[Svn] [roundcube/roundcubemail] 8e0ee8: Fix: Keep children of object tag (#6453)
Achim Leitner
noreply at github.com
Fri Aug 7 11:06:30 CEST 2020
Branch: refs/heads/master
Home: https://github.com/roundcube/roundcubemail
Commit: 8e0ee8b1c4b677f2814b8aa7980e1434130439b3
https://github.com/roundcube/roundcubemail/commit/8e0ee8b1c4b677f2814b8aa7980e1434130439b3
Author: Achim Leitner <git at fjl.de>
Date: 2020-08-07 (Fri, 07 Aug 2020)
Changed paths:
M program/lib/Roundcube/rcube_washtml.php
M tests/Framework/Washtml.php
Log Message:
-----------
Fix: Keep children of object tag (#6453)
The HTML tag <object> optionally has embedded (child) tags that serve as an
alternative (fallback) HTML representation for the object. Of course, the
object and its parameters are considered harmful in HTML mail, but the
alternative representation is meant for exactly this kind of situation. They
should display the object contents without loading possibly insecure code.
- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets
cleaned through $void_elements, they get ignored anyway, without removing the
valuable child nodes.
Co-authored-by: root <root at coreboso-kolab.coreboso.de>
More information about the svn
mailing list