Diffstat (limited to 'program/lib/Roundcube/html.php')
-rw-r--r-- | program/lib/Roundcube/html.php | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index 33517fbcd..a88570d75 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -269,19 +269,27 @@ class html
 return '';
 }
 
- $allowed_f = array_flip((array)$allowed);
+ $allowed_f = array_flip((array)$allowed);
 $attrib_arr = array();
+
 foreach ($attrib as $key => $value) {
 // skip size if not numeric
 if ($key == 'size' && !is_numeric($value)) {
 continue;
 }
 
- // ignore "internal" or not allowed attributes
- if ($key == 'nl' || ($allowed && !isset($allowed_f[$key])) || $value === null) {
+ // ignore "internal" or empty attributes
+ if ($key == 'nl' || $value === null) {
 continue;
 }
 
+ // ignore not allowed attributes, except data-*
+ if (!empty($allowed)) {
+ if (!isset($allowed_f[$key]) && @substr_compare($key, 'data-', 0, 5) !== 0) {
+ continue;
+ }
+ }
+
 // skip empty eventhandlers
 if (preg_match('/^on[a-z]+/', $key) && !$value) {
 continue; |
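Review bot: The new `data-*` exception checks only the first five characters of `$key`, so when an `$allowed` list is supplied, any key that merely starts with `data-` now bypasses it, whatever follows the prefix. Before this change the allowlist constrained every attribute name. If attribute arrays can be built from untrusted markup and the key is written into the tag unescaped (both happen outside this hunk, so please confirm), the rest of the name needs validating too. I would match the whole name instead: `if (!isset($allowed_f[$key]) && !preg_match('/^data-[a-z0-9_-]+$/i', $key)) {`. That also removes the `@` suppression, which currently hides whatever warning `substr_compare()` raises for short or non-string keys. The enclosing method starts and ends outside the hunk.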