From af861a3477467e5e1fd9f5de3f641d41b9aa4280 Mon Sep 17 00:00:00 2001
From: jangliss
Date: Fri, 6 Feb 2004 19:23:50 +0000
Subject: [PATCH] XSS Fixes

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6526 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog | 1 +
 functions/mime.php | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 34b26668..de4cb754 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ Version 1.5.1 -- CVS
 --------------------
 - New reply citation to include date and author.
+ - XSS fix.
 
 Version 1.5.0
 
diff --git a/functions/mime.php b/functions/mime.php
index 32bdcb22..55779e5f 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -1394,6 +1394,12 @@ function sq_fixatts($tagname,
 $attvalue = sq_deent($attvalue);
 $attvalue = sq_unspace($attvalue);
 
+ /**
+ * Remove \r \n \t \0 " " "\\"
+ */
+ $attvalue = str_replace(Array("\r", "\n", "\t", "\0", " ", "\\"),
+ Array('', '','','','',''), $attvalue);
+
 /**
 * Now let's run checks on the attvalues.
 * I don't expect anyone to comprehend this. If you do,
@@ -1857,7 +1863,8 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
 "/include-source/i",
 "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
 "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
- "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si"
+ "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
 ),
 Array(
 "idiocy",
@@ -1867,7 +1874,8 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
 "url(\\1#\\1)",
 "url(\\1#\\1)",
 "url(\\1#\\1)",
- "url(\\1#\\1)"
+ "url(\\1#\\1)",
+ "\\1:url(\\2#\\3)"
 )
 )
 )
-- 
2.25.1
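Review bot: The new `str_replace` on `$attvalue` deletes the literal space character from every attribute value that reaches this point (the enclosing loop is outside the hunk, so this appears to apply to all attributes, not only URL-bearing ones), so multi-word values such as an `alt` or `title` text or a `style` declaration like `font-family: Times New Roman` are silently altered. If that loss of fidelity is the intended price of the check, the comment should say so rather than only listing the characters, e.g. `/* Strip whitespace, NUL and backslashes so the attribute checks below operate on the bare value; note this also removes spaces from ordinary text attributes. */`. The list is also narrower than the class it is guarding: the other C0 control characters (vertical tab, form feed, …) are left in place, so a range such as `$attvalue = preg_replace('/[\x00-\x20]/', '', $attvalue);` alongside the existing backslash removal would be harder to get out of sync than a hand-maintained list — assuming the later checks are meant to see a control-free value, which the hunk does not show. Inside a function body a `/* */` or `//` comment is appropriate (`/** */` is the docblock form for declarations), and `Array(` would conventionally be `array(`. sq_fixatts's attribute loop begins and ends outside the hunk.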
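Review bot: The leading `(.*)` in the new pattern is greedy and, under the `s` modifier, can span the whole style text, so when the input holds more than one unquoted script URL only the last one is rewritten and the earlier ones are copied into `\1` untouched; the `.*` after `script\s*:` likewise runs to the last `)` and folds whatever declarations lie between into the single replacement. Making both quantifiers lazy keeps the intent and lets `preg_replace` handle every occurrence: `"/(.*?)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*?([\'\"]*)\s*\)/si"`. With the lazy form a URL containing its own parentheses leaves a stray `)` behind, which is harmless but worth a one-line comment next to the pattern. The three existing `url(...)` patterns above it share the greedy `.*` but are outside this change. The replacement for this pattern is added in the next hunk, and magicHTML's pattern array begins and ends outside the hunk.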
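Review bot: The new replacement `"\\1:url(\\2#\\3)"` closes the rewritten URL with group 3, whereas the three entries above it reuse the opening quote (`url(\\1#\\1)`); because the pattern's `.*` before group 3 is greedy, group 3 is normally empty, so a quoted match like `url("javascript:…")` comes out as `url("#)` with an unbalanced quote. Mirroring the existing convention, `"\\1:url(\\2#\\2)"`, keeps the output balanced whatever group 3 captured. The pattern this replacement belongs to is in the previous hunk, and the surrounding array literal begins and ends outside this hunk.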