diff options
Diffstat (limited to 'program/include/main.inc')
-rw-r--r-- | program/include/main.inc | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/program/include/main.inc b/program/include/main.inc index 87c727700..0453b14ad 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -597,7 +597,8 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') $last_pos = 0; // ignore the whole block if evil styles are detected - if (stristr($source, 'expression') || stristr($source, 'behavior')) + $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source)); + if (preg_match('/expression|behavior|url\(|import/', $stripped)) return ''; // cut out all contents between { and } @@ -633,6 +634,22 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') /** + * Decode escaped entities used by known XSS exploits. + * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples + * + * @param string CSS content to decode + * @return string Decoded string + */ +function rcmail_xss_entitiy_decode($content) +{ + $out = html_entity_decode(html_entity_decode($content)); + $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out); + $out = preg_replace('#/\*.+\*/#Um', '', $out); + return $out; +} + + +/** * Compose a valid attribute string for HTML tags * * @param array Named tag attributes |