| | |
|---|
| | | $last_pos = 0; |
|---|
| | | |
|---|
| | | // ignore the whole block if evil styles are detected |
|---|
| | | if (stristr($source, 'expression') || stristr($source, 'behavior')) |
|---|
| | | $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source)); |
|---|
| | | if (preg_match('/expression|behavior|url\(|import/', $stripped)) |
|---|
| | | return ''; |
|---|
| | | |
|---|
| | | // cut out all contents between { and } |
|---|
| | |
|---|
| | | |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Decode escaped entities used by known XSS exploits. |
|---|
| | | * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples |
|---|
| | | * |
|---|
| | | * @param string CSS content to decode |
|---|
| | | * @return string Decoded string |
|---|
| | | */ |
|---|
| | | function rcmail_xss_entitiy_decode($content) |
|---|
| | | { |
|---|
| | | $out = html_entity_decode(html_entity_decode($content)); |
|---|
| | | $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out); |
|---|
| | | $out = preg_replace('#/\*.*\*/#Um', '', $out); |
|---|
| | | return $out; |
|---|
| | | } |
|---|
| | | |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Compose a valid attribute string for HTML tags |
|---|
| | | * |
|---|
| | | * @param array Named tag attributes |
|---|
