authorthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2007-11-01 09:51:14 +0000
committerthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2007-11-01 09:51:14 +0000
commit6e0ae064bf6e11f7634771e44e5761977ba4362c (patch)
treefcfccfecffb9041ac45e694ca9495cb35c039e16
parentcc2b6a97283ed0d8d0a6a009de67a32b86a71fd8 (diff)
Also remove unclosed script tags (fixes XSS vulnerability)
git-svn-id: https://svn.roundcube.net/trunk@909 208e9e7b-5314-0410-a742-e7e81cd9613c
-rw-r--r--roundcubemail/program/steps/mail/func.inc6
1 files changed, 3 insertions, 3 deletions
diff --git a/roundcubemail/program/steps/mail/func.inc b/roundcubemail/program/steps/mail/func.inc
index 02263292a..c072c9118 100644
--- a/roundcubemail/program/steps/mail/func.inc
+++ b/roundcubemail/program/steps/mail/func.inc
@@ -973,10 +973,10 @@ function rcmail_sanitize_html($body, $container_id)
// remove SCRIPT tags
foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
{
- while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)))
+ while (($pos = strpos($body_lc, '<'.$tag)) && (($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)) || ($pos3 = strpos($body_lc, '>', $pos))))
{
- $pos2 += strlen('</'.$tag.'>');
- $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
+ $end = $pos2 ? $pos2 + strlen('</'.$tag.'>') : $pos3 + 1;
+ $body = substr($body, 0, $pos) . substr($body, $end, strlen($body)-$end);
$body_lc = strtolower($body);
}
}
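Review bot: The added `while` condition still uses the result of `strpos()` as a boolean, so when a listed tag sits at offset 0 of `$body_lc` the call returns `0`, the loop body never runs and the tag stays in the output. Compare explicitly instead: `while (($pos = strpos($body_lc, '<'.$tag)) !== false && (...))`. The new `$pos3` fallback also depends on a `>` appearing somewhere after the opening tag; when none does, the loop ends with the fragment still in `$body`, and cutting `$body` at `$pos` in that case would be the safer default. `rcmail_sanitize_html` starts and ends outside this hunk, so other filtering there may already cover part of this. Longer term, an allowlist sanitizer working on parsed HTML is more dependable than substring removal.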