From fbf02ab360cbe003b9b90efb878969d82a3fc240 Mon Sep 17 00:00:00 2001
From: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>
Date: Fri, 22 Dec 2006 21:45:21 +0000
Subject: Applied security patches by Kees Cook (Ubuntu) + little visual
 enhancements

git-svn-id: https://svn.roundcube.net/trunk@425 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 roundcubemail/program/steps/mail/func.inc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'roundcubemail/program/steps/mail/func.inc')

diff --git a/roundcubemail/program/steps/mail/func.inc b/roundcubemail/program/steps/mail/func.inc
index f01e95bb9..57f20e57a 100644
--- a/roundcubemail/program/steps/mail/func.inc
+++ b/roundcubemail/program/steps/mail/func.inc
@@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
                                '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i',
                                '/<script.+<\/script>/Umis');
 
-      $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4',
+      $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4',
                                '',
                                '',
                                '',
@@ -1210,7 +1210,8 @@ function rcmail_mod_html_body($body, $container_id)
     }
 
   // replace event handlers on any object
-  $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body);
 
   // resolve <base href>
   $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i';
@@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in)
   if (stristr((string)$attrib['href'], 'mailto:'))
     $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)",
                                  $GLOBALS['JS_OBJECT_NAME'],
-                                 substr($attrib['href'], 7));
+                                 JQ(substr($attrib['href'], 7)));
   else if (!empty($attrib['href']) && $attrib['href']{0}!='#')
     $attrib['target'] = '_blank';
   
-- 
cgit v1.2.3