From 1c499ae930907ecb37ba31997ffcb71827d524f9 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 12 Sep 2008 11:14:34 -0400
Subject: [PATCH] Allow (sanitized) style elements in HTML messages

---
 program/include/main.inc |   19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

diff --git a/program/include/main.inc b/program/include/main.inc
index 87c7277..0453b14 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -597,7 +597,8 @@
   $last_pos = 0;
   
   // ignore the whole block if evil styles are detected
-  if (stristr($source, 'expression') || stristr($source, 'behavior'))
+  $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source));
+  if (preg_match('/expression|behavior|url\(|import/', $stripped))
     return '';
 
   // cut out all contents between { and }
@@ -633,6 +634,22 @@
 
 
 /**
+ * Decode escaped entities used by known XSS exploits.
+ * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples
+ *
+ * @param string CSS content to decode
+ * @return string Decoded string
+ */
+function rcmail_xss_entitiy_decode($content)
+{
+  $out = html_entity_decode(html_entity_decode($content));
+  $out = preg_replace('/\\\00([a-z0-9]{2})/ie', "chr(hexdec('\\1'))", $out);
+  $out = preg_replace('#/\*.+\*/#Um', '', $out);
+  return $out;
+}
+
+
+/**
  * Compose a valid attribute string for HTML tags
  *
  * @param array Named tag attributes

--
Gitblit v1.9.1