From 1c499ae930907ecb37ba31997ffcb71827d524f9 Mon Sep 17 00:00:00 2001 From: thomascube Date: Fri, 12 Sep 2008 15:14:34 +0000 Subject: Allow (sanitized) style elements in HTML messages --- program/include/main.inc | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'program/include') diff --git a/program/include/main.inc b/program/include/main.inc index 87c727700..0453b14ad 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -597,7 +597,8 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') $last_pos = 0; // ignore the whole block if evil styles are detected - if (stristr($source, 'expression') || stristr($source, 'behavior')) + $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source)); + if (preg_match('/expression|behavior|url\(|import/', $stripped)) return ''; // cut out all contents between { and } @@ -632,6 +633,22 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '') } +/** + * Decode escaped entities used by known XSS exploits. + * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples + * + * @param string CSS content to decode + * @return string Decoded string + */ +function rcmail_xss_entitiy_decode($content) +{ + $out = html_entity_decode(html_entity_decode($content)); + $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out); + $out = preg_replace('#/\*.+\*/#Um', '', $out); + return $out; +} + + /** * Compose a valid attribute string for HTML tags * -- cgit v1.2.3