diff options
| author | Aleksander Machniak <alec@alec.pl> | 2014-05-20 19:25:45 +0200 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2014-05-20 19:26:27 +0200 |
| commit | 2d233bf49c7d1eee76c2d0b9591a4576a99b5e66 (patch) | |
| tree | f349536aeb05b264e40aecf7c04902ed8b202bbd | |
| parent | 5c8e60d45de9dd2e44ef4fde77ab777ae7f9410f (diff) | |
Fix incorrect handling of HTML comments in messages sanitization code (#1489904)
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_washtml.php | 2 | ||||
| -rw-r--r-- | tests/Framework/Washtml.php | 10 |
3 files changed, 12 insertions, 1 deletions
@@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail - Fix unintentional draft autosave request if autosave is disabled (#1489882) - Fix malformed References: header in send/saved mail (#1489891) - Fix handling unicode characters in links (#1489898) +- Fix incorrect handling of HTML comments in messages sanitization code (#1489904) RELEASE 1.0.1 ------------- diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index e23e5b21d..5f40eecf4 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -456,7 +456,7 @@ class rcube_washtml // Remove invalid HTML comments (#1487759) // Don't remove valid conditional comments // Don't remove MSOutlook (<!-->) conditional comments (#1489004) - $html = preg_replace('/<!--[^->\[\n]+>/', '', $html); + $html = preg_replace('/<!--[^-<>\[\n]+>/', '', $html); // fix broken nested lists self::fix_broken_lists($html); diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index ab1ada05f..5c15c692c 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -53,6 +53,16 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase $washed = $washer->wash($html); $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>test</p>', $washed, "HTML invalid comments (#1487759)"); + + $html = "<p>para1</p><!-- comment --><p>para2</p>"; + $washed = $washer->wash($html); + + $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><!-- node type 8 --><p>para2</p>', $washed, "HTML comments - simple comment"); + + $html = "<p>para1</p><!-- <hr> comment --><p>para2</p>"; + $washed = $washer->wash($html); + + $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><!-- node type 8 --><p>para2</p>', $washed, "HTML comments - tags inside (#1489904)"); } /** |