Commit Graph

246 Commits (2bf097dcdb766f8e580dd027a6245bb2c1738ab1)

Author SHA1 Message Date
Aleksander Machniak 2348899a3f Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896) 5 years ago
Aleksander Machniak 554a20fe49 Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class (#6897) 5 years ago
Aleksander Machniak c0c42d1075 Fix bug where some strict remote URIs in url() style were unintentionally blocked (#6899) 5 years ago
Aleksander Machniak d0d8c1ace5 Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898) 5 years ago
Aleksander Machniak 37f4c7df77 Update changelog, add some tests for rcube_utils::parse_host() 6 years ago
Aleksander Machniak 55ebae3c1e Fix bug where bold/strong text was converted to upper-case on html-to-text conversion (6758) 6 years ago
Aleksander Machniak eec0d76360 Fix regression in vcard parser 6 years ago
Aleksander Machniak 8dec8fb60a Fix handling of empty entries in vCard import (#6564) 6 years ago
Aleksander Machniak c22c177e53 Fix bug where valid content between HTML comments could have been skipped in some cases (#6464) 6 years ago
Aleksander Machniak 095cd2fa8a Add test for #6410 6 years ago
Aleksander Machniak 2e3648b24f Fix bug where some HTML comments could have been malformed by HTML parser (#6333) 7 years ago
Aleksander Machniak d9eed3625b Fix bug where some escape sequences in html styles could bypass security checks 7 years ago
Aleksander Machniak c278b8796f Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224) 7 years ago
Aleksander Machniak 60902de521 Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216) 7 years ago
Aleksander Machniak f55724d1e8 Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212) 7 years ago
Aleksander Machniak 24dcdb5414 Fix bug in remote content blocking on HTML image and style tags (#6178) 7 years ago
Aleksander Machniak 46faac4a6e Fix mangled non-ASCII characters in links in HTML messages (#6028) 7 years ago
Aleksander Machniak 972be07a41 Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) 7 years ago
Thomas Bruederli 2359f30b96 Modify links in html messages during Washtml DOM traversal
This is a more safe approach than using regex and mitigates
possible vulnerabilities using malformed html markup.
7 years ago
Thomas Bruederli 74e0852db2 Escape textarea contents in Washtml 7 years ago
Aleksander Machniak 39fa590bad Fix bug where HTML messages with @media styles could moddify style of page body (#5811) 8 years ago
Aleksander Machniak dade481658 Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747) 8 years ago
Aleksander Machniak ce61c8210e Added test for rcube_db::parse_dsn() 8 years ago
dfukagaw28 89a4134064 Add support for DelSp=Yes messages (#5702) 8 years ago
Thomas Bruederli 522565b400 Add tests for XSS vulnerabilities in style tags 8 years ago
Shin Kojima 0b385dc946 Skip iconv for problematic ISO-2022-JP strings (#5668)
We sometimes get broken character encodings such as:
Subject: =?iso-2022-jp?B?GyRCLWo7M3l1OSk2SBsoQgo=?=
This actually is not a strict ISO-2022-JP string, but a CP50220 string
that is a variant of ISO-2022-JP with extended characters proposed by
Microsoft. Iconv can not handle these encodings well.
8 years ago
Aleksander Machniak e08f22ef28 Fix bug where external content in src attribute of input/video tags was not secured (#5583) 8 years ago
Aleksander Machniak 7340360e79 Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580) 8 years ago
Aleksander Machniak bbab6a6db7 Identicon plugin
https://kolabian.wordpress.com/2016/12/02/contact-identicons/
8 years ago
JohnDoh dd714b33a8 replace old trac links (#5514) 8 years ago
Aleksander Machniak 0485275a75 Merge branch 'dev/drop-legacy-browsers' 8 years ago
Aleksander Machniak 94f8ce3334 Make html::parse_attrib_string() more robust
Fixes PHP Error: Expression parse error on: ($app->config->get('preview_pane',rcube_utils::get_boolean('')) == true ? ' checked=checked' : ')
8 years ago
Aleksander Machniak 829442a4cd Removed legacy_browsr plugin 8 years ago
Aleksander Machniak dcabc1d814 Merge remote-tracking branch 'upstream/master'
Conflicts:
	tests/Framework/Washtml.php
8 years ago
Aleksander Machniak 906cf101c3 Better time handling in rcube_utils::clean_datestr() 8 years ago
Aleksander Machniak ed35267b9b Managesieve: Fix parsing of vacation date-time with non-default date_format (#5372)
Added new method rcube_utils::format_datestr() to convert date_format date
into ISO date format.
8 years ago
Aleksander Machniak d91bad5975 Fix handling of blockquote tags with mixed case on html2text conversion (#5363) 8 years ago
Aleksander Machniak bf5b3072c4 Fix MathML test on older PHP versions 8 years ago
Aleksander Machniak edfd9da42a Support MathML in HTML message preview (#5182) 8 years ago
Aleksander Machniak 6737e293bb Wash position:fixed style in HTML mail for better security (#5264) 9 years ago
Aleksander Machniak afd090672c Small performance optimization 9 years ago
Aleksander Machniak ca9ad75d96 Add some more tests for HREF attribute washing 9 years ago
Aleksander Machniak 6652367d65 Fix XSS issue in href attribute on area tag (#5240, #5241) 9 years ago
Aleksander Machniak a0f38f5fd8 Small code style improvements 9 years ago
Aleksander Machniak e8ab3d96bd Fix converting mail addresses with @www. into mailto links (#5197) 9 years ago
Aleksander Machniak ed1d212ae2 Improved SVG cleanup code 9 years ago
Aleksander Machniak cbe701ac4a Fix rcube_utils::words_match() to work with mixed/invalid/binary content (T844) 9 years ago
Aleksander Machniak 9234903287 Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583) 9 years ago
Aleksander Machniak 26086981a2 Improve randomness of security tokens (#1490529) 9 years ago
Aleksander Machniak a63f14ec40 Emoticons-related code refactoring
- Emoticons: All emoticons-related functionality is handled by the plugin now
- Emoticons: Added option to switch on/off emoticons in compose editor (#1485732)
- Emoticons: Added option to switch on/off emoticons in plain text messages
- Plugin API: Added disabled_plugins an disabled_buttons options in html_editor hook
- Plugin API: Added html2text hook
9 years ago