2 files changed, 10 insertions, 5 deletions

diff --git a/tests/mailfunc.php b/tests/mailfunc.php
index bf9163b7d..8fd2cd3d5 100644
--- a/tests/mailfunc.php
+++ b/tests/mailfunc.php
@@ -19,6 +19,8 @@ class rcube_test_mailfunc extends UnitTestCase
     $IMAP = $RCMAIL->imap;
     
     require_once 'steps/mail/func.inc';
+    
+    $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN;
   }
 
   /**
@@ -43,7 +45,7 @@ class rcube_test_mailfunc extends UnitTestCase
     $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
     
     // render HTML in normal mode
-    $html = rcmail_print_body($part, array('safe' => false));
+    $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
 
     $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
     $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
@@ -71,10 +73,13 @@ class rcube_test_mailfunc extends UnitTestCase
   {
     $part = $this->get_html_part('src/htmlxss.txt');
     $washed = rcmail_print_body($part, array('safe' => true));
-
+    
     $this->assertNoPattern('/src="skins/', $washed, "Remove local references");
-    $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
-    $this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
+    $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes");
+    
+    $html = rcmail_html4inline($washed, 'foo');
+    $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
+    $this->assertNoPattern('/alert/', $html, "Remove alerts");
   }
 
   /**
diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt
index 60ceb944e..f6c43e353 100644
--- a/tests/src/htmlxss.txt
+++ b/tests/src/htmlxss.txt
@@ -3,7 +3,7 @@
 
 <p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p>
 
-<p><a href="javascript:alert(document.cookie)">mail me!</a>
+<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a>
 <a href="http://roundcube.net" target="_self">roundcube.net</a>
 <a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a>