XSS Fixes
authorjangliss <jangliss@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 6 Feb 2004 19:23:50 +0000 (19:23 +0000)
committerjangliss <jangliss@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 6 Feb 2004 19:23:50 +0000 (19:23 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6526 7612ce4b-ef26-0410-bec9-ea0150e637f0

ChangeLog
functions/mime.php

index 34b2666..de4cb75 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
 Version 1.5.1 -- CVS
 --------------------
   - New reply citation to include date and author.
+  - XSS fix.
 
 
 Version 1.5.0
index 32bdcb2..55779e5 100644 (file)
@@ -1395,6 +1395,12 @@ function sq_fixatts($tagname,
         $attvalue = sq_unspace($attvalue);
 
         /**
+         * Remove \r \n \t \0 " " "\\"
+         */
+        $attvalue = str_replace(Array("\r", "\n", "\t", "\0", " ", "\\"), 
+                        Array('', '','','','',''), $attvalue);
+
+        /**
          * Now let's run checks on the attvalues.
          * I don't expect anyone to comprehend this. If you do,
          * get in touch with me so I can drive to where you live and
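Review bot: The added `str_replace` overwrites `$attvalue` itself, so if this value is later written back into the tag (that part of sq_fixatts is outside the hunk), every attribute loses its spaces and backslashes, including plain-text ones such as `alt` or `title`. One option is to run the checks against a normalised copy, `$checkvalue = str_replace(Array("\r", "\n", "\t", "\0", " ", "\\"), '', $attvalue);`, and only replace the original when a check fires. The new comment lists the characters but not the reason; something like `Strip characters that can break up a keyword or scheme so the checks below see the value the browser would` would help the next reader. The second argument can also be a single `''` instead of an array of six empty strings.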
@@ -1857,7 +1863,8 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                                 "/include-source/i",
                                 "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
                                 "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
-                                "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si"
+                                "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
+                                "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
                                ),
                           Array(
                                 "idiocy",
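Review bot: The new pattern opens with a greedy `(.*)` under the `s` modifier, so a match starts at the beginning of the value and extends to the last `: url(` that fits. Any earlier `url(...)` of the same form then sits inside `\\1` and is copied back unchanged by the replacement in the next hunk. Dropping the prefix group, as the three patterns above do, lets `preg_replace` rewrite every occurrence: `"/url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"` paired with `"url(\\1#\\2)"`. The stacked `.*` groups may also backtrack heavily on long input. The enclosing array starts and ends outside the hunk.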
@@ -1867,7 +1874,8 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                                 "url(\\1#\\1)",
                                 "url(\\1#\\1)",
                                 "url(\\1#\\1)",
-                                "url(\\1#\\1)"
+                                "url(\\1#\\1)",
+                                "\\1:url(\\2#\\3)"
                                )
                           )
                 )
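Review bot: The added replacement `"\\1:url(\\2#\\3)"` is tied to the pattern added in the previous hunk only by its position at the end of the second array. An entry inserted into one array but not the other would silently shift every later pair. A short comment beside it, for example `// pairs with the unquoted url(...script:...) pattern above`, would make the coupling visible. `\\2` and `\\3` come from two independent `([\'\"]*)` groups, so the emitted opening and closing quotes are not guaranteed to match. The enclosing arrays start outside the hunk.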