From 6e0ae064bf6e11f7634771e44e5761977ba4362c Mon Sep 17 00:00:00 2001
From: thomasb
Date: Thu, 1 Nov 2007 09:51:14 +0000
Subject: Also remove unclosed script tags (fixes XSS vulnerability)

git-svn-id: https://svn.roundcube.net/trunk@909 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 roundcubemail/program/steps/mail/func.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'roundcubemail/program')

diff --git a/roundcubemail/program/steps/mail/func.inc b/roundcubemail/program/steps/mail/func.inc
index 02263292a..c072c9118 100644
--- a/roundcubemail/program/steps/mail/func.inc
+++ b/roundcubemail/program/steps/mail/func.inc
@@ -973,10 +973,10 @@ function rcmail_sanitize_html($body, $container_id)
 // remove SCRIPT tags
 foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
 {
- while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '', $pos)))
+ while (($pos = strpos($body_lc, '<'.$tag)) && (($pos2 = strpos($body_lc, '', $pos)) || ($pos3 = strpos($body_lc, '>', $pos))))
 {
- $pos2 += strlen('');
- $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
+ $end = $pos2 ? $pos2 + strlen('') : $pos3 + 1;
+ $body = substr($body, 0, $pos) . substr($body, $end, strlen($body)-$end);
 $body_lc = strtolower($body);
 }
 }
-- cgit v1.2.3
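Review bot: The outer test `($pos = strpos($body_lc, '<'.$tag))` on the new `while` line still relies on truthiness, so a match at offset 0 (a body that begins with one of the listed tags) evaluates as false and the loop never strips it. Compare explicitly with `($pos = strpos($body_lc, '<'.$tag)) !== false`; the inner `$pos2`/`$pos3` tests can stay as they are, since a terminator found from `$pos` onward cannot sit at offset 0. When neither terminator is found the fragment is also left in place, and truncating the body at `$pos` in that case would make the sanitizer fail closed. The needle in the second `strpos()` and the argument of `strlen()` show as an empty string on this page, presumably lost in extraction, and `rcmail_sanitize_html` starts and ends outside the hunk.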