[Bug 877] New - Cleaning style attribute for HTML documents [patch]
bugs@bugs.horde.org
bugs@bugs.horde.org
Mon, 18 Feb 2002 05:06:16 -0400
http://bugs.horde.org/show_bug.cgi?id=877
*** shadow/877 Mon Feb 18 05:06:16 2002
--- shadow/877.tmp.7917 Mon Feb 18 05:06:16 2002
***************
*** 0 ****
--- 1,44 ----
+ Bug#: 877
+ Product: Horde
+ Version: 2.2 Stable
+ Platform: PHP Code
+ OS/Version: All
+ Status: NEW
+ Resolution:
+ Severity: minor
+ Priority: P2
+ Component: IMP
+ Area: BUILD
+ AssignedTo: chuck@horde.org
+ ReportedBy: dexter@top.pl
+ URL:
+ Summary: Cleaning style attribute for HTML documents [patch]
+
+ IMP cleans up all tags with style attribute. I think it is not necessary as
+ far as cleaning style attribute should be enough. Especially IMP shouldn't
+ clean <a href> tags with style attribute.
+
+ Proposed patch:
+
+ diff -u -r1.4.2.3 html.php
+ --- html.php 2 Jan 2002 04:02:20 -0000 1.4.2.3
+ +++ html.php 18 Feb 2002 08:56:49 -0000
+ @@ -55,10 +55,12 @@
+ '|<([^>]*)meta|i',
+ '|<([^>]*)j\sa\sv\sa|i',
+ '|<([^>]*)object|i',
+ - '|<([^>]*)iframe|i',
+ - '|<([^>]*)style|i');
+ + '|<([^>]*)iframe|i');
+ $data = preg_replace($malicious, '<cleaned_tag', $data);
+ -
+ +
+ + /* Get all style attribute tags. */
+ + $data = preg_replace('|(<[^>]*)(style)|i', '\1cleaned', $data);
+ +
+ /* A few other matches. */
+ $data = preg_replace('|<([^>]*)&{.*}([^>]*)>|', '<&{;}\3>', $data);
+ $data = preg_replace('|<([^>]*)mocha:([^>]*)>|i', '<cleaned\2>',
+ $data);
+
+
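Review bot: In the added `preg_replace('|(<[^>]*)(style)|i', '\1cleaned', $data)`, the greedy `[^>]*` makes each tag match only up to its last `style`, and since `\1` is written back unchanged, any earlier `style` attribute in the same tag is left intact. The removed `'|<([^>]*)style|i'` entry replaced the whole prefix with `<cleaned_tag` and so had no such gap. The pattern also matches `style` anywhere inside a tag, including inside an `href` value, so the `<a href>` links the report wants to preserve can still be altered, and `<style>` elements now become `<cleaned>` instead of `<cleaned_tag>`. Suggest matching the attribute name at a word boundary followed by `=`, repeating the replacement until nothing matches, and noting in the comment that this line is also what handles `<style>` elements. The `-`/`+` pair on the blank line after the first `preg_replace` is a whitespace-only change and can be dropped.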