githubFork/roundcubemail.git

			@@ -1,6 +1,6 @@
			<?php

			/**
			/*
			+-----------------------------------------------------------------------+
			\| This file is part of the Roundcube Webmail client \|
			\| Copyright (C) 2008-2012, The Roundcube Dev Team \|
			@@ -18,7 +18,7 @@
			+-----------------------------------------------------------------------+
			*/

			/**
			/*
			* Washtml, a HTML sanityzer.
			*
			* Copyright (c) 2007 Frederic Motte <fmotte@ubixis.com>
			@@ -95,6 +95,7 @@
			'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q',
			's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
			'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img',
			'video', 'source',
			// form elements
			'button', 'input', 'textarea', 'select', 'option', 'optgroup'
			);
			@@ -171,7 +172,7 @@
			*/
			private function wash_style($style)
			{
			$s = '';
			$result = array();

			foreach (explode(';', $style) as $declaration) {
			if (preg_match('/^\s([a-z\-]+)\s:\s(.)\s*$/i', $declaration, $match)) {
			@@ -179,54 +180,48 @@
			$str = $match[2];
			$value = '';

			while (sizeof($str) > 0 &&
			preg_match('/^(url$\s[\'"]?([^\'"$])[\'"]?\s\)'./1,2*/
			'\|rgb$\s[0-9]+\s,\s[0-9]+\s,\s[0-9]+\s$'.
			'\|-?[0-9.]+\s*(em\|ex\|px\|cm\|mm\|in\|pt\|pc\|deg\|rad\|grad\|ms\|s\|hz\|khz\|%)?'.
			'\|#[0-9a-f]{3,6}'.
			'\|[a-z0-9", -]+'.
			')\s*/i', $str, $match)
			) {
			if ($match[2]) {
			if (($src = $this->config['cid_map'][$match[2]])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$match[2]])
			) {
			$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
			}
			else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $match[2], $url)) {
			if ($this->config['allow_remote']) {
			$value .= ' url('.htmlspecialchars($url[0], ENT_QUOTES).')';
			foreach ($this->explode_style($str) as $val) {
			if (preg_match('/^url\(/i', $val)) {
			if (preg_match('/^url$\s[\'"]?([^\'"$])[\'"]?\s*\)/iu', $val, $match)) {
			$url = $match[1];
			if (($src = $this->config['cid_map'][$url])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$url])
			) {
			$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
			}
			else {
			$this->extlinks = true;
			else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $url, $m)) {
			if ($this->config['allow_remote']) {
			$value .= ' url('.htmlspecialchars($m[0], ENT_QUOTES).')';
			}
			else {
			$this->extlinks = true;
			}
			}
			}
			else if (preg_match('/^data:.+/i', $match[2])) { // RFC2397
			$value .= ' url('.htmlspecialchars($match[2], ENT_QUOTES).')';
			else if (preg_match('/^data:.+/i', $url)) { // RFC2397
			$value .= ' url('.htmlspecialchars($url, ENT_QUOTES).')';
			}
			}
			}
			else {
			else if (!preg_match('/^(behavior\|expression)/i', $val)) {
			// whitelist ?
			$value .= ' ' . $match[0];
			$value .= ' ' . $val;

			// #1488535: Fix size units, so width:800 would be changed to width:800px
			if (preg_match('/(left\|right\|top\|bottom\|width\|height)/i', $cssid)
			&& preg_match('/^[0-9]+$/', $match[0])
			if (preg_match('/^(left\|right\|top\|bottom\|width\|height)/i', $cssid)
			&& preg_match('/^[0-9]+$/', $val)
			) {
			$value .= 'px';
			}
			}

			$str = substr($str, strlen($match[0]));
			}

			if (isset($value[0])) {
			$s .= ($s?' ':'') . $cssid . ':' . $value . ';';
			$result[] = $cssid . ':' . $value;
			}
			}
			}

			return $s;
			return implode('; ', $result);
			}

			/**
			@@ -249,10 +244,13 @@
			$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
			}
			else if ($key == 'style' && ($style = $this->wash_style($value))) {
			$quot = strpos($style, '"') !== false ? "'" : '"';
			$t .= ' style=' . $quot . $style . $quot;
			// replace double quotes to prevent syntax error and XSS issues (#1490227)
			$t .= ' style="' . str_replace('"', '"', $style) . '"';
			}
			else if ($key == 'background' \|\| ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
			else if ($key == 'background'
			\|\| ($key == 'src' && preg_match('/^(img\|source)$/i', $node->tagName))
			\|\| ($key == 'poster' && strtolower($node->tagName) == 'video')
			) {
			if (($src = $this->config['cid_map'][$value])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$value])
			) {
			@@ -283,10 +281,12 @@

			/**
			* The main loop that recurse on a node tree.
			* It output only allowed tags with allowed attributes
			* and allowed inline styles
			* It output only allowed tags with allowed attributes and allowed inline styles
			*
			* @param DOMNode $node HTML element
			* @param int $level Recurrence level (safe initial value found empirically)
			*/
			private function dumpHtml($node, $level = 0)
			private function dumpHtml($node, $level = 20)
			{
			if (!$node->hasChildNodes()) {
			return '';
			@@ -377,7 +377,14 @@
			// Detect max nesting level (for dumpHTML) (#1489110)
			$this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');

			@$node->loadHTML($html);
			// Use optimizations if supported
			if (PHP_VERSION_ID >= 50400) {
			@$node->loadHTML($html, LIBXML_PARSEHUGE \| LIBXML_COMPACT);
			}
			else {
			@$node->loadHTML($html);
			}

			return $this->dumpHtml($node);
			}

			@@ -396,14 +403,21 @@
			{
			// special replacements (not properly handled by washtml class)
			$html_search = array(
			'/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
			'/<title[^>]>[^<]<\/title>/i', // PHP bug #32547 workaround: remove title tag
			'/^(\0\0\xFE\xFF\|\xFF\xFE\0\0\|\xFE\xFF\|\xFF\xFE\|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
			'/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
			// space(s) between <NOBR>
			'/(<\/nobr>)(\s+)(<nobr>)/i',
			// PHP bug #32547 workaround: remove title tag
			'/<title[^>]>[^<]<\/title>/i',
			// remove <!doctype> before BOM (#1490291)
			'/<\!doctype[^>]+>[^<]*/im',
			// byte-order mark (only outlook?)
			'/^(\0\0\xFE\xFF\|\xFF\xFE\0\0\|\xFE\xFF\|\xFF\xFE\|\xEF\xBB\xBF)/',
			// washtml/DOMDocument cannot handle xml namespaces
			'/<html\s[^>]+>/i',
			);

			$html_replace = array(
			'\\1'.'   '.'\\3',
			'',
			'',
			'',
			'<html>',
			@@ -411,7 +425,7 @@
			$html = preg_replace($html_search, $html_replace, trim($html));

			//-> Replace all of those weird MS Word quotes and other high characters
			$badwordchars=array(
			$badwordchars = array(
			"\xe2\x80\x98", // left single quote
			"\xe2\x80\x99", // right single quote
			"\xe2\x80\x9c", // left double quote
			@@ -419,7 +433,7 @@
			"\xe2\x80\x94", // em dash
			"\xe2\x80\xa6" // elipses
			);
			$fixedwordchars=array(
			$fixedwordchars = array(
			"'",
			"'",
			'"',
			@@ -427,7 +441,7 @@
			'—',
			'...'
			);
			$html = str_replace($badwordchars,$fixedwordchars, $html);
			$html = str_replace($badwordchars, $fixedwordchars, $html);

			// PCRE errors handling (#1486856), should we use something like for every preg_* use?
			if ($html === null && ($preg_error = preg_last_error()) != PREG_NO_ERROR) {
			@@ -448,12 +462,15 @@
			}

			// fix (unknown/malformed) HTML tags before "wash"
			$html = preg_replace_callback('/(<[\/]*)([^\s>]+)/', array($this, 'html_tag_callback'), $html);
			$html = preg_replace_callback('/(<(?!\!)[\/])([^\s>]+)([^>])/', array($this, 'html_tag_callback'), $html);

			// Remove invalid HTML comments (#1487759)
			// Don't remove valid conditional comments
			// Don't remove MSOutlook (<!-->) conditional comments (#1489004)
			$html = preg_replace('/<!--[^->\[\n]+>/', '', $html);
			$html = preg_replace('/<!--[^-<>\[\n]+>/', '', $html);

			// fix broken nested lists
			self::fix_broken_lists($html);

			// turn relative into absolute urls
			$html = self::resolve_base($html);
			@@ -472,7 +489,12 @@
			'/[^a-z0-9_\[\]\!-]/i', // forbidden characters
			), '', $tagname);

			return $matches[1] . $tagname;
			// fix invalid closing tags - remove any attributes (#1489446)
			if ($matches[1] == '</') {
			$matches[3] = '';
			}

			return $matches[1] . $tagname . $matches[3];
			}

			/**
			@@ -488,5 +510,122 @@

			return $body;
			}
			}

			/**
			* Fix broken nested lists, they are not handled properly by DOMDocument (#1488768)
			*/
			public static function fix_broken_lists(&$html)
			{
			// do two rounds, one for <ol>, one for <ul>
			foreach (array('ol', 'ul') as $tag) {
			$pos = 0;
			while (($pos = stripos($html, '<' . $tag, $pos)) !== false) {
			$pos++;

			// make sure this is an ol/ul tag
			if (!in_array($html[$pos+2], array(' ', '>'))) {
			continue;
			}

			$p = $pos;
			$in_li = false;
			$li_pos = 0;

			while (($p = strpos($html, '<', $p)) !== false) {
			$tt = strtolower(substr($html, $p, 4));

			// li open tag
			if ($tt == '<li>' \|\| $tt == '<li ') {
			$in_li = true;
			$p += 4;
			}
			// li close tag
			else if ($tt == '</li' && in_array($html[$p+4], array(' ', '>'))) {
			$li_pos = $p;
			$p += 4;
			$in_li = false;
			}
			// ul/ol closing tag
			else if ($tt == '</' . $tag && in_array($html[$p+4], array(' ', '>'))) {
			break;
			}
			// nested ol/ul element out of li
			else if (!$in_li && $li_pos && ($tt == '<ol>' \|\| $tt == '<ol ' \|\| $tt == '<ul>' \|\| $tt == '<ul ')) {
			// find closing tag of this ul/ol element
			$element = substr($tt, 1, 2);
			$cpos = $p;
			do {
			$tpos = stripos($html, '<' . $element, $cpos+1);
			$cpos = stripos($html, '</' . $element, $cpos+1);
			}
			while ($tpos !== false && $cpos !== false && $cpos > $tpos);

			// not found, this is invalid HTML, skip it
			if ($cpos === false) {
			break;
			}

			// get element content
			$end = strpos($html, '>', $cpos);
			$len = $end - $p + 1;
			$element = substr($html, $p, $len);

			// move element to the end of the last li
			$html = substr_replace($html, '', $p, $len);
			$html = substr_replace($html, $element, $li_pos, 0);

			$p = $end;
			}
			else {
			$p++;
			}
			}
			}
			}
			}

			/**
			* Explode css style value
			*/
			protected function explode_style($style)
			{
			$style = trim($style);

			// first remove comments
			$pos = 0;
			while (($pos = strpos($style, '/*', $pos)) !== false) {
			$end = strpos($style, '*/', $pos+2);

			if ($end === false) {
			$style = substr($style, 0, $pos);
			}
			else {
			$style = substr_replace($style, '', $pos, $end - $pos + 2);
			}
			}

			$strlen = strlen($style);
			$result = array();

			// explode value
			for ($p=$i=0; $i < $strlen; $i++) {
			if (($style[$i] == "\"" \|\| $style[$i] == "'") && $style[$i-1] != "\\") {
			if ($q == $style[$i]) {
			$q = false;
			}
			else if (!$q) {
			$q = $style[$i];
			}
			}

			if (!$q && $style[$i] == ' ' && !preg_match('/[,\(]/', $style[$i-1])) {
			$result[] = substr($style, $p, $i - $p);
			$p = $i + 1;
			}
			}

			$result[] = (string) substr($style, $p);

			return $result;
			}
			}