From 7d06541f28122c47f53159b14d5bd03bae9baafb Mon Sep 17 00:00:00 2001 From: graf25 Date: Sun, 29 Jun 2003 17:50:30 +0000 Subject: [PATCH 1/1] Applied bugfixes to htmlfilter code from stable. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@5166 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 1 + functions/mime.php | 55 +++++++++++++++++++++++++++------------------- 2 files changed, 33 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6dd9c8e7..3fcd6589 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,7 @@ Version 1.5.0 -- CVS bad formatted addresses. - Modified conf.pl: default to force usernames lowercase for servers which are case-insensitive + - Applied bugfixes from stable to htmlfilter code. ************************************** *** SquirrelMail Stable Series 1.4 *** diff --git a/functions/mime.php b/functions/mime.php index 4fe14937..ec703c34 100644 --- a/functions/mime.php +++ b/functions/mime.php @@ -927,8 +927,8 @@ function sq_findnxreg($body, $offset, $reg){ $me = 'sq_findnxreg'; $matches = Array(); $retarr = Array(); - preg_match("%^(.*?)($reg)%s", substr($body, $offset), $matches); - if (!$matches{0}){ + preg_match("%^(.*?)($reg)%si", substr($body, $offset), $matches); + if (!isset($matches{0}) || !$matches{0}){ $retarr = false; } else { $retarr{0} = $offset + strlen($matches{1}); @@ -1057,7 +1057,7 @@ function sq_getnxtag($body, $offset){ /** * This is an invalid tag! Look for the next closing ">". */ - $gt = sq_findnxstr($body, $offset, ">"); + $gt = sq_findnxstr($body, $lt, ">"); return Array(false, false, false, $lt, $gt); } break; @@ -1369,9 +1369,15 @@ function sq_fixatts($tagname, * @param $content a string with whatever is between * @return a string with edited content. */ -function sq_fixstyle($message, $id, $content){ +function sq_fixstyle($body, $pos, $message, $id){ global $view_unsafe_images; $me = 'sq_fixstyle'; + $ret = sq_findnxreg($body, $pos, ''); + if ($ret == FALSE){ + return array(FALSE, strlen($body)); + } + $newpos = $ret[0] + strlen($ret[2]); + $content = $ret[1]; /** * First look for general BODY style declaration, which would be * like so: @@ -1383,25 +1389,25 @@ function sq_fixstyle($message, $id, $content){ /** * Fix url('blah') declarations. */ - $content = preg_replace("|url\(([\'\"])\s*\S+script\s*:.*?([\'\"])\)|si", + $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", "url(\\1$secremoveimg\\2)", $content); /** * Fix url('https*://.*) declarations but only if $view_unsafe_images * is false. */ if (!$view_unsafe_images){ - $content = preg_replace("|url\(([\'\"])\s*https*:.*?([\'\"])\)|si", + $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", "url(\\1$secremoveimg\\2)", $content); } /** * Fix urls that refer to cid: */ - while (preg_match("|url\(([\'\"]\s*cid:.*?[\'\"])\)|si", $content, - $matches)){ + while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", + $content, $matches)){ $cidurl = $matches{1}; $httpurl = sq_cid2http($message, $id, $cidurl); - $content = preg_replace("|url\($cidurl\)|si", + $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", "url($httpurl)", $content); } @@ -1414,7 +1420,7 @@ function sq_fixstyle($message, $id, $content){ '/binding/i'); $replace = Array('idiocy', 'idiocy', 'idiocy'); $content = preg_replace($match, $replace, $content); - return $content; + return array($content, $newpos); } /** @@ -1514,10 +1520,11 @@ function sq_sanitize($body, $mailbox ){ $me = 'sq_sanitize'; + $rm_tags = array_shift($tag_list); /** * Normalize rm_tags and rm_tags_with_content. */ - @array_walk($rm_tags, 'sq_casenormalize'); + @array_walk($tag_list, 'sq_casenormalize'); @array_walk($rm_tags_with_content, 'sq_casenormalize'); @array_walk($self_closing_tags, 'sq_casenormalize'); /** @@ -1525,7 +1532,6 @@ function sq_sanitize($body, * false means remove these tags * true means allow these tags */ - $rm_tags = array_shift($tag_list); $curpos = 0; $open_tags = Array(); $trusted = "\n"; @@ -1536,18 +1542,21 @@ function sq_sanitize($body, */ $body = preg_replace("/&(\{.*?\};)/si", "&\\1", $body); - while (($curtag=sq_getnxtag($body, $curpos)) != FALSE){ + while (($curtag = sq_getnxtag($body, $curpos)) != FALSE){ list($tagname, $attary, $tagtype, $lt, $gt) = $curtag; $free_content = substr($body, $curpos, $lt-$curpos); /** * Take care of . Edit the - * content before we apply it. - */ - $free_content = sq_fixstyle($message, $id, $free_content); + if ($tagname == "style" && $tagtype == 1){ + list($free_content, $curpos) = + sq_fixstyle($body, $gt+1, $message, $id); + if ($free_content != FALSE){ + $trusted .= sq_tagprint($tagname, $attary, $tagtype); + $trusted .= $free_content; + $trusted .= sq_tagprint($tagname, false, 2); + } + continue; } if ($skip_content == false){ $trusted .= $free_content; @@ -1746,10 +1755,10 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') { "/expression/i", "/binding/i", "/behaviou*r/i", - "|url\(([\'\"])\s*\.\./.*([\'\"])\)|si", - "/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/si", - "/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/si", - "/url\(([\'\"])\s*about\s*:.*([\'\"])\)/si" + "|url\s*\(\s*([\'\"])\s*\.\./.*([\'\"])\s*\)|si", + "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", + "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", + "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si" ), Array( "idiocy", -- 2.25.1