Don't block CSS styles having important keywords
| | |
|---|
| | | $replacements = new rcube_string_replacer; |
|---|
| | | |
|---|
| | | // ignore the whole block if evil styles are detected |
|---|
| | | $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entity_decode($source)); |
|---|
| | | if (preg_match('/expression|behavior|url\(|import/', $stripped)) |
|---|
| | | $stripped = preg_replace('/[^a-z\(:;]/', '', rcmail_xss_entity_decode($source)); |
|---|
| | | if (preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) |
|---|
| | | return '/* evil! */'; |
|---|
| | | |
|---|
| | | // remove css comments (sometimes used for some ugly hacks) |
|---|
| | |
|---|
| | | |
|---|
| | | case 'style': |
|---|
| | | // decode all escaped entities and reduce to ascii strings |
|---|
| | | $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entity_decode($content)); |
|---|
| | | $stripped = preg_replace('/[^a-zA-Z\(:;]/', '', rcmail_xss_entity_decode($content)); |
|---|
| | | |
|---|
| | | // now check for evil strings like expression, behavior or url() |
|---|
| | | if (!preg_match('/expression|behavior|url\(|import/', $stripped)) { |
|---|
| | | if (!preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) { |
|---|
| | | $out = html::tag('style', array('type' => 'text/css'), $content); |
|---|
| | | break; |
|---|
| | | } |
|---|
