From bb40a9c1d9766ba4212a3350fbd702af3e2d06ee Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Tue, 12 Jul 2011 04:59:12 +0000
Subject: [PATCH 1/1] Fix XSS problem with unsanitized style tags in messages [CVE-2011-2023]
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14122 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 doc/ChangeLog | 1 +
 functions/mime.php | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 64fbb789..06cf9065 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -365,6 +365,7 @@ Version 1.5.2 - SVN
 - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, and added anti-CSRF protection to the empty trash feature (thanks to Nicholas Carlini for finding all these issues). [CVE-2010-4555]
+ - Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/functions/mime.php b/functions/mime.php
index 57bdf2f2..1e8fc880 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -2350,6 +2350,15 @@ function sq_sanitize($body,
 list($free_content, $curpos) =
 sq_fixstyle($body, $gt+1, $message, $id, $mailbox);
 if ($free_content != FALSE){
+ $attary = sq_fixatts($tagname,
+ $attary,
+ $rm_attnames,
+ $bad_attvals,
+ $add_attr_to_tag,
+ $message,
+ $id,
+ $mailbox
+ );
 $trusted .= sq_tagprint($tagname, $attary, $tagtype);
 $trusted .= $free_content;
 $trusted .= sq_tagprint($tagname, false, 2);
-- 
2.25.1
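Review bot: The new `sq_fixatts()` call in the `functions/mime.php` hunk runs on `$attary` unconditionally, yet the closing-tag call a few lines below passes `false` as the attribute argument to `sq_tagprint()`, which suggests the attribute value can be `false` or empty for a style tag written without attributes. Whether `sq_fixatts()` tolerates a non-array is not visible in this hunk, so consider guarding the call, e.g. `if (is_array($attary) && sizeof($attary) > 0) { $attary = sq_fixatts(...); }`. A short comment above the call would also record why it is needed, such as `// attributes of style tags must be filtered here before sq_tagprint() emits them`; that wording assumes this branch is not covered by the generic attribute checks, which the commit subject implies but the hunk does not show. The body of `sq_sanitize` starts and ends outside the hunk, so both points should be checked against the full function.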