Fix typos + only add callback for style tags when safe-flag is set
| | |
| | | protected $content; |
| | | |
| | | public static $common_attrib = array('id','class','style','title','align'); |
| | | public static $containers = array('div','span','p','h1','h2','h3','form','textarea','table','tr','th','td'); |
| | | public static $containers = array('div','span','p','h1','h2','h3','form','textarea','table','tr','th','td','style'); |
| | | public static $lc_tags = true; |
| | | |
| | | /** |
| | |
| | | $wash_opts['html_elements'] = array('html','head','title','body'); |
| | | } |
| | | |
| | | // allow CSS styles, will be sanitized by rcmail_washtml_callback() |
| | | if ($p['safe']) { |
| | | $wash_opts['html_elements'][] = 'style'; |
| | | } |
| | | |
| | | $washer = new washtml($wash_opts); |
| | | $washer->add_callback('form', 'rcmail_washtml_callback'); |
| | | $washer->add_callback('style', 'rcmail_washtml_callback'); |
| | | |
| | | if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback() |
| | | $washer->add_callback('style', 'rcmail_washtml_callback'); |
| | | } |
| | | |
| | | $body = $washer->wash($html); |
| | | $REMOTE_OBJECTS = $washer->extlinks; |
| | | |
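Review bot: The new `if ($p['safe'])` block that registers the `style` callback is gated separately from the `$wash_opts['html_elements'][] = 'style'` entry above the constructor, so the allow-list entry and the sanitiser that makes it acceptable can drift apart if either guard is edited on its own. The inline comment on the new `if` repeats the one above instead of recording that dependency; I'd replace it with `// must mirror the html_elements entry above: a <style> allowed without this callback is emitted unsanitized`. Alternatively evaluate the flag once, `$allow_css = !empty($p['safe']);`, and use it in both guards so the coupling is visible in code. The enclosing function starts and ends outside the hunk.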
| | |
| | | |
| | | case 'style': |
| | | // decode all escaped entities and reduce to ascii strings |
| | | $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($source)); |
| | | $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content)); |
| | | |
| | | // now check for evli strings like expression, behavior or url() |
| | | if (!preg_match('/expression|behavior|url\(|import/', $css)) { |
| | | // now check for evil strings like expression, behavior or url() |
| | | if (!preg_match('/expression|behavior|url\(|import/', $stripped)) { |
| | | $out = html::tag('style', array('type' => 'text/css'), $content); |
| | | break; |
| | | } |
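Review bot: The keyword check on the new `preg_match` line is case-sensitive while `$stripped` keeps the original letter case (the `[^a-zA-Z\(:]` filter only removes other characters), so a differently-cased spelling of the same keyword passes the gate and the untouched `$content` is then emitted by `html::tag`. CSS keywords are case-insensitive, so the pattern should carry the `i` modifier: `if (!preg_match('/expression|behavior|url\(|import/i', $stripped)) {`. Whether `rcmail_xss_entitiy_decode` also folds CSS backslash escapes before this reduction is not visible here and is worth confirming, since the reduction only drops characters and does not decode them. The `switch` and its enclosing function start outside the hunk, and what happens when the check fails lies after the closing brace.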