From 53d75d5dfebef235a344d476b900c20c12d52b01 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 8 Feb 2026 10:25:02 +0100
Subject: [PATCH] Fix regression

---
 program/lib/Roundcube/rcube_utils.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index ead506b5e..55c0158fc 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -432,7 +432,7 @@ class rcube_utils
 */
 public static function mod_css_styles($source, $container_id, $allow_remote = false, $prefix = '')
 {
- $source = self::xss_entity_decode($source);
+ $source = self::xss_entity_decode($source);

 // No @import allowed
 // TODO: We should just remove it, not invalidate the whole content
@@ -447,7 +447,6 @@ class rcube_utils

 // remove html and css comments
 $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
- $source = self::remove_css_comments($source);

 // To prevent from a double-escaping tricks we consider a script with
 // any escape sequences (after de-escaping them above) an evil script.
@@ -457,6 +456,8 @@ class rcube_utils
 }

 // If after removing comments there are still comments it's most likely a hack
+ // Note: In <=1.6 comments are being removed by xss_entity_decode() above
+ // $source = self::remove_css_comments($source);
 if (strpos($source, '/*') !== false || strpos($source, '
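Review bot: In the second hunk (`@@ -447,7 +447,6 @@`) the comment `// remove html and css comments` now sits above a `preg_replace()` that only strips the `<!--` and `-->` markers, so with the `remove_css_comments()` call gone it no longer describes the code. I would change it to `// remove html comment markers (CSS comments are stripped by xss_entity_decode() above)`, and drop the commented-out call in the third hunk in favour of that one sentence. The `/*` rejection further down then relies on xss_entity_decode() having removed comments, which this patch states but does not show, and the diffstat lists no test change, so a case with a CSS comment in the input would be worth adding to pin the behaviour. mod_css_styles() continues past the end of the visible patch.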