From a3644638aaf0418598196a870204e0b632a4c8ad Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Fri, 17 Apr 2015 06:28:40 -0400
Subject: [PATCH] Allow preference sections to define CSS class names
---
program/lib/Roundcube/rcube_washtml.php | 306 ++++++++++++++++++++++++++++++++++++++++----------
1 files changed, 243 insertions(+), 63 deletions(-)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 715c460..b042f5f 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -1,6 +1,6 @@
<?php
-/**
+/*
+-----------------------------------------------------------------------+
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2008-2012, The Roundcube Dev Team |
@@ -18,7 +18,7 @@
+-----------------------------------------------------------------------+
*/
-/**
+/*
* Washtml, a HTML sanityzer.
*
* Copyright (c) 2007 Frederic Motte <fmotte@ubixis.com>
@@ -95,6 +95,7 @@
'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q',
's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img',
+ 'video', 'source',
// form elements
'button', 'input', 'textarea', 'select', 'option', 'optgroup'
);
@@ -113,10 +114,9 @@
'type', 'rows', 'cols', 'disabled', 'readonly', 'checked', 'multiple', 'value'
);
- /* Block elements which could be empty but cannot be returned in short form (<tag />) */
- static $block_elements = array('div', 'p', 'pre', 'blockquote', 'a', 'font', 'center',
- 'table', 'ul', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ol', 'dl', 'strong',
- 'i', 'b', 'u', 'span',
+ /* Elements which could be empty and be returned in short form (<tag />) */
+ static $void_elements = array('area', 'base', 'br', 'col', 'command', 'embed', 'hr',
+ 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr'
);
/* State for linked objects in HTML */
@@ -134,11 +134,14 @@
/* Ignore these HTML tags but process their content */
private $_ignore_elements = array();
- /* Block elements which could be empty but cannot be returned in short form (<tag />) */
- private $_block_elements = array();
+ /* Elements which could be empty and be returned in short form (<tag />) */
+ private $_void_elements = array();
/* Allowed HTML attributes */
private $_html_attribs = array();
+
+ /* Max nesting level */
+ private $max_nesting_level;
/**
@@ -149,9 +152,9 @@
$this->_html_elements = array_flip((array)$p['html_elements']) + array_flip(self::$html_elements) ;
$this->_html_attribs = array_flip((array)$p['html_attribs']) + array_flip(self::$html_attribs);
$this->_ignore_elements = array_flip((array)$p['ignore_elements']) + array_flip(self::$ignore_elements);
- $this->_block_elements = array_flip((array)$p['block_elements']) + array_flip(self::$block_elements);
+ $this->_void_elements = array_flip((array)$p['void_elements']) + array_flip(self::$void_elements);
- unset($p['html_elements'], $p['html_attribs'], $p['ignore_elements'], $p['block_elements']);
+ unset($p['html_elements'], $p['html_attribs'], $p['ignore_elements'], $p['void_elements']);
$this->config = $p + array('show_washed' => true, 'allow_remote' => false, 'cid_map' => array());
}
@@ -169,7 +172,7 @@
*/
private function wash_style($style)
{
- $s = '';
+ $result = array();
foreach (explode(';', $style) as $declaration) {
if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
@@ -177,54 +180,48 @@
$str = $match[2];
$value = '';
- while (sizeof($str) > 0 &&
- preg_match('/^(url\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)'./*1,2*/
- '|rgb\(\s*[0-9]+\s*,\s*[0-9]+\s*,\s*[0-9]+\s*\)'.
- '|-?[0-9.]+\s*(em|ex|px|cm|mm|in|pt|pc|deg|rad|grad|ms|s|hz|khz|%)?'.
- '|#[0-9a-f]{3,6}'.
- '|[a-z0-9", -]+'.
- ')\s*/i', $str, $match)
- ) {
- if ($match[2]) {
- if (($src = $this->config['cid_map'][$match[2]])
- || ($src = $this->config['cid_map'][$this->config['base_url'].$match[2]])
- ) {
- $value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
- }
- else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $match[2], $url)) {
- if ($this->config['allow_remote']) {
- $value .= ' url('.htmlspecialchars($url[0], ENT_QUOTES).')';
+ foreach ($this->explode_style($str) as $val) {
+ if (preg_match('/^url\(/i', $val)) {
+ if (preg_match('/^url\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) {
+ $url = $match[1];
+ if (($src = $this->config['cid_map'][$url])
+ || ($src = $this->config['cid_map'][$this->config['base_url'].$url])
+ ) {
+ $value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')';
}
- else {
- $this->extlinks = true;
+ else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $url, $m)) {
+ if ($this->config['allow_remote']) {
+ $value .= ' url('.htmlspecialchars($m[0], ENT_QUOTES).')';
+ }
+ else {
+ $this->extlinks = true;
+ }
}
- }
- else if (preg_match('/^data:.+/i', $match[2])) { // RFC2397
- $value .= ' url('.htmlspecialchars($match[2], ENT_QUOTES).')';
+ else if (preg_match('/^data:.+/i', $url)) { // RFC2397
+ $value .= ' url('.htmlspecialchars($url, ENT_QUOTES).')';
+ }
}
}
- else {
+ else if (!preg_match('/^(behavior|expression)/i', $val)) {
// whitelist ?
- $value .= ' ' . $match[0];
+ $value .= ' ' . $val;
// #1488535: Fix size units, so width:800 would be changed to width:800px
- if (preg_match('/(left|right|top|bottom|width|height)/i', $cssid)
- && preg_match('/^[0-9]+$/', $match[0])
+ if (preg_match('/^(left|right|top|bottom|width|height)/i', $cssid)
+ && preg_match('/^[0-9]+$/', $val)
) {
$value .= 'px';
}
}
-
- $str = substr($str, strlen($match[0]));
}
if (isset($value[0])) {
- $s .= ($s?' ':'') . $cssid . ':' . $value . ';';
+ $result[] = $cssid . ':' . $value;
}
}
}
- return $s;
+ return implode('; ', $result);
}
/**
@@ -240,16 +237,20 @@
$value = $node->getAttribute($key);
if (isset($this->_html_attribs[$key]) ||
- ($key == 'href' && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
+ ($key == 'href' && ($value = trim($value))
+ && !preg_match('!^(javascript|vbscript|data:text)!i', $value)
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value))
) {
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
else if ($key == 'style' && ($style = $this->wash_style($value))) {
- $quot = strpos($style, '"') !== false ? "'" : '"';
- $t .= ' style=' . $quot . $style . $quot;
+ // replace double quotes to prevent syntax error and XSS issues (#1490227)
+ $t .= ' style="' . str_replace('"', '"', $style) . '"';
}
- else if ($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
+ else if ($key == 'background'
+ || ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName))
+ || ($key == 'poster' && strtolower($node->tagName) == 'video')
+ ) {
if (($src = $this->config['cid_map'][$value])
|| ($src = $this->config['cid_map'][$this->config['base_url'].$value])
) {
@@ -280,13 +281,29 @@
/**
* The main loop that recurse on a node tree.
- * It output only allowed tags with allowed attributes
- * and allowed inline styles
+ * It output only allowed tags with allowed attributes and allowed inline styles
+ *
+ * @param DOMNode $node HTML element
+ * @param int $level Recurrence level (safe initial value found empirically)
*/
- private function dumpHtml($node)
+ private function dumpHtml($node, $level = 20)
{
if (!$node->hasChildNodes()) {
return '';
+ }
+
+ $level++;
+
+ if ($this->max_nesting_level > 0 && $level == $this->max_nesting_level - 1) {
+ // log error message once
+ if (!$this->max_nesting_level_error) {
+ $this->max_nesting_level_error = true;
+ rcube::raise_error(array('code' => 500, 'type' => 'php',
+ 'line' => __LINE__, 'file' => __FILE__,
+ 'message' => "Maximum nesting level exceeded (xdebug.max_nesting_level={$this->max_nesting_level})"),
+ true, false);
+ }
+ return '<!-- ignored -->';
}
$node = $node->firstChild;
@@ -298,19 +315,19 @@
$tagName = strtolower($node->tagName);
if ($callback = $this->handlers[$tagName]) {
$dump .= call_user_func($callback, $tagName,
- $this->wash_attribs($node), $this->dumpHtml($node), $this);
+ $this->wash_attribs($node), $this->dumpHtml($node, $level), $this);
}
else if (isset($this->_html_elements[$tagName])) {
- $content = $this->dumpHtml($node);
+ $content = $this->dumpHtml($node, $level);
$dump .= '<' . $tagName . $this->wash_attribs($node) .
- ($content != '' || isset($this->_block_elements[$tagName]) ? ">$content</$tagName>" : ' />');
+ ($content === '' && isset($this->_void_elements[$tagName]) ? ' />' : ">$content</$tagName>");
}
else if (isset($this->_ignore_elements[$tagName])) {
$dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' not allowed -->';
}
else {
$dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' ignored -->';
- $dump .= $this->dumpHtml($node); // ignore tags not its content
+ $dump .= $this->dumpHtml($node, $level); // ignore tags not its content
}
break;
@@ -323,14 +340,14 @@
break;
case XML_HTML_DOCUMENT_NODE:
- $dump .= $this->dumpHtml($node);
+ $dump .= $this->dumpHtml($node, $level);
break;
case XML_DOCUMENT_TYPE_NODE:
break;
default:
- $dump . '<!-- node type ' . $node->nodeType . ' -->';
+ $dump .= '<!-- node type ' . $node->nodeType . ' -->';
}
} while($node = $node->nextSibling);
@@ -357,7 +374,17 @@
$this->config['base_url'] = '';
}
- @$node->loadHTML($html);
+ // Detect max nesting level (for dumpHTML) (#1489110)
+ $this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
+
+ // Use optimizations if supported
+ if (PHP_VERSION_ID >= 50400) {
+ @$node->loadHTML($html, LIBXML_PARSEHUGE | LIBXML_COMPACT);
+ }
+ else {
+ @$node->loadHTML($html);
+ }
+
return $this->dumpHtml($node);
}
@@ -376,19 +403,45 @@
{
// special replacements (not properly handled by washtml class)
$html_search = array(
- '/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
- '/<title[^>]*>[^<]*<\/title>/i', // PHP bug #32547 workaround: remove title tag
- '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
- '/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
+ // space(s) between <NOBR>
+ '/(<\/nobr>)(\s+)(<nobr>)/i',
+ // PHP bug #32547 workaround: remove title tag
+ '/<title[^>]*>[^<]*<\/title>/i',
+ // remove <!doctype> before BOM (#1490291)
+ '/<\!doctype[^>]+>[^<]*/im',
+ // byte-order mark (only outlook?)
+ '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',
+ // washtml/DOMDocument cannot handle xml namespaces
+ '/<html\s[^>]+>/i',
);
$html_replace = array(
'\\1'.' '.'\\3',
'',
'',
+ '',
'<html>',
);
$html = preg_replace($html_search, $html_replace, trim($html));
+
+ //-> Replace all of those weird MS Word quotes and other high characters
+ $badwordchars = array(
+ "\xe2\x80\x98", // left single quote
+ "\xe2\x80\x99", // right single quote
+ "\xe2\x80\x9c", // left double quote
+ "\xe2\x80\x9d", // right double quote
+ "\xe2\x80\x94", // em dash
+ "\xe2\x80\xa6" // elipses
+ );
+ $fixedwordchars = array(
+ "'",
+ "'",
+ '"',
+ '"',
+ '—',
+ '...'
+ );
+ $html = str_replace($badwordchars, $fixedwordchars, $html);
// PCRE errors handling (#1486856), should we use something like for every preg_* use?
if ($html === null && ($preg_error = preg_last_error()) != PREG_NO_ERROR) {
@@ -404,15 +457,20 @@
rcube::raise_error(array('code' => 620, 'type' => 'php',
'line' => __LINE__, 'file' => __FILE__,
'message' => $errstr), true, false);
+
return '';
}
// fix (unknown/malformed) HTML tags before "wash"
- $html = preg_replace_callback('/(<[\/]*)([^\s>]+)/', array($this, 'html_tag_callback'), $html);
+ $html = preg_replace_callback('/(<(?!\!)[\/]*)([^\s>]+)([^>]*)/', array($this, 'html_tag_callback'), $html);
// Remove invalid HTML comments (#1487759)
// Don't remove valid conditional comments
- $html = preg_replace('/<!--[^->[\n]*>/', '', $html);
+ // Don't remove MSOutlook (<!-->) conditional comments (#1489004)
+ $html = preg_replace('/<!--[^-<>\[\n]+>/', '', $html);
+
+ // fix broken nested lists
+ self::fix_broken_lists($html);
// turn relative into absolute urls
$html = self::resolve_base($html);
@@ -431,7 +489,12 @@
'/[^a-z0-9_\[\]\!-]/i', // forbidden characters
), '', $tagname);
- return $matches[1] . $tagname;
+ // fix invalid closing tags - remove any attributes (#1489446)
+ if ($matches[1] == '</') {
+ $matches[3] = '';
+ }
+
+ return $matches[1] . $tagname . $matches[3];
}
/**
@@ -447,5 +510,122 @@
return $body;
}
-}
+ /**
+ * Fix broken nested lists, they are not handled properly by DOMDocument (#1488768)
+ */
+ public static function fix_broken_lists(&$html)
+ {
+ // do two rounds, one for <ol>, one for <ul>
+ foreach (array('ol', 'ul') as $tag) {
+ $pos = 0;
+ while (($pos = stripos($html, '<' . $tag, $pos)) !== false) {
+ $pos++;
+
+ // make sure this is an ol/ul tag
+ if (!in_array($html[$pos+2], array(' ', '>'))) {
+ continue;
+ }
+
+ $p = $pos;
+ $in_li = false;
+ $li_pos = 0;
+
+ while (($p = strpos($html, '<', $p)) !== false) {
+ $tt = strtolower(substr($html, $p, 4));
+
+ // li open tag
+ if ($tt == '<li>' || $tt == '<li ') {
+ $in_li = true;
+ $p += 4;
+ }
+ // li close tag
+ else if ($tt == '</li' && in_array($html[$p+4], array(' ', '>'))) {
+ $li_pos = $p;
+ $p += 4;
+ $in_li = false;
+ }
+ // ul/ol closing tag
+ else if ($tt == '</' . $tag && in_array($html[$p+4], array(' ', '>'))) {
+ break;
+ }
+ // nested ol/ul element out of li
+ else if (!$in_li && $li_pos && ($tt == '<ol>' || $tt == '<ol ' || $tt == '<ul>' || $tt == '<ul ')) {
+ // find closing tag of this ul/ol element
+ $element = substr($tt, 1, 2);
+ $cpos = $p;
+ do {
+ $tpos = stripos($html, '<' . $element, $cpos+1);
+ $cpos = stripos($html, '</' . $element, $cpos+1);
+ }
+ while ($tpos !== false && $cpos !== false && $cpos > $tpos);
+
+ // not found, this is invalid HTML, skip it
+ if ($cpos === false) {
+ break;
+ }
+
+ // get element content
+ $end = strpos($html, '>', $cpos);
+ $len = $end - $p + 1;
+ $element = substr($html, $p, $len);
+
+ // move element to the end of the last li
+ $html = substr_replace($html, '', $p, $len);
+ $html = substr_replace($html, $element, $li_pos, 0);
+
+ $p = $end;
+ }
+ else {
+ $p++;
+ }
+ }
+ }
+ }
+ }
+
+ /**
+ * Explode css style value
+ */
+ protected function explode_style($style)
+ {
+ $style = trim($style);
+
+ // first remove comments
+ $pos = 0;
+ while (($pos = strpos($style, '/*', $pos)) !== false) {
+ $end = strpos($style, '*/', $pos+2);
+
+ if ($end === false) {
+ $style = substr($style, 0, $pos);
+ }
+ else {
+ $style = substr_replace($style, '', $pos, $end - $pos + 2);
+ }
+ }
+
+ $strlen = strlen($style);
+ $result = array();
+
+ // explode value
+ for ($p=$i=0; $i < $strlen; $i++) {
+ if (($style[$i] == "\"" || $style[$i] == "'") && $style[$i-1] != "\\") {
+ if ($q == $style[$i]) {
+ $q = false;
+ }
+ else if (!$q) {
+ $q = $style[$i];
+ }
+ }
+
+ if (!$q && $style[$i] == ' ' && !preg_match('/[,\(]/', $style[$i-1])) {
+ $result[] = substr($style, $p, $i - $p);
+ $p = $i + 1;
+ }
+ }
+
+ $result[] = (string) substr($style, $p);
+
+ return $result;
+ }
+}
--
Gitblit v1.9.1