[imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD

Ziba Scott ziba at umich.edu
Mon Apr 7 17:01:46 UTC 2008


Hi,

I've been working with Liam on the Apple Mail, multiple html tag issue.

Quoting Michael M Slusarz <slusarz <at> horde.org>:


> > Actually, I'm pretty sure that our HTML filter (specifically the preg  
> > regex I just fixed a week or two ago) will prevent this message from  
> > ever showing fully because it will purge all text after the 1st  
> > closing html tag.

The xss filter (Text_Filter/Filter/xss.php) contains regular expressions
which strip html and body tags and anything outside of them. 

I know it's not Horde's responsibility to write workarounds for every
buggy mail client, but I think there is a small change that can be made
to accommodate multiple html or body tags without affecting the level of
xss protection.

The xss filter could comment out the html and body tags, instead of
stripping them and everything outside:
<!--<html>-->Begin forwarded message:<!--</html>-->

I'm unclear on the benefit of stripping everything outside of the html
tags if you've already commented them out.  Making this change shouldn't
allow a malicious user to get anything into the message that they
couldn't otherwise.

Here's a small patch with my proposed changes:

RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
retrieving revision 1.12
diff -r1.12 xss.php
75,76c75,76
<             $patterns['/.*<(body|html)[^>]*>/si'] = '';
<             $patterns['/<\/(body|html)>.*/si'] = '';
---
>             $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>             $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';
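
Review bot: both replacement strings on the new lines 75,76 end the comment with --!> rather than -->, which is not the standard comment terminator and does not match the <!--<html>--> form shown in the description above the patch. A parser that does not accept --!> as a comment end will swallow the rest of the message into the comment, so the replacement should read '<!--\1-->' in both patterns. Two further points on the same lines. First, the removed patterns also discarded everything before the opening tag and after the closing tag (the .* on either side), so with this change that text now reaches the remaining filter patterns and is displayed. The patch should come with a test message that has two html/body pairs and content outside them, to confirm the other patterns handle what used to be dropped. Second, inserting comment delimiters changes comment boundaries in the message: a body or html tag that already sits inside a comment would end that comment at the inserted -->, exposing the text that follows it. Stripping only the tags themselves, for example '/<\/?(body|html)[^>]*>/si' replaced with '', keeps the text outside the tags without introducing new comment markers.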


Thanks,
Ziba






