program/steps/mail/func.inc
@@ -861,7 +861,7 @@ case 'style': // decode all escaped entities and reduce to ascii strings $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content)); $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entity_decode($content)); // now check for evil strings like expression, behavior or url() if (!preg_match('/expression|behavior|url\(|import/', $stripped)) {
