| | |
|---|
| | | return $str; |
|---|
| | | |
|---|
| | | $aliases = array( |
|---|
| | | 'US-ASCII' => 'ISO-8859-1', |
|---|
| | | 'UNKNOWN-8BIT' => 'ISO-8859-15', |
|---|
| | | 'X-UNKNOWN' => 'ISO-8859-15', |
|---|
| | | 'X-USER-DEFINED' => 'ISO-8859-15', |
|---|
| | |
|---|
| | | $str = strip_tags($str); |
|---|
| | | |
|---|
| | | // avoid douple quotation of & |
|---|
| | | $out = preg_replace('/&([a-z]{2,5}|#[0-9]{2,4});/', '&\\1;', strtr($str, $encode_arr)); |
|---|
| | | $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', strtr($str, $encode_arr)); |
|---|
| | | |
|---|
| | | return $newlines ? nl2br($out) : $out; |
|---|
| | | } |
|---|
| | |
|---|
| | | $last_pos = 0; |
|---|
| | | |
|---|
| | | // ignore the whole block if evil styles are detected |
|---|
| | | if (stristr($source, 'expression') || stristr($source, 'behavior')) |
|---|
| | | $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source)); |
|---|
| | | if (preg_match('/expression|behavior|url\(|import/', $stripped)) |
|---|
| | | return ''; |
|---|
| | | |
|---|
| | | // cut out all contents between { and } |
|---|
| | |
|---|
| | | |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Decode escaped entities used by known XSS exploits. |
|---|
| | | * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples |
|---|
| | | * |
|---|
| | | * @param string CSS content to decode |
|---|
| | | * @return string Decoded string |
|---|
| | | */ |
|---|
| | | function rcmail_xss_entitiy_decode($content) |
|---|
| | | { |
|---|
| | | $out = html_entity_decode(html_entity_decode($content)); |
|---|
| | | $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out); |
|---|
| | | $out = preg_replace('#/\*.*\*/#Um', '', $out); |
|---|
| | | return $out; |
|---|
| | | } |
|---|
| | | |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Compose a valid attribute string for HTML tags |
|---|
| | | * |
|---|
| | | * @param array Named tag attributes |
|---|
