Aleksander Machniak
2348899a3f
Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs ( #6896 )
5 years ago
Aleksander Machniak
554a20fe49
Fix security issue where it was possible to bypass the CSS jail in HTML messages using :root pseudo-class ( #6897 )
5 years ago
Aleksander Machniak
c0c42d1075
Fix bug where some strict remote URIs in url() style were unintentionally blocked ( #6899 )
5 years ago
Aleksander Machniak
d0d8c1ace5
Fix security issue where it was possible to bypass the position:fixed CSS check in received messages ( #6898 )
5 years ago
Aleksander Machniak
37f4c7df77
Update changelog, add some tests for rcube_utils::parse_host()
6 years ago
Aleksander Machniak
55ebae3c1e
Fix bug where bold/strong text was converted to upper-case on html-to-text conversion ( #6758 )
6 years ago
Aleksander Machniak
eec0d76360
Fix regression in vcard parser
6 years ago
Aleksander Machniak
8dec8fb60a
Fix handling of empty entries in vCard import ( #6564 )
6 years ago
Aleksander Machniak
c22c177e53
Fix bug where valid content between HTML comments could have been skipped in some cases ( #6464 )
6 years ago
Aleksander Machniak
095cd2fa8a
Add test for #6410
6 years ago
Aleksander Machniak
2e3648b24f
Fix bug where some HTML comments could have been malformed by HTML parser ( #6333 )
7 years ago
Aleksander Machniak
d9eed3625b
Fix bug where some escape sequences in html styles could bypass security checks
7 years ago
Aleksander Machniak
c278b8796f
Fix bug where usernames without domain part could be malformed or converted to lower-case on logon ( #6224 )
7 years ago
Aleksander Machniak
60902de521
Fix parsing date strings (e.g. from a Date: mail header) with comments ( #6216 )
7 years ago
Aleksander Machniak
f55724d1e8
Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() ( #6212 )
7 years ago
Aleksander Machniak
24dcdb5414
Fix bug in remote content blocking on HTML image and style tags ( #6178 )
7 years ago
Aleksander Machniak
46faac4a6e
Fix mangled non-ASCII characters in links in HTML messages ( #6028 )
7 years ago
Aleksander Machniak
972be07a41
Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview ( #5580 )
7 years ago
Thomas Bruederli
2359f30b96
Modify links in html messages during Washtml DOM traversal
This is a safer approach than using regexes and mitigates
possible vulnerabilities using malformed HTML markup.
7 years ago
Thomas Bruederli
74e0852db2
Escape textarea contents in Washtml
7 years ago
Aleksander Machniak
39fa590bad
Fix bug where HTML messages with @media styles could modify style of page body ( #5811 )
8 years ago
Aleksander Machniak
dade481658
Fix bug where comment notation within style tag would cause the whole style to be ignored ( #5747 )
8 years ago
Aleksander Machniak
ce61c8210e
Added test for rcube_db::parse_dsn()
8 years ago
dfukagaw28
89a4134064
Add support for DelSp=Yes messages ( #5702 )
8 years ago
Thomas Bruederli
522565b400
Add tests for XSS vulnerabilities in style tags
8 years ago
Shin Kojima
0b385dc946
Skip iconv for problematic ISO-2022-JP strings ( #5668 )
We sometimes get broken character encodings such as:
Subject: =?iso-2022-jp?B?GyRCLWo7M3l1OSk2SBsoQgo=?=
This actually is not a strict ISO-2022-JP string, but a CP50220 string
that is a variant of ISO-2022-JP with extended characters proposed by
Microsoft. Iconv cannot handle these encodings well.
8 years ago
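The subject line quoted in the commit message above, decoded and classified. This is an added example in Python, not Roundcube's PHP code: it decodes the RFC 2047 encoded-word, walks the ISO-2022 escape sequences to collect the JIS X 0208 rows the text uses, and flags rows the standard never assigned (row 13 NEC special characters, rows 89-92 NEC-selected IBM extensions) as the signature of a vendor variant such as CP50220, which is exactly what a strict decoder such as iconv refuses. Python's standard library has no CP50220 codec, so the example detects the variant and leaves decoding it to a library that supports it; the strict comparison string, the function names and the "cp50220" label are constructed for this illustration.

```python
import base64
import re

# The encoded word quoted in the commit message above.
SUBJECT = "=?iso-2022-jp?B?GyRCLWo7M3l1OSk2SBsoQgo=?="
# Constructed strict ISO-2022-JP comparison string: "こんにちは", plain JIS X 0208 row 4.
STRICT_RAW = b"\x1b$B$3$s$K$A$O\x1b(B"
STRICT_SUBJECT = "=?ISO-2022-JP?B?" + base64.b64encode(STRICT_RAW).decode("ascii") + "?="

_ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")

# Rows that JIS X 0208 assigns: 1-8 (symbols, kana, Latin, Greek, Cyrillic,
# box drawing) and 16-84 (kanji). Anything else is a vendor extension or
# user-defined area, so the text is CP50220/CP932-flavoured, not strict.
JISX0208_ROWS = set(range(1, 9)) | set(range(16, 85))


def decode_encoded_word(word):
    """RFC 2047 encoded-word -> (charset, raw bytes); supports B and Q."""
    m = _ENCODED_WORD.fullmatch(word.strip())
    if not m:
        raise ValueError("not an encoded-word")
    charset, enc, payload = m.group(1).lower(), m.group(2).upper(), m.group(3)
    if enc == "B":
        raw = base64.b64decode(payload)
    else:  # Q encoding: '_' is a space, =XX is one hex byte
        raw = re.sub(rb"=([0-9A-Fa-f]{2})",
                     lambda h: bytes([int(h.group(1), 16)]),
                     payload.replace("_", " ").encode("ascii"))
    return charset, raw


def jis_rows(raw):
    """Set of JIS X 0208 rows used in the two-byte segments of an ISO-2022-JP
    byte string. Only the 3-byte designations ESC $ @ / ESC $ B (two-byte)
    and ESC ( B / ESC ( J / ESC ( I (one-byte) are tracked; the 4-byte
    JIS X 0212 designation is out of scope here."""
    rows, i, twobyte = set(), 0, False
    while i < len(raw):
        b = raw[i]
        if b == 0x1B and i + 2 < len(raw):
            seq = raw[i + 1:i + 3]
            if seq in (b"$@", b"$B"):
                twobyte = True
            elif seq in (b"(B", b"(J", b"(I"):
                twobyte = False
            i += 3
            continue
        if twobyte and 0x21 <= b <= 0x7E and i + 1 < len(raw):
            rows.add(b - 0x20)   # row number is the first byte minus 0x20
            i += 2
        else:
            i += 1
    return rows


def extension_rows(raw):
    return jis_rows(raw) - JISX0208_ROWS


def classify(raw):
    """'iso-2022-jp' when every row is standard, else the vendor variant label."""
    return "cp50220" if extension_rows(raw) else "iso-2022-jp"


def strict_decode(raw):
    """Python's iso2022_jp codec is strict like iconv; None if it refuses."""
    try:
        return raw.decode("iso2022_jp")
    except UnicodeDecodeError:
        return None


def decode_subject(word):
    """(charset the bytes should really be treated as, strict decode or None)."""
    charset, raw = decode_encoded_word(word)
    variant = classify(raw) if charset.replace("_", "-") == "iso-2022-jp" else charset
    return variant, strict_decode(raw)
```

The practical check is `classify()`: a header that claims iso-2022-jp but uses row 13 or rows 85-94 should be handed to a decoder that knows the Microsoft variant (mbstring's CP50220 in PHP) instead of being run through strict iconv and mangled.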
Aleksander Machniak
e08f22ef28
Fix bug where external content in src attribute of input/video tags was not secured ( #5583 )
8 years ago
Aleksander Machniak
7340360e79
Fix bug where image data URIs in css style were treated as evil/remote in mail preview ( #5580 )
8 years ago
Aleksander Machniak
bbab6a6db7
Identicon plugin
https://kolabian.wordpress.com/2016/12/02/contact-identicons/
8 years ago
JohnDoh
dd714b33a8
replace old trac links ( #5514 )
8 years ago
Aleksander Machniak
0485275a75
Merge branch 'dev/drop-legacy-browsers'
8 years ago
Aleksander Machniak
94f8ce3334
Make html::parse_attrib_string() more robust
Fixes PHP Error: Expression parse error on: ($app->config->get('preview_pane',rcube_utils::get_boolean('')) == true ? ' checked=checked' : ')
8 years ago
Aleksander Machniak
829442a4cd
Removed legacy_browser plugin
8 years ago
Aleksander Machniak
dcabc1d814
Merge remote-tracking branch 'upstream/master'
Conflicts:
tests/Framework/Washtml.php
8 years ago
Aleksander Machniak
906cf101c3
Better time handling in rcube_utils::clean_datestr()
8 years ago
Aleksander Machniak
ed35267b9b
Managesieve: Fix parsing of vacation date-time with non-default date_format ( #5372 )
Added new method rcube_utils::format_datestr() to convert date_format date
into ISO date format.
8 years ago
Aleksander Machniak
d91bad5975
Fix handling of blockquote tags with mixed case on html2text conversion ( #5363 )
8 years ago
Aleksander Machniak
bf5b3072c4
Fix MathML test on older PHP versions
8 years ago
Aleksander Machniak
edfd9da42a
Support MathML in HTML message preview ( #5182 )
8 years ago
Aleksander Machniak
6737e293bb
Wash position:fixed style in HTML mail for better security ( #5264 )
9 years ago
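Several entries in this log are style-washing bypasses of the same family: CSS escape sequences hiding `url(` or `position:fixed` from a regex check (d9eed3625b), comments inside a declaration (dade481658, 9234903287), data: image URIs split on the `;` inside them (#5580), `@media` and `:root` escaping the CSS jail (#5811, #6897) and `position:fixed` itself (#5264, #6898). The following is an added example in Python, not Roundcube's PHP washtml code, showing the shape of a check that survives them: normalise first (strip comments, decode escapes, collapse whitespace), split declarations only outside parentheses and quotes, and only then apply the policy. The sample values, the container id `#message-body`, the blocked-declaration policy and the function names are constructed for this illustration.

```python
import re

# Constructed sample style attribute values (not taken from any real message).
INLINE_SAMPLES = {
    "plain":     "color: red; background: url(https://example.test/a.png)",
    "esc_url":   "color: red; background: \\75rl(https://example.test/a.png)",
    "esc_fixed": "position: f\\69 xed; top: 0; left: 0",
    "comment":   "position: /* x */ fixed; z-index: 9999",
    "data_img":  "background: url(data:image/png;base64,iVBORw0KGgo=)",
}

_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.S)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_URL = re.compile(r"url\s*\(\s*['\"]?\s*([^'\")]*)", re.I)
_NAIVE_FIXED = re.compile(r"position\s*:\s*fixed", re.I)


def naive_blocks_fixed(style):
    """The check the escape/comment bypasses defeat: a regex on the raw value."""
    return _NAIVE_FIXED.search(style) is not None


def unescape_css(text):
    """CSS escapes: backslash + 1-6 hex digits (+ one optional whitespace),
    or backslash + any other character. NUL, surrogates and out-of-range
    code points become U+FFFD as in CSS Syntax Level 3."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return "\ufffd"
            return chr(cp)
        return m.group(2)
    return _ESCAPE.sub(repl, text)


def decode_css(text):
    """Comments first (a browser drops them before escapes apply), then escapes,
    then a conservative second comment pass in case decoding produced new
    /* */ delimiters; finally collapse whitespace."""
    text = _COMMENT.sub("", unescape_css(_COMMENT.sub("", text)))
    return re.sub(r"\s+", " ", text).strip()


def split_declarations(style):
    """Split on ';' only outside parentheses and quoted strings, so
    url(data:image/png;base64,...) stays one declaration."""
    out, buf, depth, quote, i = [], [], 0, None, 0
    while i < len(style):
        c = style[i]
        if quote:
            if c == "\\" and i + 1 < len(style):   # escaped char inside a string
                buf.append(c)
                i += 1
                c = style[i]
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth = max(0, depth - 1)
        elif c == ";" and depth == 0:
            out.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    out.append("".join(buf))
    return [d.strip() for d in out if d.strip()]


def check_declaration(decl, allow_remote=False):
    """Reason to block one decoded, comment-free declaration, or None to keep it.
    Policy is illustrative: position:fixed is dropped rather than rewritten,
    and only data:image/* is accepted inside url()."""
    d = decl.lower()
    if re.search(r"expression\s*\(|behavior\s*:|@import|-moz-binding", d):
        return "active content"
    if re.search(r"\bposition\s*:\s*fixed\b", d):
        return "position:fixed"
    for m in _URL.finditer(d):
        target = m.group(1).strip()
        if target.startswith("data:"):
            if not target.startswith("data:image/"):
                return "non-image data URI"
        elif not allow_remote:
            return "remote url()"
    return None


def wash_inline_style(style, allow_remote=False):
    """(washed style, reasons for each blocked declaration). Kept declarations
    are emitted decoded, so the browser parses exactly what was checked."""
    kept, blocked = [], []
    for raw in split_declarations(_COMMENT.sub("", style)):
        decoded = decode_css(raw)
        why = check_declaration(decoded, allow_remote)
        (blocked if why else kept).append(why or decoded)
    return "; ".join(kept), blocked


def jail_selector(selector, container="#message-body"):
    """Scope a <style> selector to the message container. A selector naming
    the document root (html, body, :root, including escaped spellings such as
    '\\3a root') becomes the container itself: '#message-body :root' would
    match nothing, and an unprefixed ':root' styles the whole page. Splits on
    every comma; :not(a, b) is not handled."""
    parts = []
    for part in decode_css(selector).split(","):
        part = part.strip()
        m = re.match(r"(html|body|:root)(?![\w-])", part, re.I)
        parts.append(container + part[m.end():] if m else container + " " + part)
    return ", ".join(parts)
```

The order matters more than the individual regexes: every check runs on `decode_css()` output, so a payload can only be spelled one way by the time policy is applied, and `split_declarations()` is what keeps the `;` in `data:image/png;base64,` from becoming a declaration boundary.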
Aleksander Machniak
afd090672c
Small performance optimization
9 years ago
Aleksander Machniak
ca9ad75d96
Add some more tests for HREF attribute washing
9 years ago
Aleksander Machniak
6652367d65
Fix XSS issue in href attribute on area tag ( #5240 , #5241 )
9 years ago
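The href checks fixed in the entries above (#5240/#5241 on `area`, #5583 on `input`/`video` `src`, #6896 on `data:application/xhtml+xml`) all come down to deciding what a URI-bearing attribute may contain once the browser has finished decoding it. The following is an added example in Python, not Roundcube's washtml code: it lets the HTML parser decode entities, strips the ASCII controls and whitespace browsers ignore inside a URL before reading the scheme, treats `area` like `a`, never accepts `data:` as a link target, accepts `data:` in `src` only for `image/*`, and subjects remote `src` on every embedding element to the same remote-content switch. The sample fragment, the `keep`/`drop`/`block` outcomes, the scheme lists and the function names are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Constructed HTML fragment; the base64 payloads are short placeholders.
SAMPLE_HTML = """
<a href="https://example.test/">ok</a>
<a href="java&#9;script:alert(1)">entity-split scheme</a>
<area href="data:application/xhtml+xml;base64,PHN2Zz4=" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<img src="https://example.test/logo.png" alt="">
<input type="image" src="https://tracker.example.test/p.gif">
<a href="mailto:user@example.test">mail</a>
"""

# (tag, attribute) pairs that carry a URI worth checking.
URI_ATTRS = {("a", "href"), ("area", "href"), ("img", "src"), ("input", "src"),
             ("video", "src"), ("video", "poster"), ("audio", "src"), ("source", "src")}
LINK_SCHEMES = {"http", "https", "ftp", "mailto", "tel"}
EMBED_SCHEMES = {"http", "https"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def scheme_of(value):
    """Scheme as the browser sees it. Entities are already decoded by the HTML
    parser; ASCII controls and whitespace are ignored inside a URL, so
    'java<TAB>script:' must be read as 'javascript'. Relative URLs give None."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = _SCHEME.match(cleaned)
    return m.group(1).lower() if m else None


def wash_uri(tag, attr, value, allow_remote=False):
    """'keep', 'drop' (remove the attribute) or 'block' (remote content withheld
    until the user allows it). Relative URLs are dropped here, conservatively."""
    scheme = scheme_of(value)
    if attr == "href":
        # data: is never a link target: data:text/html and data:application/xhtml+xml
        # are navigable documents carrying script, and data:image/* is useless as a link.
        return "keep" if scheme in LINK_SCHEMES else "drop"
    if scheme == "data":
        media = re.sub(r"\s", "", value)[5:].split(";")[0].split(",")[0].lower()
        return "keep" if media.startswith("image/") else "drop"
    if scheme == "cid":
        return "keep"   # inline attachment reference; a real washer rewrites it
    if scheme in EMBED_SCHEMES:
        return "keep" if allow_remote else "block"
    return "drop"


class UriScanner(HTMLParser):
    """Collects one decision per URI-bearing attribute, in document order."""
    def __init__(self, allow_remote=False):
        super().__init__()
        self.allow_remote = allow_remote
        self.decisions = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URI_ATTRS and value is not None:
                self.decisions.append((tag, name, wash_uri(tag, name, value, self.allow_remote)))


def scan_html(html, allow_remote=False):
    scanner = UriScanner(allow_remote)
    scanner.feed(html)
    scanner.close()
    return scanner.decisions
```

Two details carry the weight: the scheme is read only after the same normalisation the browser performs (entity decoding by the parser, control and whitespace stripping here), and the `data:` media type is taken from the decoded value rather than from a substring search, so `data:image/svg+xml` lands on the `image/` branch and should be considered separately if inline SVG is not wanted.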
Aleksander Machniak
a0f38f5fd8
Small code style improvements
9 years ago
Aleksander Machniak
e8ab3d96bd
Fix converting mail addresses with @www. into mailto links ( #5197 )
9 years ago
Aleksander Machniak
ed1d212ae2
Improved SVG cleanup code
9 years ago
Aleksander Machniak
cbe701ac4a
Fix rcube_utils::words_match() to work with mixed/invalid/binary content (T844)
9 years ago
Aleksander Machniak
9234903287
Fix HTML sanitizer to skip <!-- node type X --> in output ( #1490583 )
9 years ago
Aleksander Machniak
26086981a2
Improve randomness of security tokens ( #1490529 )
9 years ago
Aleksander Machniak
a63f14ec40
Emoticons-related code refactoring
- Emoticons: All emoticons-related functionality is handled by the plugin now
- Emoticons: Added option to switch on/off emoticons in compose editor (#1485732 )
- Emoticons: Added option to switch on/off emoticons in plain text messages
- Plugin API: Added disabled_plugins and disabled_buttons options in html_editor hook
- Plugin API: Added html2text hook
9 years ago