summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2007-11-01 09:51:14 +0000
committerthomascube <thomas@roundcube.net>2007-11-01 09:51:14 +0000
commita08a60e974c63547eeb9399ee7243d585a309278 (patch)
tree77cf36b9c8ecfd558572ead0e15745eff7a543c1
parent6270699ba812e0ac8c3e5db348cb4f9770f77fb5 (diff)
Also remove unclosed script tags (fixes XSS vulnerability)
-rw-r--r--program/steps/mail/func.inc6
1 files changed, 3 insertions, 3 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 02263292a..c072c9118 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -973,10 +973,10 @@ function rcmail_sanitize_html($body, $container_id)
// remove SCRIPT tags
foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
{
- while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)))
+ while (($pos = strpos($body_lc, '<'.$tag)) && (($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)) || ($pos3 = strpos($body_lc, '>', $pos))))
{
- $pos2 += strlen('</'.$tag.'>');
- $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
+ $end = $pos2 ? $pos2 + strlen('</'.$tag.'>') : $pos3 + 1;
+ $body = substr($body, 0, $pos) . substr($body, $end, strlen($body)-$end);
$body_lc = strtolower($body);
}
}