author | Aleksander Machniak <alec@alec.pl> | 2014-02-14 18:25:02 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-02-14 18:25:02 +0100 |
commit | abecca8f4bc0898f952a3362bd42b4c78ac783c3 (patch) | |
tree | cf1f70fee183c64f2da2f0d7b09afd055b41c0ab /program/lib/Roundcube/html.php | |
parent | c6227fe7b08e2371f07250261a464cb86fdbc9d4 (diff) | |
parent | 80102a2dde8d2870ee7d8c4ad8e8626a555ecc2f (diff) |
Merge branch 'master' of github.com:roundcube/roundcubemail
Diffstat (limited to 'program/lib/Roundcube/html.php')
-rw-r--r-- | program/lib/Roundcube/html.php | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index 33517fbcd..64324dd8e 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -269,19 +269,28 @@ class html
 return '';
 }
- $allowed_f = array_flip((array)$allowed);
+ $allowed_f = array_flip((array)$allowed);
 $attrib_arr = array();
+
 foreach ($attrib as $key => $value) {
 // skip size if not numeric
 if ($key == 'size' && !is_numeric($value)) {
 continue;
 }
- // ignore "internal" or not allowed attributes
- if ($key == 'nl' || ($allowed && !isset($allowed_f[$key])) || $value === null) {
+ // ignore "internal" or empty attributes
+ if ($key == 'nl' || $value === null) {
 continue;
 }
+ // ignore not allowed attributes
+ if (!empty($allowed)) {
+ $is_data_attr = substr_compare($key, 'data-', 0, 5) === 0;
+ if (!isset($allowed_f[$key]) && (!$is_data_attr || !isset($allowed_f['data-*']))) {
+ continue;
+ }
+ }
+
 // skip empty eventhandlers
 if (preg_match('/^on[a-z]+/', $key) && !$value) {
 continue; |
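Review bot: The new `data-*` branch accepts any key that merely begins with `data-`, so the remainder of the attribute name is no longer constrained by the allow-list the way it was under the exact-match `isset($allowed_f[$key])` check. If keys in `$attrib` can originate from parsed or user-supplied markup, a name containing characters outside the HTML attribute-name grammar would pass this filter. Whether the name is escaped when the tag string is assembled is not visible here, since the function begins and ends outside the hunk. Constraining the suffix keeps the wildcard a real allow-list, e.g. `$is_data_attr = preg_match('/^data-[a-z0-9_-]+$/i', $key) === 1;`. A comment such as `// 'data-*' in $allowed permits any well-formed data- attribute` would also document the wildcard convention for callers.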