From ea206d3d9299ce32996dcd24d49790e36f2b89a2 Mon Sep 17 00:00:00 2001 From: thomascube Date: Fri, 1 Sep 2006 10:01:31 +0000 Subject: Improved message parsing and HTML validation --- program/steps/mail/func.inc | 31 ++++++++++++++----------------- program/steps/mail/get.inc | 14 ++++++++------ program/steps/mail/show.inc | 2 +- program/steps/settings/save_identity.inc | 17 +++++++++-------- 4 files changed, 32 insertions(+), 32 deletions(-) (limited to 'program/steps') diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index bae14a299..58da0ca45 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -676,18 +676,18 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) if (!$safe) // remove remote images and scripts { - $remote_patterns = array('/(src|background)=(["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)(\2|\s|>)/Ui', - // '/(src|background)=(["\']?)([\.\/]+[^"\'\s]+)(\2|\s|>)/Ui', + $remote_patterns = array('/)/Ui', + '/(src|background)=(["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)(\2|\s|>)/Ui', '/()/i', '/()/i', '/url\s*\(["\']?([hftps]{3,5}:\/{2}[^"\'\s]+)["\']?\)/i', '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i', '//Umis'); - $remote_replaces = array('', // '\\1=\\2#\\4', - // '\\1=\\2#\\4', + $remote_replaces = array('\n".$body."\n"; + return "
".$body."\n
"; } } @@ -947,7 +947,7 @@ function rcmail_parse_message(&$structure, $arg=array(), $recursive=FALSE) $a_replaces = array(); foreach ($sa_inline_objects as $inline_object) - $a_replaces['cid:'.$inline_object->content_id] = sprintf($get_url, $inline_object->mime_id); + $a_replaces['cid:'.$inline_object->content_id] = htmlspecialchars(sprintf($get_url, $inline_object->mime_id)); // add replace array to each content part // (will be applied later when part body is available) @@ -1092,8 +1092,8 @@ function rcmail_message_body($attrib) foreach ($MESSAGE['attachments'] as $attach_prop) { if (strpos($attach_prop->mimetype, 'image/')===0) - $out .= sprintf("\n
\n

\"%s\"

\n", - $GET_URL, $attach_prop->mime_id, + $out .= sprintf("\n
\n

\"%s\"

\n", + htmlspecialchars($GET_URL), $attach_prop->mime_id, $attach_prop->filename, $attach_prop->filename); } @@ -1121,15 +1121,12 @@ function rcmail_mod_html_body($body, $container_id) // find STYLE tags while (($pos = strpos($body_lc, '', $pos))) { - $pos2 += 8; - $body_pre = substr($body, 0, $pos); - $styles = substr($body, $pos, $pos2-$pos); - $body_post = substr($body, $pos2, strlen($body)-$pos2); - + $pos = strpos($body_lc, '>', $pos)+1; + // replace all css definitions with #container [def] - $styles = rcmail_mod_css_styles($styles, $container_id); - - $body = $body_pre . $styles . $body_post; + $styles = rcmail_mod_css_styles(substr($body, $pos, $pos2-$pos), $container_id); + + $body = substr($body, 0, $pos) . $styles . substr($body, $pos2); $last_style_pos = $pos2; } diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index f05bbbd94..083de8664 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -87,17 +87,19 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) // deliver part content if ($ctype_primary=='text' && $ctype_secondary=='html') { - // get part body if not available - if (!$part->body) - $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part); - - list($MESSAGE['parts']) = rcmail_parse_message($part, + // we have to analyze the whole structure again to find inline objects + list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'], array('safe' => (bool)$_GET['_safe'], 'prefer_html' => TRUE, 'get_url' => $GET_URL.'&_part=%s')); + $part = &$MESSAGE['parts'][0]; + + // get part body if not available + if (!$part->body) + $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part); $OUTPUT = new rcube_html_page(); - $OUTPUT->write(rcmail_print_body($MESSAGE['parts'][0], (bool)$_GET['_safe'])); + $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe'])); } else { diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index f381818ed..51633fa7b 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -108,7 +108,7 @@ function rcmail_message_attachments($attrib) show_bytes($attach_prop->size)); else $out .= sprintf('
  • %s
  • '."\n", - htmlentities($GET_URL), + htmlspecialchars($GET_URL), $attach_prop->mime_id, $JS_OBJECT_NAME, $attach_prop->mime_id, diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 2d64dc7b3..ffbcfe3d9 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -61,18 +61,19 @@ if ($_POST['_iid']) $updated = $DB->affected_rows(); } - if ($updated && !empty($_POST['_standard'])) + if ($updated) { show_message('successfullysaved', 'confirmation'); // mark all other identities as 'not-default' - $DB->query("UPDATE ".get_table_name('identities')." - SET ".$DB->quoteIdentifier('standard')."='0' - WHERE user_id=? - AND identity_id<>? - AND del<>1", - $_SESSION['user_id'], - get_input_value('_iid', RCUBE_INPUT_POST)); + if (!empty($_POST['_standard'])) + $DB->query("UPDATE ".get_table_name('identities')." + SET ".$DB->quoteIdentifier('standard')."='0' + WHERE user_id=? + AND identity_id<>? + AND del<>1", + $_SESSION['user_id'], + get_input_value('_iid', RCUBE_INPUT_POST)); if ($_POST['_framed']) { -- cgit v1.2.3