url_parser translateText => url_parser */

/* -------------------------------------------------------------------------- */
/* MIME DECODING */
/* -------------------------------------------------------------------------- */

/**
 * Get the MIME structure
 *
 * This function gets the structure of a message and stores it in the "message" class.
 * It will return this object for use with all relevant header information and
 * fully parsed into the standard "message" object format.
 *
 * The text that follows the keyword "bodystructure" is trimmed, its last
 * character is dropped, and the remainder is handed to
 * Message::parseStructure(). If that call does not return an object, an error
 * page is printed and the script exits.
 *
 * NOTE(review): the strpos() result is not checked. When the keyword is
 * absent strpos() returns false, so the substr() offset becomes 13.
 *
 * @param string $bodystructure text containing the "bodystructure" keyword and its value
 * @param array $flags flag strings; \seen, \answered, \deleted, \flagged and
 *                     $mdnsent set the matching is_... property on the result
 * @return object the value returned by Message::parseStructure()
 */
function mime_structure ($bodystructure, $flags=array()) {

    /* Isolate the body structure and remove beginning and end parenthesis. */
    $read = trim(substr ($bodystructure, strpos(strtolower($bodystructure), 'bodystructure') + 13));
    $read = trim(substr ($read, 0, -1));
    $i = 0;
    $msg = Message::parseStructure($read,$i);
    if (!is_object($msg)) {
        global $color, $mailbox;

        displayPageHeader( $color, $mailbox );
        $errormessage = _("SquirrelMail could not decode the bodystructure of the message");
        /* NOTE(review): the literals below hold only line breaks in this
         * listing; any markup they carried appears to have been lost when the
         * page was rendered. The server-supplied text itself is passed through
         * htmlspecialchars() before it is added to the message. */
        $errormessage .= '
'._("The bodystructure provided by your IMAP server:").'

';
        $errormessage .= '
' . htmlspecialchars($read) . '
';
        plain_error_message( $errormessage );
        echo '';
        exit;
    }
    if (count($flags)) {
        foreach ($flags as $flag) {
//FIXME: please document why it is we have to check the first char of the flag but we then go ahead and do a full string comparison anyway.  Is this a speed enhancement?  If not, let's keep it simple and just compare the full string and forget the switch block.
            /* $flag{1} reads the character at index 1, i.e. the one after the
             * leading "\" or "$". NOTE(review): curly-brace string offsets are
             * rejected by PHP 8, and a flag shorter than two characters has no
             * index 1. */
            $char = strtoupper($flag{1});
            switch ($char) {
                case 'S':
                    if (strtolower($flag) == '\\seen') {
                        $msg->is_seen = true;
                    }
                    break;
                case 'A':
                    if (strtolower($flag) == '\\answered') {
                        $msg->is_answered = true;
                    }
                    break;
                case 'D':
                    if (strtolower($flag) == '\\deleted') {
                        $msg->is_deleted = true;
                    }
                    break;
                case 'F':
                    if (strtolower($flag) == '\\flagged') {
                        $msg->is_flagged = true;
                    }
                    break;
                case 'M':
                    if (strtolower($flag) == '$mdnsent') {
                        $msg->is_mdnsent = true;
                    }
                    break;
                default:
                    break;
            }
        }
    }
    //    listEntities($msg);
    return $msg;
}



/* This starts the parsing of a particular structure.  It is called recursively,
 * so it can be passed different structures.  It returns an object of type
 * $message.
 * First, it checks to see if it is a multipart message.  If it is, then it
 * handles that as it sees is necessary.  If it is just a regular entity,
 * then it parses it and adds the necessary header information (by calling out
 * to mime_get_elements()
 *
 * NOTE(review): this description does not match the function below, which
 * does not call itself and returns a string.
 */

/**
 * Fetch one body part of a message and return it as a string.
 *
 * Sends "FETCH $id BODY[$ent_id]" (or "BODY[]" when $ent_id is empty), with a
 * "<0.$fetch_size>" partial range when $fetch_size is not 0. Leading untagged
 * lines are skipped until the FETCH line. A "{n}" literal marker on that line
 * selects the first n bytes of the joined data; a quoted string on that line
 * is returned directly; a "nil" line with no data returns the empty data. In
 * every other case an error report is printed and the whole message is
 * fetched again using the global $passed_id.
 *
 * NOTE(review): $id, $ent_id and $fetch_size are placed into the command text
 * as given; callers are expected to pass validated values.
 * NOTE(review): ereg() no longer exists as of PHP 7.0.
 *
 * @param resource $imap_stream connection handed to sqimap_run_command()
 * @param mixed $id message id used in the FETCH command
 * @param mixed $ent_id body part id; an empty value selects BODY[]
 * @param integer $fetch_size upper bound of the partial fetch, 0 for no bound
 * @return string the selected body data
 */
function mime_fetch_body($imap_stream, $id, $ent_id=1, $fetch_size=0) {
    /* Do a bit of error correction.  If we couldn't find the entity id, just guess
     * that it is the first one.  That is usually the case anyway.
     */

    if (!$ent_id) {
        $cmd = "FETCH $id BODY[]";
    } else {
        $cmd = "FETCH $id BODY[$ent_id]";
    }

    if ($fetch_size!=0) $cmd .= "<0.$fetch_size>";

    $data = sqimap_run_command ($imap_stream, $cmd, true, $response, $message, TRUE);
    /* Drop lines until one is empty, does not start with "*", or is the
     * untagged FETCH response. */
    do {
        $topline = trim(array_shift($data));
    } while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH.*/i', $topline)) ;

    $wholemessage = implode('', $data);
    if (ereg('\\{([^\\}]*)\\}', $topline, $regs)) {
        /* $regs[1] is whatever stood between the braces; the pattern does not
         * require digits, so substr() receives it unvalidated as a length. */
        $ret = substr($wholemessage, 0, $regs[1]);
        /* There is some information in the content info header that could be important
         * in order to parse html messages. Let's get them here.
         */
//        if ($ret{0} == '<') {
//            $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, TRUE);
//        }
    } else if (ereg('"([^"]*)"', $topline, $regs)) {
        $ret = $regs[1];
    } else if ((stristr($topline, 'nil') !== false) && (empty($wholemessage))) {
        $ret = $wholemessage;
    } else {
        global $where, $what, $mailbox, $passed_id, $startMessage;
        /* $par is built here but is not read again in the visible code.
         * $passed_id and $startMessage are appended without urlencode(). */
        $par = 'mailbox=' . urlencode($mailbox) . '&passed_id=' . $passed_id;
        if (isset($where) && isset($what)) {
            $par .= '&where=' . urlencode($where) . '&what=' . urlencode($what);
        } else {
            $par .= '&startMessage=' . $startMessage . '&show_more=0';
        }
        $par .= '&response=' . urlencode($response) .
                '&message=' . urlencode($message) .
                '&topline=' . urlencode($topline);

        /* NOTE(review): the echo statement below is damaged in this listing
         * (its markup literals are gone and the quotes no longer pair up), so
         * it is kept exactly as found. What can still be read is that $cmd,
         * $response, $message and $topline are interpolated into the output
         * as-is; no htmlspecialchars() call is visible here, unlike in
         * mime_structure(). Confirm against the repository copy and escape
         * these values before output, since part of them comes from the
         * server response. */
        echo '
' . '' . '' . '" . '" . '" . '" . "
' . _("Body retrieval error. The reason for this is most probably that the message is malformed.") . '
' . _("Command:") . "$cmd
' . _("Response:") . "$response
' . _("Message:") . "$message
' . _("FETCH line:") . "$topline


"; $data = sqimap_run_command ($imap_stream, "FETCH $passed_id BODY[]", true, $response, $message, TRUE);
        /* The refetch uses the global $passed_id, not the $id argument. */
        array_shift($data);
        $wholemessage = implode('', $data);

        $ret = $wholemessage;
    }
    return $ret;
}

/**
 * Write one body part, decoded, to a stream or to the output.
 *
 * For base64 the FETCH command is run with 'sqimap_base64_decode' and
 * $rStream passed on to sqimap_run_command(), so the part is not held in a
 * local variable here. For every other encoding the part is fetched with
 * mime_fetch_body(), decoded with decodeBody() and then written with fputs()
 * when $rStream is a resource, or echoed otherwise. The default $rStream is a
 * string, so the default path is echo.
 *
 * NOTE(review): the required $encoding parameter follows the optional
 * $ent_id, which newer PHP versions report as deprecated.
 *
 * @param resource $imap_stream connection handed to sqimap_run_command()
 * @param mixed $id message id used in the FETCH command
 * @param mixed $ent_id body part id; an empty value selects BODY[]
 * @param string $encoding transfer encoding of the part
 * @param mixed $rStream stream resource to write to
 * @param string $force_crlf passed through to decodeBody()
 * @return void
 */
function mime_print_body_lines ($imap_stream, $id, $ent_id=1, $encoding, $rStream='php://stdout', $force_crlf='') {

    /* Don't kill the connection if the browser is over a dialup
     * and it would take over 30 seconds to download it.
     * Don't call set_time_limit in safe mode.
     */

    if (!ini_get('safe_mode')) {
        set_time_limit(0);
    }
    /* in case of base64 encoded attachments, do not buffer them.
       Instead, echo the decoded attachment directly to screen */
    if (strtolower($encoding) == 'base64') {
        if (!$ent_id) {
            $query = "FETCH $id BODY[]";
        } else {
            $query = "FETCH $id BODY[$ent_id]";
        }
        sqimap_run_command($imap_stream,$query,true,$response,$message,TRUE,'sqimap_base64_decode',$rStream,true);
    } else {
        $body = mime_fetch_body ($imap_stream, $id, $ent_id);
        if (is_resource($rStream)) {
            fputs($rStream,decodeBody($body, $encoding, $force_crlf));
        } else {
            echo decodeBody($body, $encoding, $force_crlf);
        }
    }

    /*
       TODO, use the same method for quoted printable.
       However, I assume that quoted printable attachments aren't that large
       so the performance gain / memory usage drop will be minimal.
       If we decide to add that then we need to adapt sqimap_fread because
       we need to split the result on \n and fread doesn't stop at \n. That
       means we also should provide $results from sqimap_fread (by ref) to
       the function and set $no_return to false. The $filter function for
       quoted printable should handle unsetting of $results.
    */
    /*
       TODO 2: find out how we write to the output stream php://stdout. fwrite
       doesn't work because 'php://stdout isn't a stream.
    */

    return;
}

/* -[ END MIME DECODING ]----------------------------------------------------------- */

/* This is here for debugging purposes.  It will print out a list
 * of all the entity IDs that are in the $message object.
*/
/* NOTE(review): entity_id, type0, type1 and the parent entity_id are echoed
 * without htmlspecialchars(). No path in this function returns a value of its
 * own, so the "return: " branch is only reached if a nested call returns
 * something truthy. The echoed literals are incomplete in this listing. */
function listEntities ($message) {
    if ($message) {
        echo "" . $message->entity_id . ' : ' . $message->type0 . '/' . $message->type1 . ' parent = '. $message->parent->entity_id. '
';
        for ($i = 0; isset($message->entities[$i]); $i++) {
            echo "$i : ";
            $msg = listEntities($message->entities[$i]);

            if ($msg) {
                echo "return: ";
                return $msg;
            }
        }
    }
}

/**
 * Map a priority value to its translated label.
 *
 * Only the first character of $priority is looked at: '1' and '2' give
 * "High", '4' and '5' give "Low", '3' and everything else give "Normal".
 *
 * @param string $priority priority value, first character significant
 * @return string translated label
 */
function getPriorityStr($priority) {
    $priority_level = substr($priority,0,1);

    switch($priority_level) {
        /* Check for a higher then normal priority. */
        case '1':
        case '2':
            $priority_string = _("High");
            break;

        /* Check for a lower then normal priority. */
        case '4':
        case '5':
            $priority_string = _("Low");
            break;

        /* Check for a normal priority. */
        case '3':
        default:
            /* $priority_level is reset here but not read again below. */
            $priority_level = '3';
            $priority_string = _("Normal");
            break;

    }
    return $priority_string;
}

/* returns a $message object for a particular entity id */
function getEntity ($message, $ent_id) {
    return $message->getEntity($ent_id);
}

/* translateText
 * Extracted from strings.php 23/03/2002
 *
 * Rewrites $body in place, line by line: lines whose length minus 2 reaches
 * $wrap_at go through sqWordWrap(), every line goes through charset_decode(),
 * tab replacement and parseUrl(), and the number of leading quote markers
 * decides which wrapper is put around the line (odd or even count).
 *
 * NOTE(review): the quote scan advances by 4 per marker while the needle in
 * this listing is a single '>' character, and the wrapper literals are empty.
 * Both suggest that entities and markup were lost when the page was rendered;
 * confirm against the repository copy.
 */
function translateText(&$body, $wrap_at, $charset) {
    global $where, $what;   /* from searching */
    global $color;          /* color theme */

    // require_once(SM_PATH . 'functions/url_parser.php');

    $body_ary = explode("\n", $body);
    for ($i=0; $i < count($body_ary); $i++) {
        $line = $body_ary[$i];
        if (strlen($line) - 2 >= $wrap_at) {
            sqWordWrap($line, $wrap_at, $charset);
        }
        $line = charset_decode($charset, $line);
        $line = str_replace("\t", ' ', $line);

        parseUrl ($line);

        $quotes = 0;
        $pos = 0;
        $j = strlen($line);

        /* Count quote markers at the start of the line, skipping spaces. */
        while ($pos < $j) {
            if ($line[$pos] == ' ') {
                $pos++;
            } else if (strpos($line, '>', $pos) === $pos) {
                $pos += 4;
                $quotes++;
            } else {
                break;
            }
        }

        if ($quotes % 2) {
            $line = '' . $line . '';
        } elseif ($quotes) {
            $line = '' . $line . '';
        }

        $body_ary[$i] = $line;
    }
    $body = '
' . implode("\n", $body_ary) . '
';
}

/**
 * This returns a parsed string called $body. That string can then
 * be displayed as the actual message in the HTML. It contains
 * everything needed, including HTML Tags, Attachments at the
 * bottom, etc.
 *
 * Since 1.2.0 function uses message_body hook.
 * Till 1.3.0 function included output of formatAttachments().
 *
 * Only parts whose type0 is 'text' or 'rfc822' are fetched; for any other
 * part the function returns an empty string. An html part takes one of three
 * paths: tags are removed with strip_tags() when $show_html_default is not 1,
 * otherwise the part goes through magicHTML(), either for the iframe template
 * or for inline display. Besides the return value, the function fills the
 * globals $download_and_unsafe_link, $download_href and, when a toggle link
 * is needed, $unsafe_image_toggle_href and $unsafe_image_toggle_text.
 *
 * NOTE(review): in the links built below only the mailbox name is
 * urlencode()d; $id, $ent_num, $sort, $startMessage and $passed_ent_id are
 * concatenated as given. Confirm that they are validated before this call.
 * NOTE(review): the iframe path runs magicHTML() before charset_decode(), the
 * inline path runs charset_decode() first. Confirm that the later conversion
 * in the iframe path cannot change markup that magicHTML() already filtered.
 *
 * @param resource $imap_stream imap connection resource
 * @param object $message squirrelmail message object
 * @param array $color squirrelmail color theme array
 * @param integer $wrap_at number of characters per line
 * @param string $ent_num (since 1.3.0) message part id
 * @param integer $id (since 1.3.0) message id
 * @param string $mailbox (since 1.3.0) imap folder name
 * @return string html formated message text
 */
function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $mailbox='INBOX') {
    /* This if statement checks for the entity to show as the
     * primary message. To add more of them, just put them in the
     * order that is their priority.
     */
    global $startMessage, $languages, $squirrelmail_language,
           $show_html_default, $sort, $has_unsafe_images, $passed_ent_id,
           $use_iframe, $iframe_height, $download_and_unsafe_link,
           $download_href, $unsafe_image_toggle_href,
           $unsafe_image_toggle_text, $oTemplate, $nbsp;

    // workaround for not updated config.php
    if (! isset($use_iframe)) $use_iframe = false;

    // If there's no "view_unsafe_images" variable in the URL, turn unsafe
    // images off by default.
    sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);

    $body = '';
    $urlmailbox = urlencode($mailbox);
    $body_message = getEntity($message, $ent_num);
    if (($body_message->header->type0 == 'text') ||
        ($body_message->header->type0 == 'rfc822')) {
        $body = mime_fetch_body ($imap_stream, $id, $ent_num);
        $body = decodeBody($body, $body_message->header->encoding);

        /* The decoder name is built from the language table entry and is only
         * called when a function of that name exists. */
        if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
            function_exists($languages[$squirrelmail_language]['XTRA_CODE'] . '_decode')) {
            if (mb_detect_encoding($body) != 'ASCII') {
                $body = call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_decode',$body);
            }
        }

        /* As of 1.5.2, $body is passed (and modified) by reference */
        do_hook('message_body', $body);

        /* If there are other types that shouldn't be formatted, add
         * them here.
         */

        if ($body_message->header->type1 == 'html') {
            if ($show_html_default <> 1) {
                /* NOTE(review): the keys of this table are damaged in this
                 * listing (several are bare line breaks, two map a character
                 * to itself); they are kept exactly as found. */
                $entity_conv = array(' ' => ' ', '

' => "\n", '

' => "\n", '
' => "\n", '
' => "\n", '
' => "\n", '
' => "\n", '>' => '>', '<' => '<');
                $body = strtr($body, $entity_conv);
                $body = strip_tags($body);
                $body = trim($body);
                translateText($body, $wrap_at,
                              $body_message->header->getParameter('charset'));
            } elseif ($use_iframe) {
                /**
                 * If we don't add html message between iframe tags,
                 * we must detect unsafe images and modify $has_unsafe_images.
                 */
                $html_body = magicHTML($body, $id, $message, $mailbox);
                // Convert character set in order to display html mails in different character set
                $html_body = charset_decode($body_message->header->getParameter('charset'),$html_body,false,true);

                // creating iframe url
                $iframeurl=sqm_baseuri().'src/view_html.php?'
                    . 'mailbox=' . $urlmailbox
                    . '&passed_id=' . $id
                    . '&ent_id=' . $ent_num
                    . '&view_unsafe_images=' . (int) $view_unsafe_images;

                global $oTemplate;
                $oTemplate->assign('iframe_url', $iframeurl);
                $oTemplate->assign('iframe_height', $iframe_height);
                $oTemplate->assign('html_body', $html_body);

                $body = $oTemplate->fetch('read_html_iframe.tpl');
            } else {
                // old way of html rendering
                /**
                 * convert character set. charset_decode does not remove html special chars
                 * applied by magicHTML functions and does not sanitize them second time if
                 * fourth argument is true.
                 */
                $charset = $body_message->header->getParameter('charset');
                if (!empty($charset)) {
                    $body = charset_decode($charset,$body,false,true);
                }
                $body = magicHTML($body, $id, $message, $mailbox);
            }
        } else {
            translateText($body, $wrap_at,
                          $body_message->header->getParameter('charset'));
        }

        /*
         * Previously the links for downloading and unsafe images were printed
         * under the mail. By putting the links in a global variable we can
         * print it in the toolbar where it belongs. Since the original code was
         * in this place it's left here. It might be possible to move it to some
         * other place if that makes sense. The possibility to do so has not
         * been evaluated yet.
         */

        // Initialize the global variable to an empty string.
        // FIXME: To have $download_and_unsafe_link as a global variable might not be needed since the use of separate variables ($download_href, $unsafe_image_toggle_href, and $unsafe_image_toggle_text) for the templates was introduced.
        $download_and_unsafe_link = '';

        // Prepare and build a link for downloading the mail.
        $link = 'passed_id=' . $id . '&ent_id='.$ent_num.
            '&mailbox=' . $urlmailbox .'&sort=' . $sort .
            '&startMessage=' . $startMessage . '&show_more=0';
        if (isset($passed_ent_id)) {
            $link .= '&passed_ent_id='.$passed_ent_id;
        }
        $download_href = SM_PATH . 'src/download.php?absolute_dl=true&' . $link;

        // Always add the link for downloading the mail as a file to the global
        // variable.
        $download_and_unsafe_link .= "$nbsp|$nbsp" . create_hyperlink($download_href, _("Download this as a file"));

        // Find out the right text to use in the link depending on the
        // circumstances. If the unsafe images are displayed the link should
        // hide them, if they aren't displayed the link should only appear if
        // the mail really contains unsafe images.
        if ($view_unsafe_images) {
            $text = _("Hide Unsafe Images");
        } else {
            if (isset($has_unsafe_images) && $has_unsafe_images) {
                $link .= '&view_unsafe_images=1';
                $text = _("View Unsafe Images");
            } else {
                $text = '';
            }
        }

        // Only create a link for unsafe images if there's need for one. If so:
        // add it to the global variable.
        if($text != '') {
            $unsafe_image_toggle_href = SM_PATH . 'src/read_body.php?'.$link;
            $unsafe_image_toggle_text = $text;
            $download_and_unsafe_link .= "$nbsp|$nbsp" . create_hyperlink($unsafe_image_toggle_href, $text);
        }
    }
    return $body;
}

/**
 * Generate attachments array for passing to templates.
 *
 * @since 1.5.2
 * @param object $message SquirrelMail message object
 * @param array $exclude_id message parts that are not attachments.
* @param string $mailbox mailbox name
 * @param integer $id message id
 * @return array one entry per attachment with the keys Name, Description,
 *               DefaultHREF, DownloadHREF, ViewHREF, Size, ContentType and
 *               OtherLinks
 */
function buildAttachmentArray($message, $exclude_id, $mailbox, $id) {
    global $where, $what, $startMessage, $color, $passed_ent_id, $base_uri;

    $urlMailbox = urlencode($mailbox);
    $attachments = array();

    foreach ($message->getAttachments($exclude_id) as $att) {
        $ent    = $att->entity_id;
        $header = $att->header;
        $type0  = strtolower($header->type0);
        $type1  = strtolower($header->type1);

        // Every attachment starts out with a plain download link.
        $links = array(
            'download link' => array(
                'text' => _("Download"),
                'href' => $base_uri . "src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent",
            ),
        );

        $is_rfc822 = ($type0 =='message' && $type1 == 'rfc822');
        if (!$is_rfc822) {
            // Ordinary part: opened through the download script.
            $default_page = $base_uri . 'src/download.php';
            $filename = $att->getFilename();
            $description = $header->description ? decodeHeader($header->description) : '';
        } else {
            // Attached message: opened in the reader, named after its subject.
            $default_page = $base_uri . 'src/read_body.php';
            $rfc822_header = $att->rfc822_header;
            $filename = $rfc822_header->subject;
            if (trim( $filename ) == '') {
                $filename = 'untitled-[' . $ent . ']' ;
            }

            // The sender is normally an object. After returning to a digest
            // message it has been seen wrapped in an array, in which case the
            // first element is used.
            $from_o = $rfc822_header->from;
            $sender = null;
            if (is_object($from_o)) {
                $sender = $from_o;
            } elseif (is_array($from_o) && count($from_o) && is_object($from_o[0])) {
                $sender = $from_o[0];
            }
            if ($sender === null) {
                $from_name = _("Unknown sender");
            } else {
                $from_name = decodeHeader($sender->getAddress(false));
            }
            $description = _("From").': '.$from_name;
        }

        $display_filename = $filename;
        $passed_ent_id_link = isset($passed_ent_id) ? '&passed_ent_id='.$passed_ent_id : '';

        // Only the mailbox name and the search terms are urlencode()d here;
        // $startMessage, $id and $passed_ent_id go into the link as given.
        $defaultlink = $default_page . "?startMessage=$startMessage"
                     . "&passed_id=$id&mailbox=$urlMailbox"
                     . '&ent_id='.$ent.$passed_ent_id_link;
        if ($where && $what) {
            $defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
        }

        // IE does make use of mime content sniffing. Forcing a download
        // prohibits execution of XSS inside an application/octet-stream attachment.
        if ($type0 == 'application' && $type1 == 'octet-stream') {
            $defaultlink .= '&absolute_dl=true';
        }

        // Remember the link so that a change made by a plugin can be detected.
        $defaultlink_orig = $defaultlink;

        // Hook arguments travel in one array and by reference (API as of
        // 1.5.2): plugins change the values in place instead of returning them.
        // Stage 1: the hook for the exact type.
        $hook_args = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
                           &$defaultlink, &$display_filename, &$where, &$what);
        do_hook("attachment $type0/$type1", $hook_args);

        // Stage 2: the hook for the primary type, only if stage 1 neither
        // added a link nor changed the default link.
        if (count($links) <= 1 && $defaultlink == $defaultlink_orig) {
            $hook_args = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
                               &$defaultlink, &$display_filename, &$where, &$what);
            do_hook("attachment $type0/*", $hook_args);
        }

        // Stage 3: the hook for all types, which always runs.
        $hook_args = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
                           &$defaultlink, &$display_filename, &$where, &$what);
        // Do not let a generic plugin change the default link if a more
        // specialized one already did it: hand it a throw-away variable.
        if ($defaultlink != $defaultlink_orig) {
            $dummy = '';
            $hook_args[5] = &$dummy;
        }
        do_hook("attachment */*", $hook_args);

        $entry = array(
            'Name'         => decodeHeader($display_filename),
            'Description'  => $description,
            'DefaultHREF'  => $defaultlink,
            'DownloadHREF' => $links['download link']['href'],
            'ViewHREF'     => isset($links['attachment_common']) ? $links['attachment_common']['href'] : '',
            'Size'         => $header->size,
            'ContentType'  => htmlspecialchars($type0 .'/'. $type1),
            'OtherLinks'   => array(),
        );

        // Links other than Download and View, as long as they have something
        // to show.
        foreach ($links as $link) {
            if ($link['text']==_("Download") || $link['text'] == _("View")) continue;
            if (empty($link['text']) && empty($link['extra'])) continue;

            $entry['OtherLinks'][] = array(
                'HREF' => $link['href'],
                'Text' => (empty($link['text']) ? '' : $link['text']) .
                          (empty($link['extra']) ? '' : $link['extra']),
            );
        }

        $attachments[] = $entry;

        // $links was bound by reference into the hook arguments; drop that
        // binding before the next attachment starts a new list.
        unset($links);
    }

    return $attachments;
}

/**
 * Displays attachment links and information
 *
 * Since 1.3.0 function is not included in formatBody() call.
 *
 * Since 1.0.2 uses attachment $type0/$type1 hook.
 * Since 1.2.5 uses attachment $type0/* hook.
 * Since 1.5.0 uses attachments_bottom hook.
* Since 1.5.2 uses templates and does *not* return a value.
 *
 * @param object $message SquirrelMail message object
 * @param array $exclude_id message parts that are not attachments.
 * @param string $mailbox mailbox name
 * @param integer $id message id
 */
function formatAttachments($message, $exclude_id, $mailbox, $id) {
    global $oTemplate;

    // Hand the attachment list to the template and render it right away.
    $oTemplate->assign(
        'attachments',
        buildAttachmentArray($message, $exclude_id, $mailbox, $id)
    );
    $oTemplate->display('read_attachments.tpl');
}

/**
 * Decodes a piece of a base64 stream in place.
 *
 * Base64 data comes in groups of four characters. To decode on the fly (and
 * so keep memory use down) a piece that ends in the middle of a group must
 * have that incomplete group held back.
 *
 * @param string $string piece of base64 text; replaced by the decoded bytes
 * @return string the characters held back from the end of the piece, or an
 *                empty string when nothing was held back
 */
function sqimap_base64_decode(&$string) {
    // Line breaks and spaces are noise; remove them before counting groups.
    $string = str_replace(array("\r\n", "\n", "\r", " "), '', $string);

    $sRemainder = '';
    $iExtra = strlen($string) % 4;
    if ($iExtra != 0) {
        $sTail = substr($string, -$iExtra);
        // A tail that ends in padding is decoded together with the rest;
        // any other tail is cut off and returned to the caller.
        if (substr($sTail, -1) == '=') {
            $sRemainder = '';
        } else {
            $sRemainder = $sTail;
            $string = substr($string, 0, -$iExtra);
        }
    }

    $string = base64_decode($string);
    return $sRemainder;
}

/**
 * Decodes encoded string (usually message body)
 *
 * This function decodes a string (usually the message body)
 * depending on the encoding type.  Currently quoted-printable
 * and base64 encodings are supported.
 *
 * The decode_body hook was added to this function in 1.4.2/1.5.0.
 * The $force_crlf parameter was added in 1.5.2.
 *
 * @param string $string The encoded string
 * @param string $encoding used encoding
 * @param string $force_crlf Whether or not to force CRLF or LF
 *                           line endings (or to leave as is).
 *                           If given as "LF", line endings will
 *                           all be converted to LF; if "CRLF",
 *                           line endings will all be converted
 *                           to CRLF.  If given as an empty value,
 *                           the global $force_crlf_default will
 *                           be consulted (it can be specified in
 *                           config/config_local.php).
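Otherwise,
 *                           any other value will cause the string
 *                           to be left alone.  Note that this will
 *                           be overridden to "LF" if not using at
 *                           least PHP version 4.3.0.  (OPTIONAL;
 *                           default is empty - consult global
 *                           default value)
 *
 * In "CRLF" mode, line endings that already are CRLF are left as CRLF; only
 * bare LF characters gain a CR.
 *
 * @return string The decoded string
 *
 * @since 1.0
 *
 */
function decodeBody($string, $encoding, $force_crlf='') {

    global $force_crlf_default;
    if (empty($force_crlf)) $force_crlf = $force_crlf_default;
    $force_crlf = strtoupper($force_crlf);

    // must force line endings to LF due to broken
    // quoted_printable_decode() in PHP versions
    // before 4.3.0 (see below)
    //
    if (!check_php_version(4, 3, 0) || $force_crlf == 'LF') {
        $string = str_replace("\r\n", "\n", $string);
    } else if ($force_crlf == 'CRLF') {
        // Collapse existing CRLF pairs first. Replacing "\n" directly would
        // turn every CRLF into CR CR LF, which also breaks quoted-printable
        // soft line breaks ("=" followed by CRLF).
        $string = str_replace("\n", "\r\n", str_replace("\r\n", "\n", $string));
    }

    $encoding = strtolower($encoding);

    $encoding_handler = do_hook('decode_body', $encoding);


    // plugins get first shot at decoding the string
    //
    // The handler name is whatever the hook returned; it is called only when
    // a function of that name exists.
    if (!empty($encoding_handler) && function_exists($encoding_handler)) {
        $string = $encoding_handler('decode', $string);

    } elseif ($encoding == 'quoted-printable' ||
            $encoding == 'quoted_printable') {
        // quoted_printable_decode() function is broken in older
        // php versions. Text with \r\n decoding was fixed only
        // in php 4.3.0. Minimal code requirement is PHP 4.0.4+
        // and the above call to:  str_replace("\r\n", "\n", $string);
        //
        $string = quoted_printable_decode($string);
    } elseif ($encoding == 'base64') {
        $string = base64_decode($string);
    }

    // All other encodings are returned raw.
    return $string;
}

/**
 * Decodes headers
 *
 * This function decodes strings that are encoded according to
 * RFC1522 (MIME Part Two: Message Header Extensions for Non-ASCII Text).
 * Patched by Christian Schmidt 23/03/2002
 *
 * @param string $string header string that has to be made readable
 * @param boolean $utfencode change message in order to be readable on user's charset. defaults to true
 * @param boolean $htmlsafe preserve spaces and sanitize html special characters.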
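defaults to true
 * @param boolean $decide decide if string can be utfencoded. defaults to false
 * @return string decoded header string
 */
function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) {
    global $languages, $squirrelmail_language,$default_charset;
    if (is_array($string)) {
        $string = implode("\n", $string);
    }

    /* A language specific decoder, named after the language table entry, gets
     * the string first when such a function exists. */
    if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
        function_exists($languages[$squirrelmail_language]['XTRA_CODE'] . '_decodeheader')) {
        $string = call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_decodeheader', $string);
        // Do we need to return at this point?
        // return $string;
    }
    $i = 0;
    $iLastMatch = -2;
    $encoded = true;

    $aString = explode(' ',$string);
    $ret = '';
    foreach ($aString as $chunk) {
        if ($encoded && $chunk === '') {
            continue;
        } elseif ($chunk === '') {
            $ret .= ' ';
            continue;
        }
        $encoded = false;
        /* if encoded words are not separated by a linear-space-white we still catch them */
        $j = $i-1;

        while ($match = preg_match('/^(.*)=\?([^?]*)\?(Q|B)\?([^?]*)\?=(.*)$/Ui',$chunk,$res)) {
            /* if the last chunk isn't an encoded string then put back the space, otherwise don't */
            if ($iLastMatch !== $j) {
                if ($htmlsafe) {
                    /* The HTML-safe separator has to be exactly five bytes
                     * long, because the substr($ret,5) at the end of this
                     * function removes the first one. The page this code was
                     * taken from showed a bare space here, which looks like
                     * the entity having been decoded by the renderer. */
                    $ret .= '&#32;';
                } else {
                    $ret .= ' ';
                }
            }
            $iLastMatch = $i;
            $j = $i;
            if ($htmlsafe) {
                $ret .= htmlspecialchars($res[1]);
            } else {
                $ret .= $res[1];
            }
            $encoding = ucfirst($res[3]);

            /* decide about valid decoding */
            if ($decide && is_conversion_safe($res[2])) {
                $utfencode=true;
                $can_be_encoded=true;
            } else {
                $can_be_encoded=false;
            }
            switch ($encoding) {
            case 'B':
                $replace = base64_decode($res[4]);
                if ($utfencode) {
                    if ($can_be_encoded) {
                        /* convert string to different charset,
                         * if functions asks for it (usually in compose)
                         */
                        $ret .= charset_convert($res[2],$replace,$default_charset,$htmlsafe);
                    } else {
                        // convert string to html codes in order to display it
                        $ret .= charset_decode($res[2],$replace);
                    }
                } else {
                    if ($htmlsafe) {
                        $replace = htmlspecialchars($replace);
                    }
                    $ret.= $replace;
                }
                break;
            case 'Q':
                $replace = str_replace('_', ' ', $res[4]);
                /* "=XX" becomes the byte XX. This used the /e pattern
                 * modifier, which evaluated the replacement as PHP code and
                 * is no longer supported by PHP 7 and later; a callback does
                 * the same conversion without evaluating anything. */
                $replace = preg_replace_callback('/=([0-9a-f]{2})/i',
                                                 'sq_decodeheader_q_octet', $replace);
                if ($utfencode) {
                    if ($can_be_encoded) {
                        /* convert string to different charset,
                         * if functions asks for it (usually in compose)
                         */
                        $replace = charset_convert($res[2], $replace,$default_charset,$htmlsafe);
                    } else {
                        // convert string to html codes in order to display it
                        $replace = charset_decode($res[2], $replace);
                    }
                } else {
                    if ($htmlsafe) {
                        $replace = htmlspecialchars($replace);
                    }
                }
                $ret .= $replace;
                break;
            default:
                break;
            }
            $chunk = $res[5];
            $encoded = true;
        }
        if (!$encoded) {
            if ($htmlsafe) {
                $ret .= '&#32;';
            } else {
                $ret .= ' ';
            }
        }

        /* At this point $chunk is raw header text: either a whole chunk
         * without an encoded word, or what follows the last encoded word of
         * the chunk. Both are escaped when $htmlsafe is set. Before, the
         * second kind was appended unescaped, so markup glued to the end of an
         * encoded word reached the page as markup. */
        if ($htmlsafe) {
            $ret .= htmlspecialchars($chunk);
        } else {
            $ret .= $chunk;
        }
        ++$i;
    }
    /* remove the first added space */
    if ($ret) {
        if ($htmlsafe) {
            $ret = substr($ret,5);
        } else {
            $ret = substr($ret,1);
        }
    }

    return $ret;
}

/**
 * preg_replace_callback() helper of decodeHeader(): converts one "=XX" match
 * of a Q encoded word into the byte it stands for.
 *
 * @param array $aMatch match array; element 1 holds the two hex digits
 * @return string a single byte
 */
function sq_decodeheader_q_octet($aMatch) {
    return chr(hexdec($aMatch[1]));
}

/**
 * Encodes header
 *
 * Function uses XTRA_CODE _encodeheader function, if such function exists.
 *
 * Function uses Q encoding by default and encodes a string according to RFC
 * 1522 for use in headers if it contains 8-bit characters or anything that
 * looks like it should be encoded.
 *
 * Function switches to B encoding and encodeHeaderBase64() function, if
 * string is 8bit and multibyte character set supported by mbstring extension
 * is used. It can cause E_USER_NOTICE errors, if interface is used with
 * multibyte character set unsupported by mbstring extension.
 *
 * @param string $string header string, that has to be encoded
 * @return string quoted-printable encoded string
 * @todo make $mb_charsets system wide constant
 */
function encodeHeader ($string) {
    global $default_charset, $languages, $squirrelmail_language;

    if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
        function_exists($languages[$squirrelmail_language]['XTRA_CODE'] . '_encodeheader')) {
        return call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_encodeheader', $string);
    }

    // Use B encoding for multibyte charsets
    // NOTE(review): 'gb2313' looks like a typo for 'gb2312' - confirm before changing.
    $mb_charsets = array('utf-8','big5','gb2313','euc-kr');
    if (in_array($default_charset,$mb_charsets) &&
        in_array($default_charset,sq_mb_list_encodings()) &&
        sq_is8bit($string)) {
        return encodeHeaderBase64($string,$default_charset);
    } elseif (in_array($default_charset,$mb_charsets) &&
              sq_is8bit($string) &&
              ! in_array($default_charset,sq_mb_list_encodings())) {
        // Add E_USER_NOTICE error here (can cause 'Cannot add header information' warning in compose.php)
        // trigger_error('encodeHeader: Multibyte character set unsupported by mbstring extension.',E_USER_NOTICE);
    }

    // Encode only if the string contains 8-bit characters or =?
    $j = strlen($string);
    $max_l = 75 - strlen($default_charset) - 7;
    $aRet = array();
    $ret = '';
    $iEncStart = $enc_init = false;
    $cur_l = $iOffset = 0;
    // Characters are read with $string[$i]; the curly-brace offset form used
    // here before is rejected by PHP 8.
    for($i = 0; $i < $j; ++$i) {
        switch($string[$i])
        {
            case '=':
            case '<':
            case '>':
            case ',':
            case '?':
            case '_':
                if ($iEncStart === false) {
                    $iEncStart = $i;
                }
                $cur_l+=3;
                if ($cur_l > ($max_l-2)) {
                    /* if there is an stringpart that doesn't need encoding, add it */
                    $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
                    $aRet[] = "=?$default_charset?Q?$ret?=";
                    $iOffset = $i;
                    $cur_l = 0;
                    $ret = '';
                    $iEncStart = false;
                } else {
                    $ret .= sprintf("=%02X",ord($string[$i]));
                }
                break;
            case '(':
            case ')':
                if ($iEncStart !== false) {
                    $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
                    $aRet[] = "=?$default_charset?Q?$ret?=";
                    $iOffset = $i;
                    $cur_l = 0;
                    $ret = '';
                    $iEncStart = false;
                }
                break;
            case ' ':
                if ($iEncStart !== false) {
                    $cur_l++;
                    if ($cur_l > $max_l) {
                        $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
                        $aRet[] = "=?$default_charset?Q?$ret?=";
                        $iOffset = $i;
                        $cur_l = 0;
                        $ret = '';
                        $iEncStart = false;
                    } else {
                        $ret .= '_';
                    }
                }
                break;
            default:
                $k = ord($string[$i]);
                if ($k > 126) {
                    if ($iEncStart === false) {
                        // do not start encoding in the middle of a string, also take the rest of the word.
                        $sLeadString = substr($string,0,$i);
                        $aLeadString = explode(' ',$sLeadString);
                        $sToBeEncoded = array_pop($aLeadString);
                        $iEncStart = $i - strlen($sToBeEncoded);
                        $ret .= $sToBeEncoded;
                        $cur_l += strlen($sToBeEncoded);
                    }
                    $cur_l += 3;
                    /* first we add the encoded string that reached it's max size */
                    if ($cur_l > ($max_l-2)) {
                        $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
                        $aRet[] = "=?$default_charset?Q?$ret?= "; /* the next part is also encoded => separate by space */
                        $cur_l = 3;
                        $ret = '';
                        $iOffset = $i;
                        $iEncStart = $i;
                    }
                    $enc_init = true;
                    $ret .= sprintf("=%02X", $k);
                } else {
                    if ($iEncStart !== false) {
                        $cur_l++;
                        if ($cur_l > $max_l) {
                            $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
                            $aRet[] = "=?$default_charset?Q?$ret?=";
                            $iEncStart = false;
                            $iOffset = $i;
                            $cur_l = 0;
                            $ret = '';
                        } else {
                            $ret .= $string[$i];
                        }
                    }
                }
                break;
        }
    }
    // Nothing is rewritten unless at least one 8-bit character was seen.
    if ($enc_init) {
        if ($iEncStart !== false) {
            $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
            $aRet[] = "=?$default_charset?Q?$ret?=";
        } else {
            $aRet[] = substr($string,$iOffset);
        }
        $string = implode('',$aRet);
    }
    return $string;
}

/**
 * Encodes string according to rfc2047 B encoding header formating rules
 *
 * It is recommended way to encode headers with character sets that store
 * symbols in more than one byte.
 *
 * Function requires mbstring support. If required mbstring functions are missing,
 * function returns false and sets E_USER_WARNING level error message.
 *
 * Minimal requirements - php 4.0.6 with mbstring extension. Please note,
 * that mbstring functions will generate E_WARNING errors, if unsupported
 * character set is used. mb_encode_mimeheader function provided by php
 * mbstring extension is not used in order to get better control of header
 * encoding.
 *
 * Used php code functions - function_exists(), trigger_error(), strlen()
 * (is used with charset names and base64 strings). Used php mbstring
 * functions - mb_strlen and mb_substr.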
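*
 * Related documents: rfc 2045 (BASE64 encoding), rfc 2047 (mime header
 * encoding), rfc 2822 (header folding)
 *
 * @param string $string header string that must be encoded
 * @param string $charset character set. Must be supported by mbstring extension.
 * Use sq_mb_list_encodings() to detect supported charsets.
 * @return string string encoded according to rfc2047 B encoding formating rules
 * @since 1.5.1
 * @todo First header line can be wrapped to $iMaxLength - $HeaderFieldLength - 1
 * @todo Do we want to control max length of header?
 * @todo Do we want to control EOL (end-of-line) marker?
 * @todo Do we want to translate error message?
 */
function encodeHeaderBase64($string,$charset) {
    /**
     * Check mbstring function requirements.
     */
    if (! function_exists('mb_strlen') ||
        ! function_exists('mb_substr')) {
        // set E_USER_WARNING
        trigger_error('encodeHeaderBase64: Required mbstring functions are missing.',E_USER_WARNING);
        // return false
        return false;
    }

    // initial return array
    $aRet = array();

    /**
     * header length = 75 symbols max (same as in encodeHeader)
     * remove $charset length
     * remove =? ? ?= (5 chars)
     * remove 2 more chars (\r\n ?)
     */
    $iMaxLength = 75 - strlen($charset) - 7;

    // set first character position
    $iStartCharNum = 0;

    // Defined up front so that an empty $string, for which the loop below
    // never runs, does not read an undefined variable afterwards.
    $encoded_string = '';

    // The character count does not change inside the loop; take it once.
    $iCharCount = mb_strlen($string,$charset);

    // loop through all characters. count characters and not bytes.
    for ($iCharNum=1; $iCharNum<=$iCharCount; $iCharNum++) {
        // encode string from starting character to current character.
        $encoded_string = base64_encode(mb_substr($string,$iStartCharNum,$iCharNum-$iStartCharNum,$charset));

        // Check encoded string length
        if(strlen($encoded_string)>$iMaxLength) {
            // if string exceeds max length, reduce number of encoded characters and add encoded string part to array
            $aRet[] = base64_encode(mb_substr($string,$iStartCharNum,$iCharNum-$iStartCharNum-1,$charset));

            // set new starting character
            $iStartCharNum = $iCharNum-1;

            // encode last char (in case it is last character in string)
            $encoded_string = base64_encode(mb_substr($string,$iStartCharNum,$iCharNum-$iStartCharNum,$charset));
        } // if string is shorter than max length - add next character
    }

    // add last encoded string to array
    $aRet[] = $encoded_string;

    // set initial return string
    $sRet = '';

    // loop through encoded strings
    foreach($aRet as $string) {
        // TODO: Do we want to control EOL (end-of-line) marker
        if ($sRet!='') $sRet.= " ";

        // add header tags and encoded string to return string
        $sRet.= '=?'.$charset.'?B?'.$string.'?=';
    }

    return $sRet;
}

/**
 * This function tries to locate the entity_id of a specific mime element.
 *
 * Multipart entities are searched recursively. Any other entity matches when
 * its header id, or failing that its "name" parameter, equals $id in a
 * case-insensitive comparison.
 *
 * @param string $id content id (or name) to look for
 * @param object $message message object whose entities are searched
 * @return string entity id of the first match, or an empty string
 */
function find_ent_id($id, $message) {
    for ($i = 0, $ret = ''; $ret == '' && $i < count($message->entities); $i++) {
        if ($message->entities[$i]->header->type0 == 'multipart')  {
            $ret = find_ent_id($id, $message->entities[$i]);
        } else {
            if (strcasecmp($message->entities[$i]->header->id, $id) == 0) {
//                if (sq_check_save_extension($message->entities[$i])) {
                return $message->entities[$i]->entity_id;
//                }
            } elseif (!empty($message->entities[$i]->header->parameters['name'])) {
                /**
                 * This is part of a fix for Outlook Express 6.x generating
                 * cid URLs without creating content-id headers
                 * @@JA - 20050207
                 */
                if (strcasecmp($message->entities[$i]->header->parameters['name'], $id) == 0) {
                    return $message->entities[$i]->entity_id;
                }
            }
        }
    }
    return $ret;
}

/**
 * Tells whether the file name of a message part ends in one of the image
 * extensions jpg, jpeg, gif, png or bmp.
 *
 * A name without a dot has no extension and is rejected. Before, strrpos()
 * returning false made the code take everything after the first character as
 * the extension, so a name such as "xpng" was accepted.
 *
 * NOTE(review): the comparison is case sensitive, so "PNG" is rejected.
 *
 * @param object $message message part providing getFilename()
 * @return boolean true when the extension is on the list
 */
function sq_check_save_extension($message) {
    $filename = $message->getFilename();
    $iDot = strrpos($filename, '.');
    if ($iDot === false) {
        return false;
    }
    $ext = substr($filename, $iDot+1);
    $save_extensions = array('jpg','jpeg','gif','png','bmp');
    return in_array($ext, $save_extensions);
}


/**
 ** HTMLFILTER ROUTINES
 */

/**
 * This function checks attribute values for entity-encoded values
 * and returns them translated into 8-bit strings so we can run
 * checks on them.
 *
 * The two entity patterns match decimal and hexadecimal numeric character
 * references with any number of leading zeros and with or without the closing
 * semicolon. On the page this code was taken from, the start of both patterns
 * had been turned into an unprintable character by the renderer, which left
 * patterns that can never match; they are written out again here.
 *
 * @param  $attvalue A string to run entity check against.
 * @return           Nothing, modifies a reference value.
 */
function sq_defang(&$attvalue){
    /**
     * Skip this if there aren't ampersands or backslashes.
     */
    if (strpos($attvalue, '&') === false
        && strpos($attvalue, '\\') === false){
        return;
    }
    // before deent, translate the dangerous unicode characters and ... to safe values
    // otherwise the regular expressions do not match.

    // Repeat until a pass translates nothing, so that values which only
    // become entities after a first translation are handled as well.
    do {
        $m = false;
        $m = $m || sq_deent($attvalue, '/\&#0*(\d+);*/s');
        $m = $m || sq_deent($attvalue, '/\&#x0*((\d|[a-f])+);*/si', true);
        $m = $m || sq_deent($attvalue, '/\\\\(\d+)/s', true);
    } while ($m == true);
    $attvalue = stripslashes($attvalue);
}

/**
 * Kill any tabs, newlines, or carriage returns. Our friends the
 * makers of the browser with 95% market value decided that it'd
 * be funny to make "java[tab]script" be just as good as "javascript".
 *
 * NUL bytes and spaces are removed as well.
 *
 * @param  attvalue  The attribute value before extraneous spaces removed.
 * @return attvalue  Nothing, modifies a reference value.
 */
function sq_unspace(&$attvalue){
    if (strcspn($attvalue, "\t\r\n\0 ") != strlen($attvalue)){
        $attvalue = str_replace(Array("\t", "\r", "\n", "\0", " "),
                                Array('',   '',   '',   '',   ''), $attvalue);
    }
}

/**
 * Translate all dangerous Unicode or Shift_JIS characters which are accepted by
 * IE as regular characters.
 *
 * @param  attvalue  The attribute value before dangerous characters are translated.
 * @return attvalue  Nothing, modifies a reference value.
 * @author Marc Groot Koerkamp.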
*/ function sq_fixIE_idiocy(&$attvalue) { // remove NUL $attvalue = str_replace("\0", "", $attvalue); // remove comments $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue); // IE has the evil habit of accepting every possible value for the attribute expression. // The table below contains characters which are parsed by IE if they are used in the "expression" // attribute value. $aDangerousCharsReplacementTable = array( array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */ "\xEF\xBC\xA5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some Chinese char range "\xEF\xBD\x85", /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ "\xEF\xBC\xB8", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ "\xEF\xBD\x98", /* Shift JIS FULLWIDTH LATIN 
SMALL LETTER X */ "\xEF\xBC\xB0", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ "\xEF\xBD\x90", /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ "\xEF\xBC\xB2", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ "\xEF\xBD\x92", /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ "\xEF\xBC\xB3", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ "\xEF\xBD\x93", /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */ "\xEF\xBC\xA9", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ "\xEF\xBD\x89", /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ "\xEF\xBC\xAF", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ "\xEF\xBD\x8F", /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ "\xEF\xBC\xAE", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ "\xEF\xBD\x8E", /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ "\xEF\xBC\xAC", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER L */ "\xEF\xBD\x8C", /* Shift JIS FULLWIDTH LATIN SMALL LETTER L */ "\xEF\xBC\xB5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER U */ "\xEF\xBD\x95", /* Shift JIS FULLWIDTH LATIN SMALL LETTER U */ "\xE2\x81\xBF", /* Shift JIS FULLWIDTH SUPERSCRIPT N */ "\xCA\x9F", /* L UNICODE IPA Extension */ "\xCA\x80", /* R UNICODE IPA Extension */ "\xC9\xB4"), /* N UNICODE IPA Extension */ array('l', 'l', 'r','r','n','n', 'E','E','e','e','X','X','x','x','P','P','p','p','R','R','r','r','S','S','s','s','I','I', 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n','n', 'E','e','X','x','P','p','R','r','S','s','I','i','O','o','N','n','L','l','U','u','n','l','r','n')); $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue); // Escapes are useful for special characters like "{}[]()'&. In other cases they are // used for XSS. $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue); } /** * This function returns the final tag out of the tag name, an array * of attributes, and the type of the tag. This function is called by * sq_sanitize internally. 
* * @param $tagname the name of the tag. * @param $attary the array of attributes and their values * @param $tagtype The type of the tag (see in comments). * @return a string with the final tag representation. */ function sq_tagprint($tagname, $attary, $tagtype){ $me = 'sq_tagprint'; if ($tagtype == 2){ $fulltag = ''; } else { $fulltag = '<' . $tagname; if (is_array($attary) && sizeof($attary)){ $atts = Array(); while (list($attname, $attvalue) = each($attary)){ array_push($atts, "$attname=$attvalue"); } $fulltag .= ' ' . join(" ", $atts); } if ($tagtype == 3){ $fulltag .= ' /'; } $fulltag .= '>'; } return $fulltag; } /** * A small helper function to use with array_walk. Modifies a by-ref * value and makes it lowercase. * * @param $val a value passed by-ref. * @return void since it modifies a by-ref value. */ function sq_casenormalize(&$val){ $val = strtolower($val); } /** * This function skips any whitespace from the current position within * a string and to the next non-whitespace value. * * @param $body the string * @param $offset the offset within the string where we should start * looking for the next non-whitespace character. * @return the location within the $body where the next * non-whitespace char is located. */ function sq_skipspace($body, $offset){ $me = 'sq_skipspace'; preg_match('/^(\s*)/s', substr($body, $offset), $matches); if (sizeof($matches{1})){ $count = strlen($matches{1}); $offset += $count; } return $offset; } /** * This function looks for the next character within a string. It's * really just a glorified "strpos", except it catches if failures * nicely. * * @param $body The string to look for needle in. * @param $offset Start looking from this position. * @param $needle The character/string to look for. * @return location of the next occurance of the needle, or * strlen($body) if needle wasn't found. 
*/ function sq_findnxstr($body, $offset, $needle){ $me = 'sq_findnxstr'; $pos = strpos($body, $needle, $offset); if ($pos === FALSE){ $pos = strlen($body); } return $pos; } /** * This function takes a PCRE-style regexp and tries to match it * within the string. * * @param $body The string to look for needle in. * @param $offset Start looking from here. * @param $reg A PCRE-style regex to match. * @return Returns a false if no matches found, or an array * with the following members: * - integer with the location of the match within $body * - string with whatever content between offset and the match * - string with whatever it is we matched */ function sq_findnxreg($body, $offset, $reg){ $me = 'sq_findnxreg'; $matches = Array(); $retarr = Array(); preg_match("%^(.*?)($reg)%si", substr($body, $offset), $matches); if (!isset($matches{0}) || !$matches{0}){ $retarr = false; } else { $retarr{0} = $offset + strlen($matches{1}); $retarr{1} = $matches{1}; $retarr{2} = $matches{2}; } return $retarr; } /** * This function looks for the next tag. * * @param $body String where to look for the next tag. * @param $offset Start looking from here. * @return false if no more tags exist in the body, or * an array with the following members: * - string with the name of the tag * - array with attributes and their values * - integer with tag type (1, 2, or 3) * - integer where the tag starts (starting "<") * - integer where the tag ends (ending ">") * first three members will be false, if the tag is invalid. */ function sq_getnxtag($body, $offset){ $me = 'sq_getnxtag'; if ($offset > strlen($body)){ return false; } $lt = sq_findnxstr($body, $offset, "<"); if ($lt == strlen($body)){ return false; } /** * We are here: * blah blah * \---------^ */ $pos = sq_skipspace($body, $lt+1); if ($pos >= strlen($body)){ return Array(false, false, false, $lt, strlen($body)); } /** * There are 3 kinds of tags: * 1. Opening tag, e.g.: * * 2. Closing tag, e.g.: * * 3. 
XHTML-style content-less tag, e.g.: * */ $tagtype = false; switch (substr($body, $pos, 1)){ case '/': $tagtype = 2; $pos++; break; case '!': /** * A comment or an SGML declaration. */ if (substr($body, $pos+1, 2) == "--"){ $gt = strpos($body, "-->", $pos); if ($gt === false){ $gt = strlen($body); } else { $gt += 2; } return Array(false, false, false, $lt, $gt); } else { $gt = sq_findnxstr($body, $pos, ">"); return Array(false, false, false, $lt, $gt); } break; default: /** * Assume tagtype 1 for now. If it's type 3, we'll switch values * later. */ $tagtype = 1; break; } $tag_start = $pos; $tagname = ''; /** * Look for next [\W-_], which will indicate the end of the tag name. */ $regary = sq_findnxreg($body, $pos, "[^\w\-_]"); if ($regary == false){ return Array(false, false, false, $lt, strlen($body)); } list($pos, $tagname, $match) = $regary; $tagname = strtolower($tagname); /** * $match can be either of these: * '>' indicating the end of the tag entirely. * '\s' indicating the end of the tag name. * '/' indicating that this is type-3 xhtml tag. * * Whatever else we find there indicates an invalid tag. */ switch ($match){ case '/': /** * This is an xhtml-style tag with a closing / at the * end, like so: . Check if it's followed * by the closing bracket. If not, then this tag is invalid */ if (substr($body, $pos, 2) == "/>"){ $pos++; $tagtype = 3; } else { $gt = sq_findnxstr($body, $pos, ">"); $retary = Array(false, false, false, $lt, $gt); return $retary; } case '>': return Array($tagname, false, $tagtype, $lt, $pos); break; default: /** * Check if it's whitespace */ if (!preg_match('/\s/', $match)){ /** * This is an invalid tag! Look for the next closing ">". */ $gt = sq_findnxstr($body, $lt, ">"); return Array(false, false, false, $lt, $gt); } break; } /** * At this point we're here: * * \-------^ * * At this point we loop in order to find all attributes. 
*/ $attname = ''; $atttype = false; $attary = Array(); while ($pos <= strlen($body)){ $pos = sq_skipspace($body, $pos); if ($pos == strlen($body)){ /** * Non-closed tag. */ return Array(false, false, false, $lt, $pos); } /** * See if we arrived at a ">" or "/>", which means that we reached * the end of the tag. */ $matches = Array(); if (preg_match("%^(\s*)(>|/>)%s", substr($body, $pos), $matches)) { /** * Yep. So we did. */ $pos += strlen($matches{1}); if ($matches{2} == "/>"){ $tagtype = 3; $pos++; } return Array($tagname, $attary, $tagtype, $lt, $pos); } /** * There are several types of attributes, with optional * [:space:] between members. * Type 1: * attrname[:space:]=[:space:]'CDATA' * Type 2: * attrname[:space:]=[:space:]"CDATA" * Type 3: * attr[:space:]=[:space:]CDATA * Type 4: * attrname * * We leave types 1 and 2 the same, type 3 we check for * '"' and convert to """ if needed, then wrap in * double quotes. Type 4 we convert into: * attrname="yes". */ $regary = sq_findnxreg($body, $pos, "[^:\w\-_]"); if ($regary == false){ /** * Looks like body ended before the end of tag. */ return Array(false, false, false, $lt, strlen($body)); } list($pos, $attname, $match) = $regary; $attname = strtolower($attname); /** * We arrived at the end of attribute name. Several things possible * here: * '>' means the end of the tag and this is attribute type 4 * '/' if followed by '>' means the same thing as above * '\s' means a lot of things -- look what it's followed by. * anything else means the attribute is invalid. */ switch($match){ case '/': /** * This is an xhtml-style tag with a closing / at the * end, like so: . Check if it's followed * by the closing bracket. 
If not, then this tag is invalid */ if (substr($body, $pos, 2) == "/>"){ $pos++; $tagtype = 3; } else { $gt = sq_findnxstr($body, $pos, ">"); $retary = Array(false, false, false, $lt, $gt); return $retary; } case '>': $attary{$attname} = '"yes"'; return Array($tagname, $attary, $tagtype, $lt, $pos); break; default: /** * Skip whitespace and see what we arrive at. */ $pos = sq_skipspace($body, $pos); $char = substr($body, $pos, 1); /** * Two things are valid here: * '=' means this is attribute type 1 2 or 3. * \w means this was attribute type 4. * anything else we ignore and re-loop. End of tag and * invalid stuff will be caught by our checks at the beginning * of the loop. */ if ($char == "="){ $pos++; $pos = sq_skipspace($body, $pos); /** * Here are 3 possibilities: * "'" attribute type 1 * '"' attribute type 2 * everything else is the content of tag type 3 */ $quot = substr($body, $pos, 1); if ($quot == "'"){ $regary = sq_findnxreg($body, $pos+1, "\'"); if ($regary == false){ return Array(false, false, false, $lt, strlen($body)); } list($pos, $attval, $match) = $regary; $pos++; $attary{$attname} = "'" . $attval . "'"; } else if ($quot == '"'){ $regary = sq_findnxreg($body, $pos+1, '\"'); if ($regary == false){ return Array(false, false, false, $lt, strlen($body)); } list($pos, $attval, $match) = $regary; $pos++; $attary{$attname} = '"' . $attval . '"'; } else { /** * These are hateful. Look for \s, or >. */ $regary = sq_findnxreg($body, $pos, "[\s>]"); if ($regary == false){ return Array(false, false, false, $lt, strlen($body)); } list($pos, $attval, $match) = $regary; /** * If it's ">" it will be caught at the top. */ $attval = preg_replace("/\"/s", """, $attval); $attary{$attname} = '"' . $attval . '"'; } } else if (preg_match("|[\w/>]|", $char)) { /** * That was attribute type 4. */ $attary{$attname} = '"yes"'; } else { /** * An illegal character. Find next '>' and return. 
*/ $gt = sq_findnxstr($body, $pos, ">"); return Array(false, false, false, $lt, $gt); } break; } } /** * The fact that we got here indicates that the tag end was never * found. Return invalid tag indication so it gets stripped. */ return Array(false, false, false, $lt, strlen($body)); } /** * Translates entities into literal values so they can be checked. * * @param $attvalue the by-ref value to check. * @param $regex the regular expression to check against. * @param $hex whether the entites are hexadecimal. * @return True or False depending on whether there were matches. */ function sq_deent(&$attvalue, $regex, $hex=false){ $me = 'sq_deent'; $ret_match = false; // remove comments //$attvalue = preg_replace("/(\/\*.*\*\/)/","",$attvalue); preg_match_all($regex, $attvalue, $matches); if (is_array($matches) && sizeof($matches[0]) > 0){ $repl = Array(); for ($i = 0; $i < sizeof($matches[0]); $i++){ $numval = $matches[1][$i]; if ($hex){ $numval = hexdec($numval); } $repl{$matches[0][$i]} = chr($numval); } $attvalue = strtr($attvalue, $repl); return true; } else { return false; } } /** * This function runs various checks against the attributes. * * @param $tagname String with the name of the tag. * @param $attary Array with all tag attributes. * @param $rm_attnames See description for sq_sanitize * @param $bad_attvals See description for sq_sanitize * @param $add_attr_to_tag See description for sq_sanitize * @param $message message object * @param $id message id * @return Array with modified attributes. */ function sq_fixatts($tagname, $attary, $rm_attnames, $bad_attvals, $add_attr_to_tag, $message, $id, $mailbox ){ $me = 'sq_fixatts'; while (list($attname, $attvalue) = each($attary)){ /** * See if this attribute should be removed. 
*/ foreach ($rm_attnames as $matchtag=>$matchattrs){ if (preg_match($matchtag, $tagname)){ foreach ($matchattrs as $matchattr){ if (preg_match($matchattr, $attname)){ unset($attary{$attname}); continue; } } } } /** * Workaround for IE quirks */ sq_fixIE_idiocy($attvalue); /** * Remove any backslashes, entities, and extraneous whitespace. */ $oldattvalue = $attvalue; sq_defang($attvalue); if ($attname == 'style' && $attvalue !== $oldattvalue) { // entities are used in the attribute value. In 99% of the cases it's there as XSS // i.e.

$attvalue = "idiocy"; $attary{$attname} = $attvalue; } sq_unspace($attvalue); /** * Now let's run checks on the attvalues. * I don't expect anyone to comprehend this. If you do, * get in touch with me so I can drive to where you live and * shake your hand personally. :) */ foreach ($bad_attvals as $matchtag=>$matchattrs){ if (preg_match($matchtag, $tagname)){ foreach ($matchattrs as $matchattr=>$valary){ if (preg_match($matchattr, $attname)){ /** * There are two arrays in valary. * First is matches. * Second one is replacements */ list($valmatch, $valrepl) = $valary; $newvalue = preg_replace($valmatch, $valrepl, $attvalue); if ($newvalue != $attvalue){ $attary{$attname} = $newvalue; $attvalue = $newvalue; } } } } } if ($attname == 'style') { if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) { // 8bit and control characters in style attribute values can be used for XSS, remove them $attary{$attname} = '"disallowed character"'; } preg_match_all("/url\s*\((.+)\)/si",$attvalue,$aMatch); if (count($aMatch)) { foreach($aMatch[1] as $sMatch) { // url value $urlvalue = $sMatch; sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'"); $attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue); } } } /** * Use white list based filtering on attributes which can contain url's */ else if ($attname == 'href' || $attname == 'src' || $attname == 'background') { sq_fix_url($attname, $attvalue, $message, $id, $mailbox); $attary{$attname} = $attvalue; } } /** * See if we need to append any attributes to this tag. 
*/ foreach ($add_attr_to_tag as $matchtag=>$addattary){ if (preg_match($matchtag, $tagname)){ $attary = array_merge($attary, $addattary); } } return $attary; } /** * This function filters url's * * @param $attvalue String with attribute value to filter * @param $message message object * @param $id message id * @param $mailbox mailbox * @param $sQuote quoting characters around url's */ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') { $attvalue = trim($attvalue); if ($attvalue && ($attvalue[0] =='"'|| $attvalue[0] == "'")) { // remove the double quotes $sQuote = $attvalue[0]; $attvalue = trim(substr($attvalue,1,-1)); } // If there's no "view_unsafe_images" variable in the URL, turn unsafe // images off by default. sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE); $secremoveimg = '../images/' . _("sec_remove_eng.png"); /** * Replace empty src tags with the blank image. src is only used * for frames, images, and image inputs. Doing a replace should * not affect them working as should be, however it will stop * IE from being kicked off when src for img tags are not set */ if ($attvalue == '') { $attvalue = '"' . SM_PATH . 'images/blank.png"'; } else { // first, disallow 8 bit characters and control characters if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) { switch ($attname) { case 'href': $attvalue = $sQuote . 'http://invalid-stuff-detected.example.com' . $sQuote; break; default: $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote; break; } } else { $aUrl = parse_url($attvalue); if (isset($aUrl['scheme'])) { switch(strtolower($aUrl['scheme'])) { case 'mailto': case 'http': case 'https': case 'ftp': if ($attname != 'href') { if ($view_unsafe_images == false) { $attvalue = $sQuote . $secremoveimg . $sQuote; } else { if (isset($aUrl['path'])) { // No one has been able to show that image URIs // can be exploited, so for now, no restrictions // are made at all. 
If this proves to be a problem, // the commented-out code below can be of help. // (One consideration is that I see nothing in this // function that specifically says that we will // only ever arrive here when inspecting an image // tag, although that does seem to be the end // result - e.g.,