[imp] Mail.app mail forwarding issue w/ 4.2RC3 / HEAD

Michael M Slusarz slusarz at horde.org
Mon Apr 7 17:18:32 UTC 2008


Quoting Ziba Scott <ziba at umich.edu>:

> Hi,
>
> I've been working with Liam on the Apple Mail, multiple html tag issue.
>
> Quoting Michael M Slusarz <slusarz <at> horde.org>:
>
>
>> > Actually, I'm pretty sure that our HTML filter (specifically the preg
>> > regex I just fixed a week or two ago) will prevent this message from
>> > ever showing fully because it will purge all text after the 1st
>> > closing html tag.
>>
>
>
> The xss filter (Text_Filter/Filter/xss.php) contains regular expressions
> which strip html and body tags and anything outside of them.
>
> I know it's not Horde's responsibility to write workarounds for every
> buggy mail client, but I think there is a small change that can be made
> to accommodate multiple html or body tags without affecting the level of
> xss protection.
>
> The xss filter could comment out the html and body tags, instead of
> stripping them and everything outside:
> <!--<html>-->Begin forwarded message:<!--</html>-->
>
> I'm unclear on the benefit of stripping everything outside of the html
> tags if you've already commented them out.  Making this change shouldn't
> allow a malicious user to get anything into the message that they
> couldn't otherwise.
>
> Here's a small patch with my proposed changes:
>
> RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
> retrieving revision 1.12
> diff -r1.12 xss.php
> 75,76c75,76
> <             $patterns['/.*<(body|html)[^>]*>/si'] = '';
> <             $patterns['/<\/(body|html)>.*/si'] = '';
> ---
>>             $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
>>             $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';
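Review bot: Both replacement strings end the comment with `--!>` rather than the standard `-->` that the example earlier in this message uses; HTML5 parsers accept `--!>` only as an "incorrectly closed comment" parse error, so write `'<!--\1-->'` on both lines. A second point: the removed first pattern, `/.*<(body|html)[^>]*>/si`, also discarded everything before the last opening tag, which took the whole `<head>` section with it; with the new patterns any `<head>` content (style, meta, link, base, title) passes through into the filtered output, so it needs to be stripped explicitly or be covered by the filter's other rules before this goes in.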
>
>
> Thanks,
> Ziba

Just so this doesn't get lost, could you put this information in a  
ticket (http://bugs.horde.org/)?  Thanks.

michael

-- 
___________________________________
Michael Slusarz [slusarz at horde.org]
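The two regex approaches discussed in this thread, as an added illustration that is not part of the thread or of Horde's Text_Filter code. It ports the quoted PCRE patterns to Python's re module (the four patterns are the ones from the message and the patch; the sample message, `drop_head`, `live_tag_names` and `visible_text` are my own additions) and shows why the old patterns lose the forwarding note on a multi-document message, and what the comment-wrapping version leaves in the output:

```python
import re

FLAGS = re.S | re.I

# Constructed sample (not taken from the thread): the shape of an Apple Mail
# forward, where the forwarding note sits between two complete HTML documents
# and the first one carries a <head> section.
FORWARD = (
    "<html><head><title>Old</title></head><body>Original note</body></html>"
    "Begin forwarded message:"
    "<html><body>Forwarded body</body></html>"
)


def strip_outside_tags(html):
    """The pre-patch patterns: greedy '.*' with /s drops everything up to the
    LAST opening body/html tag, then everything after the FIRST closing one.
    On a multi-document message the text in between is lost."""
    html = re.sub(r".*<(body|html)[^>]*>", "", html, flags=FLAGS)
    html = re.sub(r"</(body|html)>.*", "", html, flags=FLAGS)
    return html


def comment_out_tags(html):
    """The proposed patterns: wrap each tag in an HTML comment and keep the
    text around it. Written with the standard '-->' closer (the patch as
    posted uses '--!>', which HTML5 parsers only tolerate as a parse error)."""
    html = re.sub(r"(<body[^>]*>|<html[^>]*>)", r"<!--\1-->", html, flags=FLAGS)
    html = re.sub(r"(</(body|html)>)", r"<!--\1-->", html, flags=FLAGS)
    return html


def drop_head(html):
    """Hardening step (my suggestion, not part of the thread): the old first
    pattern silently discarded the <head> section along with the leading
    tags; the comment approach keeps it, so remove it explicitly."""
    return re.sub(r"<head\b[^>]*>.*?</head>", "", html, flags=FLAGS)


def live_tag_names(html):
    """Tag names that survive outside comments, i.e. what a browser would
    still interpret. A neutralised body/html tag must not appear here."""
    no_comments = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return [name.lower()
            for name in re.findall(r"</?\s*([a-z][a-z0-9]*)", no_comments, flags=re.I)]


def visible_text(html):
    """Rough reader's view: comments removed, then the remaining tags removed."""
    no_comments = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"<[^>]+>", "", no_comments)


if __name__ == "__main__":
    print("old filter        :", repr(visible_text(strip_outside_tags(FORWARD))))
    print("commented out     :", repr(visible_text(comment_out_tags(FORWARD))))
    print("live tags left    :", live_tag_names(comment_out_tags(FORWARD)))
    print("with head dropped :", repr(visible_text(comment_out_tags(drop_head(FORWARD)))))
```

Running it shows the old filter reducing the sample to just "Forwarded body", while the comment-wrapping patterns keep all three text segments but also let the `<head>` and `<title>` tags through, which is why `drop_head` (or an equivalent rule elsewhere in the filter) is needed to restore what the old `.*<body>` strip was removing as a side effect.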


