'checked', 'multiple', 'value'
   );
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 10829d514..f128a3834 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1294,7 +1294,7 @@ function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null
   // modify HTML links to open a new window if clicked
   $GLOBALS['rcmail_html_container_id'] = $container_id;
-  $body = preg_replace_callback('/<(a|link)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
+  $body = preg_replace_callback('/<(a|link|area)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
   unset($GLOBALS['rcmail_html_container_id']);
 
   $body = preg_replace(array(
@@ -1407,7 +1407,11 @@ function rcmail_alter_html_link($matches)
     $attrib['target'] = '_blank';
   }
 
-  return "<$tag" . html::attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . $end;
+  // allowed attributes for a|link|area tags
+  $allow = array('href','name','target','onclick','id','class','style','title',
+    'rel','type','media','alt','coords','nohref','hreflang','shape');
+
+  return "<$tag" . html::attrib_string($attrib, $allow) . $end;
 }
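Review bot: The widened pattern `/<(a|link|area)\s+([^>]+)>/Ui` now also routes self-closing `<area ... />` tags through rcmail_alter_html_link, and `([^>]+)` captures the trailing slash together with the attribute text; whether the rebuilt tag keeps that slash depends on how `$end` is derived inside rcmail_alter_html_link, which is not visible in this hunk. It would be worth covering this with a fixture message whose image map uses a self-closing area element and checking that the rewritten output still closes the element and keeps `shape`/`coords` intact. rcmail_html4inline's body continues outside the hunk.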
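Review bot: `$allow` is rebuilt on every invocation of rcmail_alter_html_link, which preg_replace_callback now calls once per a/link/area tag in the message body; declaring it `static $allow = array(...)` allocates the list once and makes its role as a fixed whitelist explicit. The comment could also state what the list does rather than only that it exists, e.g. `// attributes kept on a|link|area tags; anything else is dropped by html::attrib_string` — assuming attrib_string filters by this list, which is not visible in the hunk. The function's body starts outside the hunk.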