require_once(SM_PATH . 'functions/imap.php');
require_once(SM_PATH . 'functions/attachment_common.php');
-/* --------------------------------------------------------------------------------- */
-/* MIME DECODING */
-/* --------------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+/* MIME DECODING */
+/* -------------------------------------------------------------------------- */
/* This function gets the structure of a message and stores it in the "message" class.
* It will return this object for use with all relevant header information and
if (!is_object($msg)) {
include_once(SM_PATH . 'functions/display_messages.php');
global $color, $mailbox;
- displayPageHeader( $color, urldecode($mailbox) );
- echo "<BODY TEXT=\"$color[8]\" BGCOLOR=\"$color[4]\" LINK=\"$color[7]\" VLINK=\"$color[7]\" ALINK=\"$color[7]\">\n\n" .
- '<CENTER>';
+ /* removed urldecode because $_GET is auto urldecoded ??? */
+ displayPageHeader( $color, $mailbox );
$errormessage = _("SquirrelMail could not decode the bodystructure of the message");
$errormessage .= '<BR>'._("the provided bodystructure by your imap-server").':<BR><BR>';
- $errormessage .= '<table><tr><td>' . htmlspecialchars($read) . '</td></tr></table>';
+ $errormessage .= '<pre>' . htmlspecialchars($read) . '</pre>';
plain_error_message( $errormessage, $color );
echo '</body></html>';
exit;
/* Do a bit of error correction. If we couldn't find the entity id, just guess
* that it is the first one. That is usually the case anyway.
*/
+
if (!$ent_id) {
- $cmd = "FETCH $id BODY[]";
+ $cmd = "FETCH $id BODY[]";
} else {
- $cmd = "FETCH $id BODY[$ent_id]";
+ $cmd = "FETCH $id BODY[$ent_id]";
}
$data = sqimap_run_command ($imap_stream, $cmd, true, $response, $message, $uid_support);
/* There is some information in the content info header that could be important
* in order to parse html messages. Let's get them here.
*/
- if ($ret{0} == '<') {
- $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, $uid_support);
- }
+// if ($ret{0} == '<') {
+// $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, $uid_support);
+// }
} else if (ereg('"([^"]*)"', $topline, $regs)) {
$ret = $regs[1];
} else {
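Review bot: The three `//`-prefixed lines replacing the `$ret{0} == '<'` branch leave dead code in the function instead of removing it; they reference `$ret`, whose value is not established at that point in the hunk, and a `BODY[$ent_id.MIME]` fetch that can no longer run. Delete them, or if the fetch is expected to come back, keep a single comment that states why it was disabled and what would re-enable it rather than the code itself. The enclosing function starts and ends outside the hunk.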
function mime_print_body_lines ($imap_stream, $id, $ent_id=1, $encoding) {
global $uid_support;
- $sid = sqimap_session_id($uid_support);
/* Don't kill the connection if the browser is over a dialup
* and it would take over 30 seconds to download it.
* DonĀ“t call set_time_limit in safe mode.
if (!ini_get('safe_mode')) {
set_time_limit(0);
}
- if ($uid_support) {
- $sid_s = substr($sid,0,strpos($sid, ' '));
+ /* in case of base64 encoded attachments, do not buffer them.
+ Instead, echo the decoded attachment directly to screen */
+ if (strtolower($encoding) == 'base64') {
+ if (!$ent_id) {
+ $query = "FETCH $id BODY[]";
+ } else {
+ $query = "FETCH $id BODY[$ent_id]";
+ }
+ sqimap_run_command($imap_stream,$query,true,$response,$message,$uid_support,'sqimap_base64_decode','php://stdout',true);
} else {
- $sid_s = $sid;
+ $body = mime_fetch_body ($imap_stream, $id, $ent_id);
+ echo decodeBody($body, $encoding);
}
- $body = mime_fetch_body ($imap_stream, $id, $ent_id);
- echo decodeBody($body, $encoding);
+ /*
+ TODO, use the same method for quoted printable.
+ However, I assume that quoted printable attachments aren't that large
+ so the performancegain / memory usage drop will be minimal.
+ If we decide to add that then we need to adapt sqimap_fread because
+ we need to split te result on \n and fread doesn't stop at \n. That
+ means we also should provide $results from sqimap_fread (by ref) to
+ te function and set $no_return to false. The $filter function for
+ quoted printable should handle unsetting of $results.
+ */
+ /*
+ TODO 2: find out how we write to the output stream php://stdout. fwrite
+ doesn't work because 'php://stdout isn't a stream.
+ */
+
return;
/*
fputs ($imap_stream, "$sid FETCH $id BODY[$ent_id]\r\n");
}
}
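Review bot: The signature keeps `$ent_id=1` as the default while the new body branches on `!$ent_id` to choose `FETCH $id BODY[]`, so the default can never select the whole-message form and callers must pass an explicitly empty `$ent_id`, which nothing documents. A docblock above `mime_print_body_lines` should say that, and that a base64 part is streamed through `sqimap_base64_decode` to `php://stdout` whereas every other encoding is fetched whole by `mime_fetch_body` and decoded in memory. A required `$encoding` after an optional parameter is also confusing; either give it a default or reorder the parameters. The two TODO blocks read as notes to self and would be clearer as one sentence each naming the open question.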
- if ($quotes > 1) {
- if (!isset($color[14])) {
- $color[14] = '#FF0000';
- }
- $line = '<FONT COLOR="' . $color[14] . '">' . $line . '</FONT>';
- } elseif ($quotes) {
+ if ($quotes % 2) {
if (!isset($color[13])) {
$color[13] = '#800000';
}
- $line = '<FONT COLOR="' . $color[13] . '">' . $line . '</FONT>';
+ $line = '<font color="' . $color[13] . '">' . $line . '</font>';
+ } elseif ($quotes) {
+ if (!isset($color[14])) {
+ $color[14] = '#FF0000';
+ }
+ $line = '<font color="' . $color[14] . '">' . $line . '</font>';
}
$body_ary[$i] = $line;
$body = '<pre>' . implode("\n", $body_ary) . '</pre>';
}
-
/* This returns a parsed string called $body. That string can then
* be displayed as the actual message in the HTML. It contains
* everything needed, including HTML Tags, Attachments at the
*/
global $startMessage, $username, $key, $imapServerAddress, $imapPort,
$show_html_default, $sort, $has_unsafe_images, $passed_ent_id;
+ global $languages, $squirrelmail_language;
if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
$view_unsafe_images = false;
($body_message->header->type0 == 'rfc822')) {
$body = mime_fetch_body ($imap_stream, $id, $ent_num);
$body = decodeBody($body, $body_message->header->encoding);
+
+ if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
+ function_exists($languages[$squirrelmail_language]['XTRA_CODE'])) {
+ if (mb_detect_encoding($body) != 'ASCII') {
+ $body = $languages[$squirrelmail_language]['XTRA_CODE']('decode', $body);
+ }
+ }
$hookResults = do_hook("message_body", $body);
$body = $hookResults[1];
translateText($body, $wrap_at,
$body_message->header->getParameter('charset'));
}
- $link = 'read_body.php?passed_id=' . $id . '&ent_id='.$ent_num.
- '&mailbox=' . $urlmailbox .'&sort=' . $sort .
- '&startMessage=' . $startMessage . '&show_more=0';
- if (isset($passed_ent_id)) {
- $link .= '&passed_ent_id='.$passed_ent_id;
- }
+ $link = 'read_body.php?passed_id=' . $id . '&ent_id='.$ent_num.
+ '&mailbox=' . $urlmailbox .'&sort=' . $sort .
+ '&startMessage=' . $startMessage . '&show_more=0';
+ if (isset($passed_ent_id)) {
+ $link .= '&passed_ent_id='.$passed_ent_id;
+ }
if ($view_unsafe_images) {
$text = _("Hide Unsafe Images");
} else {
- if (isset($has_unsafe_images) && $has_unsafe_images) {
- $link .= '&view_unsafe_images=1';
- $text = _("View Unsafe Images");
- } else {
- $text = '';
- }
+ if (isset($has_unsafe_images) && $has_unsafe_images) {
+ $link .= '&view_unsafe_images=1';
+ $text = _("View Unsafe Images");
+ } else {
+ $text = '';
+ }
}
$body .= '<center><small><a href="'.$link.'">'.$text.
- '</a></small></center><br>' . "\n";
+ '</a></small></center><br>' . "\n";
}
return $body;
}
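Review bot: `mb_detect_encoding($body) != 'ASCII'` also sends the body to the XTRA_CODE decoder when detection fails, because `mb_detect_encoding` returns false in that case and `false != 'ASCII'` holds, and it assumes the mbstring extension is loaded, which nothing in the hunk checks. Decide explicitly what a false result should do and write that down, e.g. `$enc = mb_detect_encoding($body); if ($enc !== false && $enc !== 'ASCII') {` if undetectable input should be left alone. The re-indented `$link` lines concatenate `$sort`, `$startMessage` and `$passed_ent_id` straight into the `href`; if those globals originate from the request, each should go through `urlencode` when appended and `$link` through `htmlspecialchars` where it is echoed. The enclosing function begins outside the hunk.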
$urlMailbox = urlencode($mailbox);
foreach ($att_ar as $att) {
- $ent = urldecode($att->entity_id);
+ $ent = $att->entity_id;
$header = $att->header;
$type0 = strtolower($header->type0);
$type1 = strtolower($header->type1);
$name = '';
$links['download link']['text'] = _("download");
- $links['download link']['href'] =
- "../src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent";
+ $links['download link']['href'] = SM_PATH .
+ "src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent";
$ImageURL = '';
if ($type0 =='message' && $type1 == 'rfc822') {
- $default_page = '../src/read_body.php';
+ $default_page = SM_PATH . 'src/read_body.php';
$rfc822_header = $att->rfc822_header;
- $filename = decodeHeader($rfc822_header->subject);
+ $filename = $rfc822_header->subject;
if (trim( $filename ) == '') {
$filename = 'untitled-[' . $ent . ']' ;
- }
+ }
$from_o = $rfc822_header->from;
if (is_object($from_o)) {
$from_name = $from_o->getAddress(false);
} else {
$from_name = _("Unknown sender");
}
- $from_name = decodeHeader(htmlspecialchars($from_name));
+ $from_name = decodeHeader(($from_name));
$description = $from_name;
} else {
- $default_page = '../src/download.php';
+ $default_page = SM_PATH . 'src/download.php';
if (is_object($header->disposition)) {
- $filename = decodeHeader($header->disposition->getProperty('filename'));
+ $filename = $header->disposition->getProperty('filename');
if (trim($filename) == '') {
$name = decodeHeader($header->disposition->getProperty('name'));
if (trim($name) == '') {
- $name = decodeHeader($header->getParameter('name'));
+ $name = $header->getParameter('name');
if(trim($name) == '') {
if (trim( $header->id ) == '') {
$filename = 'untitled-[' . $ent . ']' ;
} else {
$filename = 'cid: ' . $header->id;
- }
+ }
} else {
- $filename = $name;
+ $filename = $name;
}
} else {
$filename = $name;
}
}
} else {
- $filename = decodeHeader($header->getParameter('name'));
- if (!trim($filename)) {
- if (trim( $header->id ) == '') {
- $filename = 'untitled-[' . $ent . ']' ;
- } else {
- $filename = 'cid: ' . $header->id;
- }
- }
- }
+ $filename = $header->getParameter('name');
+ if (!trim($filename)) {
+ if (trim( $header->id ) == '') {
+ $filename = 'untitled-[' . $ent . ']' ;
+ } else {
+ $filename = 'cid: ' . $header->id;
+ }
+ }
+ }
if ($header->description) {
- $description = htmlspecialchars($header->description);
+ $description = decodeHeader($header->description);
} else {
$description = '';
}
}
$defaultlink = $default_page . "?startMessage=$startMessage"
. "&passed_id=$id&mailbox=$urlMailbox"
- . '&ent_id='.$ent.$passed_ent_id_link.'&absolute_dl=true';
+ . '&ent_id='.$ent.$passed_ent_id_link;
if ($where && $what) {
$defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
}
$defaultlink = $hookresults[6];
$attachments .= '<TR><TD>' .
- '<A HREF="'.$defaultlink.'">'.htmlspecialchars($display_filename).'</A> </TD>' .
+ '<A HREF="'.$defaultlink.'">'.decodeHeader($display_filename).'</A> </TD>' .
'<TD><SMALL><b>' . show_readable_size($header->size) .
'</b> </small></TD>' .
"<TD><SMALL>[ $type0/$type1 ] </SMALL></TD>" .
unset($links);
$attachments .= "</TD></TR>\n";
}
+ $attachmentadd = do_hook_function('attachments_bottom',$attachments);
+ if ($attachmentadd != '')
+ $attachments = $attachmentadd;
return $attachments;
}
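Review bot: Output escaping for attachment names now rests on `decodeHeader` — the hunk replaces `htmlspecialchars($display_filename)`, `htmlspecialchars($from_name)` and `htmlspecialchars($header->description)` with `decodeHeader(...)` — but in the new `decodeHeader` only non-encoded chunks and the Q-words of the `!$utfencode` path go through `htmlspecialchars`; B-words and Q-words with `$utfencode` set are returned as whatever `charset_decode` yields. Unless `charset_decode` is guaranteed to HTML-escape its output for every charset (not visible here), a filename or description carried in an encoded word reaches the `<A HREF>` cell unescaped. Either keep an explicit `htmlspecialchars` at the point of output, or make `decodeHeader` escape every decoded word when `$htmlsave` is true. `decodeHeader(($from_name))` also carries a redundant pair of parentheses. The enclosing function starts outside the hunk.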
+function sqimap_base64_decode(&$string) {
+ $string = str_replace("\r\n", "\n", $string);
+ $string = base64_decode($string);
+}
+
/* This function decodes the body depending on the encoding type. */
function decodeBody($body, $encoding) {
- global $languages, $squirrelmail_language;
global $show_html_default;
$body = str_replace("\r\n", "\n", $body);
$body = base64_decode($body);
}
- if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
- function_exists($languages[$squirrelmail_language]['XTRA_CODE'])) {
- $body = $languages[$squirrelmail_language]['XTRA_CODE']('decode', $body);
- }
-
// All other encodings are returned raw.
return $body;
}
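Review bot: `sqimap_base64_decode` decodes each chunk it is handed on its own, so it is only correct if the caller (`sqimap_run_command` with the `'php://stdout'` sink, out of view) hands it chunks whose base64 payload is a multiple of four characters; a read boundary inside a quartet would corrupt everything decoded from then on, and I cannot see how the read is split, so this needs confirming. A docblock should state that contract, e.g. `/* Filter for streamed FETCH output: strips CRLF and base64-decodes $string in place; each call must receive whole base64 quartets. */`. `base64_decode` without strict mode silently drops invalid characters, which is acceptable for a stream filter but worth saying in the same comment.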
* RFC1522 (MIME Part Two: Message Header Extensions for Non-ASCII Text).
* Patched by Christian Schmidt <christian@ostenfeld.dk> 23/03/2002
*/
-function decodeHeader ($string, $utfencode=true) {
+function decodeHeader ($string, $utfencode=true,$htmlsave=true) {
global $languages, $squirrelmail_language;
if (is_array($string)) {
$string = implode("\n", $string);
}
-
+
if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
function_exists($languages[$squirrelmail_language]['XTRA_CODE'])) {
$string = $languages[$squirrelmail_language]['XTRA_CODE']('decodeheader', $string);
+ // Do we need to return at this point?
+ // return $string;
}
-
$i = 0;
- while (preg_match('/^(.{' . $i . '})(.*)=\?([^?]*)\?(Q|B)\?([^?]*)\?=/Ui',
- $string, $res)) {
- $prefix = $res[1];
- /* Ignore white-space between consecutive encoded-words. */
- if (strspn($res[2], " \t") != strlen($res[2])) {
- $prefix .= $res[2];
- }
+ $iLastMatch = -2;
+ $encoded = false;
- if (ucfirst($res[4]) == 'B') {
- $replace = base64_decode($res[5]);
- $replace = charset_decode($res[3],$replace);
-
- } else {
- $replace = str_replace('_', ' ', $res[5]);
- $replace = preg_replace('/=([0-9a-f]{2})/ie', 'chr(hexdec("\1"))',
+ $aString = explode(' ',$string);
+ $ret = '';
+ foreach ($aString as $chunk) {
+ if ($encoded && !$chunk) {
+ continue;
+ } elseif (!$chunk) {
+ $ret .= ' ';
+ continue;
+ }
+ $encoded = false;
+ /* if encoded words are not separated by a linear-space-white we still catch them */
+ $j = $i-1;
+// if ($chunk{0} === '=') { /* performance, saves an unnessecarry preg call */
+ while ($match = preg_match('/^(.*)=\?([^?]*)\?(Q|B)\?([^?]*)\?=(.*)$/Ui',$chunk,$res)) {
+ /* if the last chunk isn't an encoded string then put back the space, otherwise don't */
+ if ($iLastMatch !== $j) {
+ if ($htmlsave) {
+ $ret .= ' ';
+ } else {
+ $ret .= ' ';
+ }
+ }
+ $iLastMatch = $i;
+ $j = $i;
+ $ret .= $res[1];
+ $encoding = ucfirst($res[3]);
+ switch ($encoding)
+ {
+ case 'B':
+ $replace = base64_decode($res[4]);
+ $ret .= charset_decode($res[2],$replace);
+ break;
+ case 'Q':
+ $replace = str_replace('_', ' ', $res[4]);
+ $replace = preg_replace('/=([0-9a-f]{2})/ie', 'chr(hexdec("\1"))',
$replace);
- /* Only encode into entities by default. Some places
- * don't need the encoding, like the compose form.
- */
- if ($utfencode) {
- $replace = charset_decode($res[3], $replace);
+ /* Only encode into entities by default. Some places
+ * don't need the encoding, like the compose form.
+ */
+ if ($utfencode) {
+ $replace = charset_decode($res[2], $replace);
+ } else {
+ if ($htmlsave) {
+ $replace = htmlspecialchars($replace);
+ }
+ }
+ $ret .= $replace;
+ break;
+ default:
+ break;
}
+ $chunk = $res[5];
+ $encoded = true;
}
- $string = $prefix . $replace . substr($string, strlen($res[0]));
- $i = strlen($prefix) + strlen($replace);
+// }
+ if (!$encoded) {
+ if ($htmlsave) {
+ $ret .= ' ';
+ } else {
+ $ret .= ' ';
+ }
+ }
+
+ if (!$encoded && $htmlsave) {
+ $ret .= htmlspecialchars($chunk);
+ } else {
+ $ret .= $chunk;
+ }
+ ++$i;
}
- return $string;
+ /* remove the first added space */
+ if ($ret) {
+ if ($htmlsave) {
+ $ret = substr($ret,6);
+ } else {
+ $ret = substr($ret,1);
+ }
+ }
+
+ return $ret;
}
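Review bot: `if ($encoded && !$chunk)` and `elseif (!$chunk)` treat the word `0` as an empty chunk, so a header containing the token `0` is silently turned into a space; the test should be `$chunk === ''`. The closing `substr($ret,6)` assumes the first thing appended was `&nbsp;`, but a string with a leading space takes the `!$chunk` branch first and appends a plain `' '`, after which the six-character strip eats into the real text — a leading-space input for `decodeHeader` is worth a test. In the `B` case the decoded word is never passed through `htmlspecialchars` even when `$htmlsave` is true, unlike the `Q` case, so the two branches escape differently. The `/e` modifier on `preg_replace('/=([0-9a-f]{2})/ie', ...)` evaluates the replacement as PHP; the capture is confined to two hex digits so it is contained, but `preg_replace_callback` expresses the same without eval.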
/*
function_exists($languages[$squirrelmail_language]['XTRA_CODE'])) {
return $languages[$squirrelmail_language]['XTRA_CODE']('encodeheader', $string);
}
+ if (strtolower($default_charset) == 'iso-8859-1') {
+ $string = str_replace("\240",' ',$string);
+ }
// Encode only if the string contains 8-bit characters or =?
$j = strlen($string);
- $l = strstr($string, '=?'); // Must be encoded ?
+ $max_l = 75 - strlen($default_charset) - 7;
+ $aRet = array();
$ret = '';
+ $iEncStart = $enc_init = false;
+ $cur_l = $iOffset = 0;
for($i = 0; $i < $j; ++$i) {
- switch($string{$i}) {
- case '=':
- $ret .= '=3D';
- break;
- case '?':
- $ret .= '=3F';
- break;
- case '_':
- $ret .= '=5F';
- break;
- case ' ':
- $ret .= '_';
- break;
- default:
- $k = ord($string{$i});
- if ($k > 126) {
- $ret .= sprintf("=%02X", $k);
- $l = TRUE;
+ switch($string{$i})
+ {
+ case '=':
+ case '<':
+ case '>':
+ case ',':
+ case '?':
+ case '_':
+ if ($iEncStart === false) {
+ $iEncStart = $i;
+ }
+ $cur_l+=3;
+ if ($cur_l > ($max_l-2)) {
+ /* if there is an stringpart that doesn't need encoding, add it */
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?=";
+ $iOffset = $i;
+ $cur_l = 0;
+ $ret = '';
+ $iEncStart = false;
+ } else {
+ $ret .= sprintf("=%02X",ord($string{$i}));
+ }
+ break;
+ case '(':
+ case ')':
+ if ($iEncStart !== false) {
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?=";
+ $iOffset = $i;
+ $cur_l = 0;
+ $ret = '';
+ $iEncStart = false;
+ }
+ break;
+ case ' ':
+ if ($iEncStart !== false) {
+ $cur_l++;
+ if ($cur_l > $max_l) {
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?=";
+ $iOffset = $i;
+ $cur_l = 0;
+ $ret = '';
+ $iEncStart = false;
} else {
- $ret .= $string{$i};
+ $ret .= '_';
}
- break;
+ }
+ break;
+ default:
+ $k = ord($string{$i});
+ if ($k > 126) {
+ if ($iEncStart === false) {
+ // do not start encoding in the middle of a string, also take the rest of the word.
+ $sLeadString = substr($string,0,$i);
+ $aLeadString = explode(' ',$sLeadString);
+ $sToBeEncoded = array_pop($aLeadString);
+ $iEncStart = $i - strlen($sToBeEncoded);
+ $ret .= $sToBeEncoded;
+ $cur_l += strlen($sToBeEncoded);
+ }
+ $cur_l += 3;
+ /* first we add the encoded string that reached it's max size */
+ if ($cur_l > ($max_l-2)) {
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?= "; /* the next part is also encoded => separate by space */
+ $cur_l = 3;
+ $ret = '';
+ $iOffset = $i;
+ $iEncStart = $i;
+ }
+ $enc_init = true;
+ $ret .= sprintf("=%02X", $k);
+ } else {
+ if ($iEncStart !== false) {
+ $cur_l++;
+ if ($cur_l > $max_l) {
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?=";
+ $iEncStart = false;
+ $iOffset = $i;
+ $cur_l = 0;
+ $ret = '';
+ } else {
+ $ret .= $string{$i};
+ }
+ }
+ }
+ break;
}
}
- if ($l) {
- $string = "=?$default_charset?Q?$ret?=";
+ if ($enc_init) {
+ if ($iEncStart !== false) {
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?=";
+ } else {
+ $aRet[] = substr($string,$iOffset);
+ }
+ $string = implode('',$aRet);
}
-
return $string;
}
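Review bot: In the `'='`/`'<'`/`'>'`/`','`/`'?'`/`'_'` case, when the length check flushes the current encoded word the character that triggered the flush is neither appended to `$ret` nor encoded; with `$iOffset = $i` and `$iEncStart = false` it is later copied raw by `substr($string,$iOffset,$iEncStart-$iOffset)`, so a character the encoder deliberately lists as needing encoding ends up unencoded in the output. The `default` branch handles the same situation by restarting with `$cur_l = 3; $iOffset = $i; $iEncStart = $i;` and then encoding the character; the special-character case should do the same instead of dropping it. `$max_l = 75 - strlen($default_charset) - 7` can also become very small for a long charset name, which would make nearly every character a flush; a lower bound would be safer. The function's header is outside the hunk.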
$me = 'sq_findnxreg';
$matches = Array();
$retarr = Array();
- preg_match("%^(.*?)($reg)%s", substr($body, $offset), $matches);
- if (!$matches{0}){
+ preg_match("%^(.*?)($reg)%si", substr($body, $offset), $matches);
+ if (!isset($matches{0}) || !$matches{0}){
$retarr = false;
} else {
$retarr{0} = $offset + strlen($matches{1});
/**
* This is an invalid tag! Look for the next closing ">".
*/
- $gt = sq_findnxstr($body, $offset, ">");
+ $gt = sq_findnxstr($body, $lt, ">");
return Array(false, false, false, $lt, $gt);
}
break;
* @param $content a string with whatever is between <style> and </style>
* @return a string with edited content.
*/
-function sq_fixstyle($message, $id, $content){
+function sq_fixstyle($body, $pos, $message, $id){
global $view_unsafe_images;
$me = 'sq_fixstyle';
+ $ret = sq_findnxreg($body, $pos, '</\s*style\s*>');
+ if ($ret == FALSE){
+ return array(FALSE, strlen($body));
+ }
+ $newpos = $ret[0] + strlen($ret[2]);
+ $content = $ret[1];
/**
* First look for general BODY style declaration, which would be
* like so:
/**
* Fix url('blah') declarations.
*/
- $content = preg_replace("|url\(([\'\"])\s*\S+script\s*:.*?([\'\"])\)|si",
+ $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
"url(\\1$secremoveimg\\2)", $content);
/**
* Fix url('https*://.*) declarations but only if $view_unsafe_images
* is false.
*/
if (!$view_unsafe_images){
- $content = preg_replace("|url\(([\'\"])\s*https*:.*?([\'\"])\)|si",
+ $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
"url(\\1$secremoveimg\\2)", $content);
}
-
+
/**
* Fix urls that refer to cid:
*/
- while (preg_match("|url\(([\'\"]\s*cid:.*?[\'\"])\)|si", $content,
- $matches)){
+ while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
+ $content, $matches)){
$cidurl = $matches{1};
$httpurl = sq_cid2http($message, $id, $cidurl);
- $content = preg_replace("|url\($cidurl\)|si",
+ $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
"url($httpurl)", $content);
}
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
*/
- $match = Array('/expression/si',
- '/behaviou*r/si',
- '/binding/si');
+ $match = Array('/expression/i',
+ '/behaviou*r/i',
+ '/binding/i');
$replace = Array('idiocy', 'idiocy', 'idiocy');
$content = preg_replace($match, $replace, $content);
- return $content;
+ return array($content, $newpos);
}
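Review bot: `$cidurl` is interpolated into the `preg_replace` pattern of the cid rewrite without `preg_quote`, although the `preg_match` above takes it from the untrusted message body; a value containing a regex metacharacter makes the replace fail to match, `$content` stays unchanged, and the surrounding `while (preg_match(...))` never terminates, so one message can pin a worker. Use `preg_replace('|url\s*\(\s*' . preg_quote($cidurl, '|') . '\s*\)|si', "url($httpurl)", $content);`. Separately, every `url(...)` pattern in this hunk requires a quote character after the parenthesis while CSS also allows the unquoted form, so an unquoted script-scheme or http URL is left untouched; `([\'\"]?)` in place of `([\'\"])` closes that gap. The body of `sq_fixstyle` continues outside the hunk.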
/**
unsave link image */
$httpurl = '';
if ($linkurl) {
- $httpurl = $quotchar . '../src/download.php?absolute_dl=true&' .
+ $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' .
"passed_id=$id&mailbox=" . urlencode($mailbox) .
'&ent_id=' . $linkurl . $quotchar;
}
$mailbox
){
$me = 'sq_sanitize';
+ $rm_tags = array_shift($tag_list);
/**
* Normalize rm_tags and rm_tags_with_content.
*/
- @array_walk($rm_tags, 'sq_casenormalize');
+ @array_walk($tag_list, 'sq_casenormalize');
@array_walk($rm_tags_with_content, 'sq_casenormalize');
@array_walk($self_closing_tags, 'sq_casenormalize');
/**
* false means remove these tags
* true means allow these tags
*/
- $rm_tags = array_shift($tag_list);
$curpos = 0;
$open_tags = Array();
$trusted = "<!-- begin sanitized html -->\n";
*/
$body = preg_replace("/&(\{.*?\};)/si", "&\\1", $body);
- while (($curtag=sq_getnxtag($body, $curpos)) != FALSE){
+ while (($curtag = sq_getnxtag($body, $curpos)) != FALSE){
list($tagname, $attary, $tagtype, $lt, $gt) = $curtag;
$free_content = substr($body, $curpos, $lt-$curpos);
/**
* Take care of <style>
*/
- if ($tagname == "style" && $tagtype == 2){
- /**
- * This is a closing </style>. Edit the
- * content before we apply it.
- */
- $free_content = sq_fixstyle($message, $id, $free_content);
+ if ($tagname == "style" && $tagtype == 1){
+ list($free_content, $curpos) =
+ sq_fixstyle($body, $gt+1, $message, $id);
+ if ($free_content != FALSE){
+ $trusted .= sq_tagprint($tagname, $attary, $tagtype);
+ $trusted .= $free_content;
+ $trusted .= sq_tagprint($tagname, false, 2);
+ }
+ continue;
}
if ($skip_content == false){
$trusted .= $free_content;
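Review bot: After `sq_fixstyle` the `continue` skips the rest of the loop body, so `$attary` of the `<style>` tag is printed by `sq_tagprint($tagname, $attary, $tagtype)` without whatever attribute filtering the loop applies to other tags further down (that code is outside the hunk, so confirm); if such filtering exists, apply it before printing, or print the opening tag with `false` for attributes as is already done for the closing tag. `if ($free_content != FALSE)` is a loose comparison, so a style block whose sanitized content is `'0'` is dropped along with the genuinely empty case; `!== FALSE` says what is meant. When no `</style>` is found the `strlen($body)` fallback discards the remainder of the message, a fail-closed choice that deserves a one-line comment at the call.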
$rm_attnames = Array(
"/.*/" =>
Array(
- "/target/si",
- "/^on.*/si",
- "/^dynsrc/si",
- "/^data.*/si"
+ "/target/i",
+ "/^on.*/i",
+ "/^dynsrc/i",
+ "/^data.*/i",
+ "/^lowsrc.*/i"
)
);
"\\1#\\2"
)
),
- "/^style/si" =>
+ "/^style/i" =>
Array(
Array(
- "/expression/si",
- "/binding/si",
- "/behaviou*r/si",
- "|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
- "/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/si",
- "/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/si",
- "/url\(([\'\"])\s*about\s*:.*([\'\"])\)/si"
+ "/expression/i",
+ "/binding/i",
+ "/behaviou*r/i",
+ "|url\s*\(\s*([\'\"])\s*\.\./.*([\'\"])\s*\)|si",
+ "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
+ "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
+ "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si"
),
Array(
"idiocy",
'/^([\'\"])\s*https*:.*([\'\"])/si');
array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1],
"\\1$secremoveimg\\2");
- array_push($bad_attvals{'/.*/'}{'/^style/si'}[0],
+ array_push($bad_attvals{'/.*/'}{'/^style/i'}[0],
'/url\(([\'\"])\s*https*:.*([\'\"])\)/si');
- array_push($bad_attvals{'/.*/'}{'/^style/si'}[1],
+ array_push($bad_attvals{'/.*/'}{'/^style/i'}[1],
"url(\\1$secremoveimg\\2)");
}
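Review bot: The pattern pushed by `array_push($bad_attvals{'/.*/'}{'/^style/i'}[0], ...)`, `'/url\(([\'\"])\s*https*:.*([\'\"])/si'`, keeps the strict `url\(` form while the commit relaxes every sibling pattern in the same table to `url\s*\(\s*...`; a `url ( 'http://…' )` declaration is therefore caught by the static entries but not by this one. Change it to `'/url\s*\(\s*([\'\"])\s*https*:.*([\'\"])/si'` so the two stay in step. The `$bad_attvals` table begins outside the hunk.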
$add_attr_to_tag = Array(
- "/^a$/si" => Array('target'=>'"_new"')
+ "/^a$/i" => Array('target'=>'"_new"')
);
$trusted = sq_sanitize($body,
$tag_list,
$id,
$mailbox
);
- if (preg_match("|$secremoveimg|si", $trusted)){
+ if (preg_match("|$secremoveimg|i", $trusted)){
$has_unsafe_images = true;
}
return $trusted;
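Review bot: `preg_match("|$secremoveimg|i", $trusted)` interpolates the replacement image path into a pattern without `preg_quote`, so any `.` in it matches any character and `$has_unsafe_images` can be set by unrelated text, and a path containing `|` would break the pattern. Quote it: `if (preg_match('|' . preg_quote($secremoveimg, '|') . '|i', $trusted)) {`. The enclosing function starts outside the hunk.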