githubFork/roundcubemail.git

			@@ -1,6 +1,6 @@
			<?php

			/**
			/*
			+-----------------------------------------------------------------------+
			\| This file is part of the Roundcube Webmail client \|
			\| Copyright (C) 2008-2012, The Roundcube Dev Team \|
			@@ -18,7 +18,7 @@
			+-----------------------------------------------------------------------+
			*/

			/**
			/*
			* Washtml, a HTML sanityzer.
			*
			* Copyright (c) 2007 Frederic Motte <fmotte@ubixis.com>
			@@ -95,6 +95,7 @@
			'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q',
			's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
			'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img',
			'video', 'source',
			// form elements
			'button', 'input', 'textarea', 'select', 'option', 'optgroup'
			);
			@@ -171,7 +172,7 @@
			*/
			private function wash_style($style)
			{
			$s = '';
			$result = array();

			foreach (explode(';', $style) as $declaration) {
			if (preg_match('/^\s([a-z\-]+)\s:\s(.)\s*$/i', $declaration, $match)) {
			@@ -179,54 +180,48 @@
			$str = $match[2];
			$value = '';

			while (sizeof($str) > 0 &&
			preg_match('/^(url$\s[\'"]?([^\'"$])[\'"]?\s\)'./1,2*/
			'\|rgb$\s[0-9]+\s,\s[0-9]+\s,\s[0-9]+\s$'.
			'\|-?[0-9.]+\s*(em\|ex\|px\|cm\|mm\|in\|pt\|pc\|deg\|rad\|grad\|ms\|s\|hz\|khz\|%)?'.
			'\|#[0-9a-f]{3,6}'.
			'\|[a-z0-9", -]+'.
			')\s*/i', $str, $match)
			) {
			if ($match[2]) {
			if (($src = $this->config['cid_map'][$match[2]])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$match[2]])
			) {
			$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
			}
			else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $match[2], $url)) {
			if ($this->config['allow_remote']) {
			$value .= ' url('.htmlspecialchars($url[0], ENT_QUOTES).')';
			foreach ($this->explode_style($str) as $val) {
			if (preg_match('/^url\(/i', $val)) {
			if (preg_match('/^url$\s[\'"]?([^\'"$])[\'"]?\s*\)/iu', $val, $match)) {
			$url = $match[1];
			if (($src = $this->config['cid_map'][$url])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$url])
			) {
			$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
			}
			else {
			$this->extlinks = true;
			else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $url, $m)) {
			if ($this->config['allow_remote']) {
			$value .= ' url('.htmlspecialchars($m[0], ENT_QUOTES).')';
			}
			else {
			$this->extlinks = true;
			}
			}
			}
			else if (preg_match('/^data:.+/i', $match[2])) { // RFC2397
			$value .= ' url('.htmlspecialchars($match[2], ENT_QUOTES).')';
			else if (preg_match('/^data:.+/i', $url)) { // RFC2397
			$value .= ' url('.htmlspecialchars($url, ENT_QUOTES).')';
			}
			}
			}
			else {
			else if (!preg_match('/^(behavior\|expression)/i', $val)) {
			// whitelist ?
			$value .= ' ' . $match[0];
			$value .= ' ' . $val;

			// #1488535: Fix size units, so width:800 would be changed to width:800px
			if (preg_match('/(left\|right\|top\|bottom\|width\|height)/i', $cssid)
			&& preg_match('/^[0-9]+$/', $match[0])
			if (preg_match('/^(left\|right\|top\|bottom\|width\|height)/i', $cssid)
			&& preg_match('/^[0-9]+$/', $val)
			) {
			$value .= 'px';
			}
			}

			$str = substr($str, strlen($match[0]));
			}

			if (isset($value[0])) {
			$s .= ($s?' ':'') . $cssid . ':' . $value . ';';
			$result[] = $cssid . ':' . $value;
			}
			}
			}

			return $s;
			return implode('; ', $result);
			}

			/**
			@@ -249,10 +244,13 @@
			$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
			}
			else if ($key == 'style' && ($style = $this->wash_style($value))) {
			$quot = strpos($style, '"') !== false ? "'" : '"';
			$t .= ' style=' . $quot . $style . $quot;
			// replace double quotes to prevent syntax error and XSS issues (#1490227)
			$t .= ' style="' . str_replace('"', '"', $style) . '"';
			}
			else if ($key == 'background' \|\| ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
			else if ($key == 'background'
			\|\| ($key == 'src' && preg_match('/^(img\|source)$/i', $node->tagName))
			\|\| ($key == 'poster' && strtolower($node->tagName) == 'video')
			) {
			if (($src = $this->config['cid_map'][$value])
			\|\| ($src = $this->config['cid_map'][$this->config['base_url'].$value])
			) {
			@@ -283,10 +281,12 @@

			/**
			* The main loop that recurse on a node tree.
			* It output only allowed tags with allowed attributes
			* and allowed inline styles
			* It output only allowed tags with allowed attributes and allowed inline styles
			*
			* @param DOMNode $node HTML element
			* @param int $level Recurrence level (safe initial value found empirically)
			*/
			private function dumpHtml($node, $level = 0)
			private function dumpHtml($node, $level = 20)
			{
			if (!$node->hasChildNodes()) {
			return '';
			@@ -378,7 +378,7 @@
			$this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');

			// Use optimizations if supported
			if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
			if (PHP_VERSION_ID >= 50400) {
			@$node->loadHTML($html, LIBXML_PARSEHUGE \| LIBXML_COMPACT);
			}
			else {
			@@ -403,14 +403,21 @@
			{
			// special replacements (not properly handled by washtml class)
			$html_search = array(
			'/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
			'/<title[^>]>[^<]<\/title>/i', // PHP bug #32547 workaround: remove title tag
			'/^(\0\0\xFE\xFF\|\xFF\xFE\0\0\|\xFE\xFF\|\xFF\xFE\|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
			'/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
			// space(s) between <NOBR>
			'/(<\/nobr>)(\s+)(<nobr>)/i',
			// PHP bug #32547 workaround: remove title tag
			'/<title[^>]>[^<]<\/title>/i',
			// remove <!doctype> before BOM (#1490291)
			'/<\!doctype[^>]+>[^<]*/im',
			// byte-order mark (only outlook?)
			'/^(\0\0\xFE\xFF\|\xFF\xFE\0\0\|\xFE\xFF\|\xFF\xFE\|\xEF\xBB\xBF)/',
			// washtml/DOMDocument cannot handle xml namespaces
			'/<html\s[^>]+>/i',
			);

			$html_replace = array(
			'\\1'.'   '.'\\3',
			'',
			'',
			'',
			'<html>',
			@@ -460,7 +467,7 @@
			// Remove invalid HTML comments (#1487759)
			// Don't remove valid conditional comments
			// Don't remove MSOutlook (<!-->) conditional comments (#1489004)
			$html = preg_replace('/<!--[^->\[\n]+>/', '', $html);
			$html = preg_replace('/<!--[^-<>\[\n]+>/', '', $html);

			// fix broken nested lists
			self::fix_broken_lists($html);
			@@ -576,4 +583,49 @@
			}
			}
			}

			/**
			* Explode css style value
			*/
			protected function explode_style($style)
			{
			$style = trim($style);

			// first remove comments
			$pos = 0;
			while (($pos = strpos($style, '/*', $pos)) !== false) {
			$end = strpos($style, '*/', $pos+2);

			if ($end === false) {
			$style = substr($style, 0, $pos);
			}
			else {
			$style = substr_replace($style, '', $pos, $end - $pos + 2);
			}
			}

			$strlen = strlen($style);
			$result = array();

			// explode value
			for ($p=$i=0; $i < $strlen; $i++) {
			if (($style[$i] == "\"" \|\| $style[$i] == "'") && $style[$i-1] != "\\") {
			if ($q == $style[$i]) {
			$q = false;
			}
			else if (!$q) {
			$q = $style[$i];
			}
			}

			if (!$q && $style[$i] == ' ' && !preg_match('/[,\(]/', $style[$i-1])) {
			$result[] = substr($style, $p, $i - $p);
			$p = $i + 1;
			}
			}

			$result[] = (string) substr($style, $p);

			return $result;
			}
			}