diff options
| author | thomascube <thomas@roundcube.net> | 2008-09-12 15:14:34 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2008-09-12 15:14:34 +0000 |
| commit | 1c499ae930907ecb37ba31997ffcb71827d524f9 (patch) | |
| tree | 46fd821372165050720ce5bc3c806499c6980e96 /program/include/main.inc | |
| parent | 9bed2d86d55fe755f0bd0ba8c001bfc3889f6509 (diff) | |
Allow (sanitized) style elements in HTML messages
Diffstat (limited to 'program/include/main.inc')
| -rw-r--r-- | program/include/main.inc | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/program/include/main.inc b/program/include/main.inc index 87c727700..0453b14ad 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -597,7 +597,8 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') $last_pos = 0; // ignore the whole block if evil styles are detected - if (stristr($source, 'expression') || stristr($source, 'behavior')) + $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source)); + if (preg_match('/expression|behavior|url\(|import/', $stripped)) return ''; // cut out all contents between { and } @@ -633,6 +634,22 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') /** + * Decode escaped entities used by known XSS exploits. + * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples + * + * @param string CSS content to decode + * @return string Decoded string + */ +function rcmail_xss_entitiy_decode($content) +{ + $out = html_entity_decode(html_entity_decode($content)); + $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out); + $out = preg_replace('#/\*.+\*/#Um', '', $out); + return $out; +} + + +/** * Compose a valid attribute string for HTML tags * * @param array Named tag attributes |