+/**
+ * This function filters url's
+ *
+ * @param $attvalue String with attribute value to filter
+ * @param $message message object
+ * @param $id message id
+ * @param $mailbox mailbox
+ * @param $sQuote quoting characters around url's
+ */
+function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') {
+ $attvalue = trim($attvalue);
+ if ($attvalue && ($attvalue[0] =='"'|| $attvalue[0] == "'")) {
+ // remove the double quotes
+ $sQuote = $attvalue[0];
+ $attvalue = trim(substr($attvalue,1,-1));
+ }
+
+ // If there's no "view_unsafe_images" variable in the URL, turn unsafe
+ // images off by default.
+ sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
+
+ $secremoveimg = '../images/' . _("sec_remove_eng.png");
+
+ /**
+ * Replace empty src tags with the blank image. src is only used
+ * for frames, images, and image inputs. Doing a replace should
+ * not affect them working as should be, however it will stop
+ * IE from being kicked off when src for img tags are not set
+ */
+ if ($attvalue == '') {
+ $attvalue = '"' . SM_PATH . 'images/blank.png"';
+ } else {
+ // first, disallow 8 bit characters and control characters
+ if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
+ switch ($attname) {
+ case 'href':
+ $attvalue = $sQuote . 'http://invalid-stuff-detected.example.com' . $sQuote;
+ break;
+ default:
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ break;
+ }
+ } else {
+ $aUrl = parse_url($attvalue);
+ if (isset($aUrl['scheme'])) {
+ switch(strtolower($aUrl['scheme'])) {
+ case 'mailto':
+ case 'http':
+ case 'https':
+ case 'ftp':
+ if ($attname != 'href') {
+ if ($view_unsafe_images == false) {
+ $attvalue = $sQuote . $secremoveimg . $sQuote;
+ } else {
+ if (isset($aUrl['path'])) {
+ // validate image extension.
+ $ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
+ if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
+ } else {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
+ }
+ }
+ break;
+ case 'outbind':
+ /**
+ * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
+ * One day MS might actually make it match something useful, for now, falling
+ * back to using cid2http, so we can grab the blank.png.
+ */
+ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ break;
+ case 'cid':
+ /**
+ * Turn cid: urls into http-friendly ones.
+ */
+ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ break;
+ default:
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
+ break;
+ }
+ } else {
+ if (!(isset($aUrl['path']) && $aUrl['path'] == $secremoveimg)) {
+ // parse_url did not lead to satisfying result
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
+ }
+ }
+ }
+ }
+}
+