summaryrefslogtreecommitdiff
path: root/program/include/main.inc
diff options
context:
space:
mode:
Diffstat (limited to 'program/include/main.inc')
-rw-r--r--program/include/main.inc19
1 files changed, 18 insertions, 1 deletions
diff --git a/program/include/main.inc b/program/include/main.inc
index 87c727700..0453b14ad 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -597,7 +597,8 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
$last_pos = 0;
// ignore the whole block if evil styles are detected
- if (stristr($source, 'expression') || stristr($source, 'behavior'))
+ $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source));
+ if (preg_match('/expression|behavior|url\(|import/', $stripped))
return '';
// cut out all contents between { and }
@@ -633,6 +634,22 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
/**
+ * Decode escaped entities used by known XSS exploits.
+ * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples
+ *
+ * @param string CSS content to decode
+ * @return string Decoded string
+ */
+function rcmail_xss_entitiy_decode($content)
+{
+ $out = html_entity_decode(html_entity_decode($content));
+ $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out);
+ $out = preg_replace('#/\*.+\*/#Um', '', $out);
+ return $out;
+}
+
+
+/**
* Compose a valid attribute string for HTML tags
*
* @param array Named tag attributes