Roundcubemail devel
parent: 10c92bef | patch | commit | ignore whitespace
thomascube
2006-09-01 ea206d3d9299ce32996dcd24d49790e36f2b89a2 
Improved message parsing and HTML validation

5 files modified
68 ■■■■ changed files
program/include/rcube_imap.inc 4 ●●●● patch | view | raw | blame | history
program/steps/mail/func.inc 31 ●●●● patch | view | raw | blame | history
program/steps/mail/get.inc 14 ●●●●● patch | view | raw | blame | history
program/steps/mail/show.inc 2 ●●● patch | view | raw | blame | history
program/steps/settings/save_identity.inc 17 ●●●● patch | view | raw | blame | history 
 program/include/rcube_imap.inc


@@ -1010,9 +1010,9 @@


    // get part size


    if (!empty($part[6]) && $part[6]!='NIL')


      $struct->size = intval($part[6]);




	  


    // read part disposition


    $di = count($part) - 3;


    $di = count($part) - 2;


    if (is_array($part[$di]))


      {


      $struct->disposition = strtolower($part[$di][0]);




 program/steps/mail/func.inc


@@ -676,18 +676,18 @@




    if (!$safe)  // remove remote images and scripts


      {


      $remote_patterns = array('/(src|background)=(["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)(\2|\s|>)/Ui',


                           //  '/(src|background)=(["\']?)([\.\/]+[^"\'\s]+)(\2|\s|>)/Ui',


      $remote_patterns = array('/<img\s+(.*)src=(["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)(\2|\s|>)/Ui',


                               '/(src|background)=(["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)(\2|\s|>)/Ui',


                               '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i',


                               '/(<link.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i',


                               '/url\s*\(["\']?([hftps]{3,5}:\/{2}[^"\'\s]+)["\']?\)/i',


                               '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i',


                               '/<script.+<\/script>/Umis');




      $remote_replaces = array('',  // '\\1=\\2#\\4',


                            // '\\1=\\2#\\4',


      $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4',


                               '',


                               '',  // '\\1#\\3',


                               '',


                               '',


                               'none',


                               'none',


                               '');


@@ -766,7 +766,7 @@


    // insert the links for urls and mailtos


    $body = preg_replace("/##string_replacement\{([0-9]+)\}##/e", "\$replace_strings[\\1]", join("\n", $a_lines));


    


    return "<div class=\"pre\">\n".$body."\n</div>";


    return "<div class=\"pre\">".$body."\n</div>";


    }


  }




@@ -947,7 +947,7 @@


      $a_replaces = array();


        


      foreach ($sa_inline_objects as $inline_object)


        $a_replaces['cid:'.$inline_object->content_id] = sprintf($get_url, $inline_object->mime_id);


        $a_replaces['cid:'.$inline_object->content_id] = htmlspecialchars(sprintf($get_url, $inline_object->mime_id));


      


      // add replace array to each content part


      // (will be applied later when part body is available)


@@ -1092,8 +1092,8 @@


    foreach ($MESSAGE['attachments'] as $attach_prop)


      {


      if (strpos($attach_prop->mimetype, 'image/')===0)


        $out .= sprintf("\n<hr />\n<p align=\"center\"><img src=\"%s&_part=%s\" alt=\"%s\" title=\"%s\" /></p>\n",


                        $GET_URL, $attach_prop->mime_id,


        $out .= sprintf("\n<hr />\n<p align=\"center\"><img src=\"%s&amp;_part=%s\" alt=\"%s\" title=\"%s\" /></p>\n",


                        htmlspecialchars($GET_URL), $attach_prop->mime_id,


                        $attach_prop->filename,


                        $attach_prop->filename);


      }


@@ -1121,15 +1121,12 @@


  // find STYLE tags


  while (($pos = strpos($body_lc, '<style', $last_style_pos)) && ($pos2 = strpos($body_lc, '</style>', $pos)))


    {


    $pos2 += 8;


    $body_pre = substr($body, 0, $pos);


    $styles = substr($body, $pos, $pos2-$pos);


    $body_post = substr($body, $pos2, strlen($body)-$pos2);


    


    $pos = strpos($body_lc, '>', $pos)+1;




    // replace all css definitions with #container [def]


    $styles = rcmail_mod_css_styles($styles, $container_id);


    


    $body = $body_pre . $styles . $body_post;


    $styles = rcmail_mod_css_styles(substr($body, $pos, $pos2-$pos), $container_id);




    $body = substr($body, 0, $pos) . $styles . substr($body, $pos2);    


    $last_style_pos = $pos2;


    }






 program/steps/mail/get.inc


@@ -87,17 +87,19 @@


    // deliver part content


    if ($ctype_primary=='text' && $ctype_secondary=='html')


      {


      // we have to analyze the whole structure again to find inline objects


      list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'],


                                                     array('safe' => (bool)$_GET['_safe'],


                                                           'prefer_html' => TRUE,


                                                           'get_url' => $GET_URL.'&_part=%s'));


      $part = &$MESSAGE['parts'][0];




      // get part body if not available


      if (!$part->body)


        $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part);      




      list($MESSAGE['parts']) = rcmail_parse_message($part,


                                                     array('safe' => (bool)$_GET['_safe'],


                                                           'prefer_html' => TRUE,


                                                           'get_url' => $GET_URL.'&_part=%s'));




      $OUTPUT = new rcube_html_page();


      $OUTPUT->write(rcmail_print_body($MESSAGE['parts'][0], (bool)$_GET['_safe']));


      $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe']));


      }


    else


      {




 program/steps/mail/show.inc


@@ -108,7 +108,7 @@


                        show_bytes($attach_prop->size));


      else


        $out .= sprintf('<li><a href="%s&amp;_part=%s" onclick="return %s.command(\'load-attachment\',{part:\'%s\', mimetype:\'%s\'},this)">%s</a></li>'."\n",


                        htmlentities($GET_URL),


                        htmlspecialchars($GET_URL),


                        $attach_prop->mime_id,


                        $JS_OBJECT_NAME,


                        $attach_prop->mime_id,




 program/steps/settings/save_identity.inc


@@ -61,18 +61,19 @@


    $updated = $DB->affected_rows();


    }


       


  if ($updated && !empty($_POST['_standard']))


  if ($updated)


    {


    show_message('successfullysaved', 'confirmation');




    // mark all other identities as 'not-default'


    $DB->query("UPDATE ".get_table_name('identities')."


                SET ".$DB->quoteIdentifier('standard')."='0'


                WHERE  user_id=?


                AND    identity_id<>?


                AND    del<>1",


                $_SESSION['user_id'],


                get_input_value('_iid', RCUBE_INPUT_POST));


    if (!empty($_POST['_standard']))


      $DB->query("UPDATE ".get_table_name('identities')."


                  SET ".$DB->quoteIdentifier('standard')."='0'


                  WHERE  user_id=?


                  AND    identity_id<>?


                  AND    del<>1",


                  $_SESSION['user_id'],


                  get_input_value('_iid', RCUBE_INPUT_POST));


    


    if ($_POST['_framed'])


      {