Fix regression

Aleksander Machniak
2026-02-08 10:25:02 +01:00
parent 2b5625f1d2
commit 53d75d5dfe


@@ -432,7 +432,7 @@ class rcube_utils
*/
public static function mod_css_styles($source, $container_id, $allow_remote = false, $prefix = '')
{
$source = self::xss_entity_decode($source);
$source = self::xss_entity_decode($source);
// No @import allowed
// TODO: We should just remove it, not invalidate the whole content
@@ -447,7 +447,6 @@ class rcube_utils
// remove html and css comments
$source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
$source = self::remove_css_comments($source);
// To prevent from a double-escaping tricks we consider a script with
// any escape sequences (after de-escaping them above) an evil script.
@@ -457,6 +456,8 @@ class rcube_utils
}
// If after removing comments there are still comments it's most likely a hack
// Note: In <=1.6 comments are being removed by xss_entity_decode() above
// $source = self::remove_css_comments($source);
if (strpos($source, '/*') !== false || strpos($source, '<!--') !== false) {
return '/* evil! */';
}
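Review bot: The commented-out `// $source = self::remove_css_comments($source);` left above the `/*` / `<!--` check is dead code, and the comment "If after removing comments there are still comments" now describes a step that, according to the added note, only happens inside `xss_entity_decode()`. I would drop the commented-out call and state the dependency directly, e.g. `// Comments were already removed by xss_entity_decode() (<=1.6); any marker still present is treated as hostile`. This check appears to be the only guard left in the visible code for comment markers that survive, or are formed by, the HTML-comment `preg_replace` earlier in the function. A unit test asserting that such input returns `/* evil! */` would pin the implicit contract with `xss_entity_decode()` so it cannot silently break. The body of `mod_css_styles()` starts and ends outside the hunks shown, so this is based only on the visible lines.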