From 1c499ae930907ecb37ba31997ffcb71827d524f9 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 12 Sep 2008 11:14:34 -0400
Subject: [PATCH] Allow (sanitized) style elements in HTML messages

---
 program/steps/mail/func.inc |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 7de78a1..6a885a0 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -602,15 +602,14 @@
       $wash_opts['html_elements'] = array('html','head','title','body');
     }
     
-    /* CSS styles need to be sanitized!
+    // allow CSS styles, will be sanitized by rcmail_washtml_callback()
     if ($p['safe']) {
       $wash_opts['html_elements'][] = 'style';
-      $wash_opts['html_attribs'] = array('type');
     }
-    */
     
     $washer = new washtml($wash_opts);
     $washer->add_callback('form', 'rcmail_washtml_callback');
+    $washer->add_callback('style', 'rcmail_washtml_callback');
     $body = $washer->wash($html);
     $REMOTE_OBJECTS = $washer->extlinks;
 
@@ -698,6 +697,16 @@
       $out = html::div('form', $content);
       break;
       
+    case 'style':
+      // decode all escaped entities and reduce to ascii strings
+      $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($source));
+      
+      // now check for evli strings like expression, behavior or url()
+      if (!preg_match('/expression|behavior|url\(|import/', $css)) {
+        $out = html::tag('style', array('type' => 'text/css'), $content);
+        break;
+      }
+    
     default:
       $out = '';
   }

--
Gitblit v1.9.1