[Svn] r3740 - trunk/roundcubemail/program/include

trac at roundcube.net trac at roundcube.net
Wed Jun 9 21:08:15 CEST 2010


Author: netbit
Date: 2010-06-09 14:08:15 -0500 (Wed, 09 Jun 2010)
New Revision: 3740

Modified:
   trunk/roundcubemail/program/include/main.inc
Log:
 - Sanitize CSS universal selector from e-mails. Without this fix any message can play with the CSS from entire mail window or mail preview frame. Test case: 
<style type="text/css">*{ background: #000; }</style>

Modified: trunk/roundcubemail/program/include/main.inc
===================================================================
--- trunk/roundcubemail/program/include/main.inc	2010-06-09 16:38:47 UTC (rev 3739)
+++ trunk/roundcubemail/program/include/main.inc	2010-06-09 19:08:15 UTC (rev 3740)
@@ -1,4 +1,4 @@
-<?php
+<?php
 
 /*
  +-----------------------------------------------------------------------+
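Review bot: the `<?php` line is removed and re-added with no visible difference, so this hunk is a line-ending or encoding-only edit (a BOM or CRLF change, most likely) that the log entry does not mention; either leave it out of this commit or say so in the log, so that a reader of the history doesn't take it for part of the selector fix.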
@@ -843,7 +843,7 @@
   $styles = preg_replace(
     array(
       '/(^\s*<!--)|(-->\s*$)/',
-      '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
+      '/(^\s*|,\s*|\}\s*)([a-z0-9\._#\*][a-z0-9\.\-_]*)/im',
       "/$container_id\s+body/i",
     ),
     array(
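Review bot: adding `\*` to the first-character class only closes the one escape named in the log; any selector that starts with a character outside `[a-z0-9\._#\*]` is still never matched and so never gets the container prefix. An attribute selector such as `[lang] { background: #000 }` or a bare pseudo-class such as `:hover { ... }` at the start of a rule passes this pattern untouched and hits the whole mail window exactly as `*{ ... }` did. Rather than enumerating leading characters, prefix whatever precedes each `{` (at the start of the string, or after `,` or `}`), or at least add `[` and `:` to the class. The replacement side of this `preg_replace()` is outside the hunk, so the prefix actually applied can't be checked here; and the test case in the log deserves to land in the test suite along with the fix.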

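The commit log shows one escaping selector; the following added example (not Roundcube's code) runs the two regexes from the hunk side by side over the log's test case and two further constructed rules, and goes one step beyond the log by showing which selectors the widened character class still leaves unscoped. The container id `rcmBody` and the `#id selector` replacement string are assumptions, since the replacement array is cut off in the hunk. Python's `re` is used in place of PCRE; the pattern itself needs no translation.

```python
import re

# Selector-prefixing patterns copied from the r3740 hunk: the one before the fix
# and the one after, which only adds "*" to the allowed first character.
SELECTOR_RE_BEFORE = re.compile(r'(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)', re.I | re.M)
SELECTOR_RE_AFTER = re.compile(r'(^\s*|,\s*|\}\s*)([a-z0-9\._#\*][a-z0-9\.\-_]*)', re.I | re.M)


def scope_css(styles, container_id, pattern=SELECTOR_RE_AFTER):
    """Rewrite every selector the pattern recognises as '#container_id <selector>'.

    Assumption: the replacement side of preg_replace() is outside the hunk, so this
    replacement string is a guess at its intent, not Roundcube's own code."""
    return pattern.sub(lambda m: "%s#%s %s" % (m.group(1), container_id, m.group(2)), styles)


def unscoped_selectors(css, container_id):
    """Return the selectors in `css` that are not anchored under #container_id.

    Deliberately naive rule splitter (no strings, comments or @-rules); it is only
    meant to show which selectors the regex left untouched."""
    prefix = "#%s " % container_id
    leaks = []
    for block in css.split('}'):
        head, brace, _ = block.partition('{')
        if not brace:
            continue
        for sel in head.split(','):
            sel = sel.strip()
            if sel and not sel.startswith(prefix):
                leaks.append(sel)
    return leaks


# Constructed inputs: the test case from the commit log, a comma-separated list
# with the universal selector in second position, and an attribute selector.
LOG_TEST_CASE = "*{ background: #000; }"
COMMA_CASE = "body, *{ color: red }"
ATTR_CASE = "[lang] { color: red }"


def demo(container_id="rcmBody"):
    """Map each case name to (leaks before the fix, leaks after the fix)."""
    results = {}
    for name, css in (("log", LOG_TEST_CASE), ("comma", COMMA_CASE), ("attr", ATTR_CASE)):
        before = scope_css(css, container_id, SELECTOR_RE_BEFORE)
        after = scope_css(css, container_id, SELECTOR_RE_AFTER)
        results[name] = (unscoped_selectors(before, container_id),
                         unscoped_selectors(after, container_id))
    return results


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print("%-6s before fix leaks %r, after fix leaks %r" % (name, before, after))
```

The `log` and `comma` cases leak `*` before the fix and nothing after it; the `attr` case leaks `[lang]` both before and after, because `[` is not in the first-character class, which is the remaining gap a reviewer would want closed.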
_______________________________________________
http://lists.roundcube.net/mailman/listinfo/svn