Mirrors/roundcubemail
2
0
Fork 0
mirror of https://github.com/roundcube/roundcubemail.git synced 2026-03-05 07:44:01 +01:00
Code Issues Packages Projects Releases Wiki Activity
13,570 Commits 72 Branches 205 Tags
master
Commit Graph

109 Commits

Author SHA1 Message Date
Aleksander Machniak
26d7677471 Fix remote image blocking bypass via SVG content reported by nullcathedral 2026-02-08 09:21:34 +01:00
Aleksander Machniak
5162a0d9d7 Fix Cross-Site-Scripting vulnerability via SVG's animate tag 
reported by Valentin T., CrowdStrike.
 2025-12-14 09:01:26 +01:00
Pablo Zmdl
14c263c608 Also "wash" the name attribute of textarea and select 2025-09-17 14:37:45 +02:00
Pablo Zmdl
0c667c5859 Wash the name attribute also on more elements 
It can pollute the document's namespace unless handled.
 2025-09-17 14:37:45 +02:00
Aleksander Machniak
3139bff247 CS-Fixer: Enable modernize_strpos 2025-08-15 13:20:24 +02:00
Michael Voříšek
026eb8c801 Enforce leading backslash for non-namespaced non-Roundcube uses (#9935) 2025-08-15 10:27:00 +02:00
Aleksander Machniak
9afeb0174e Use PHPStan v2 2025-03-16 13:33:15 +01:00
Michael Voříšek
efcdce84ba Keep phpstan strict rules testing (#9424) 
* Revert "Get rid of phpstan/phpstan-strict-rules"

This reverts commit ff59ade31a.

* drop phpstan baseline

* fix foreach phpstan issue

* adjust for rebase

* fix method call case

* ignore one phpstan error even after isset
 2024-11-20 08:13:16 +01:00
Aleksander Machniak
7c8968f4fe Use new HTML5 parser available on PHP >= 8.4 2024-09-01 15:27:35 +02:00
Aleksander Machniak
58721e3037 Fix regression where HTML messages were displayed unstyled (#9586) 2024-08-16 19:56:51 +02:00
Aleksander Machniak
c99dcacddb - Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010] 
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
 2024-08-04 10:27:18 +02:00
Aleksander Machniak
40a4a71b67 Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009] 
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com)
 2024-08-04 10:25:49 +02:00
Aleksander Machniak
ba252dc5e2 Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes 
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
 2024-05-19 10:20:09 +02:00
Michael Voříšek
a30e0ad438 Infer file/line location in rcube::raise_error() from backtrace (#9422) 
* \n\s+'file' => __FILE__,

* \n\s+'line' => __LINE__,

* 'line' => __LINE__, 'file' => __FILE__,

* 'file' => __FILE__, 'line' => __LINE__,

* rest

* more

* improve cs

* more cs

* revert rcube_utils::preg_error changes

* impl file/line from backtrace

* Revert "revert rcube_utils::preg_error changes"
 2024-04-21 11:48:35 +02:00
Aleksander Machniak
2f5f3bd0de Code improvements 2024-03-24 10:29:31 +01:00
Aleksander Machniak
91816ca187 Fix phpstan errors 2024-02-10 09:23:12 +01:00
Michael Voříšek
332c165d28 Fix some basic JS CS (#9328) 
* fix "nonblock-statement-body-position" (fixed already)

* fix "comma-dangle"

* fix "no-regex-spaces"

* fix "new-parens"

* fix "object-curly-newline"

* fix "object-property-newline"

* fix "spaced-comment" semimanually

* fix "no-constant-condition" manually

* fix "unicorn/no-hex-escape"

* fix "unicorn/escape-case"

* fix "quote-props"

* fix "no-whitespace-before-property" - fix bug/typo

* fix "unicorn/empty-brace-spaces"

* fix "keyword-spacing"

* fix "dot-notation"

* fix "no-return-assign" manually

* fix "padding-line-between-statements"

* fix "key-spacing"

* fix "no-else-return" semimanually

* fix some "no-undef"

* fix case cs

* Revert "fix "padding-line-between-statements""

* improve switch/case format I.

* improve switch/case format II.

regex: (^ *(break|return).*)\n *(\n)

* fix safe "eqeqeq"

* fix "radix"

* fix v3.49.0 CS (static providers)

* fix "string_implicit_backslashes" in php files

* fix comments align

* fix test static providers

* fix stan

* disable "final_internal_class" rule
 2024-02-06 08:28:19 +01:00
Michael Voříšek
d18406a8bd Fix binary operator spaces CS (#9330) 
* align_single_space_minimal for assign

* assign operators grouping is not supported by PHP CS Fixer

* binary_operator_spaces = single_space

* fix anonymous function on single line

* align comments manually
 2024-02-02 07:53:34 +01:00
Aleksander Machniak
34500a4fa4 Fix "missing return statement" phpstan errors 2024-01-27 19:07:52 +01:00
Michael Voříšek
ff2d721680 Fix more CS whitespace (#9318) 
* fix "no_useless_else" manually

* fix some "blank_line_before_statement"

* two manual changes

* Revert "fix some "blank_line_before_statement""

This reverts commit 2cc857c00e.

* fix some "blank_line_before_statement" using patched fixer (after "}" only)

* fix continue/break too
 2024-01-25 19:17:29 +01:00
Michael Voříšek
4ee79b9e84 fix "explicit_string_variable" (#9315) 2024-01-22 08:05:59 +01:00
Michael Voříšek
54f4aa33f9 Fix CS - imports (#9316) 
* fix Tests\Browser\TestCase imports

* fix remaining imports

* fix PHPUnit\Framework\TestCase imports

* import GuzzleHttp\Client

* fix remaining

* "php_unit_method_casing" is not todo

* fix "single_line_comment_spacing"

* fix 2nd commit done using older fixer
 2024-01-21 19:13:31 +01:00
Michael Voříšek
b1a0067e5d Fix more CS (#9303) 
* fix "class_attributes_separation"

* fix "ternary_to_null_coalescing"

* fix "no_extra_blank_lines"

* fix "php_unit_data_provider_name" - use snake_case

* fix remaining "function data_" manually

* move "php_unit_test_case_static_method_calls" to a better place in cnf

* fix 3.47.1 CS
 2024-01-20 08:22:32 +01:00
Michael Voříšek
6a53a1d853 Fix CS (whitespace, visibility) (#9297) 
* Fix "method_argument_space"

* Fix "control_structure_continuation_position"

* Fix "new_with_parentheses"

* Fix "blank_line_before_statement"

* Fix "visibility_required"

* Fix some "array_indentation"

* Fix some "array_indentation" - unify all "rcube::raise_error" calls

* rm useless eslint ignores and add rules counts

* sort eslint ignores

* fix eslint ignores grammar

* Revert "Fix "blank_line_before_statement""

* fix CS 3.46.0
 2024-01-04 14:26:35 +01:00
Michael Voříšek
2643be3eaa Fix single quotes CS (#9283) 
* Fix "single_quote"

* fix "escape_implicit_backslashes"

* fix typo from f363481c

* fix single quotes in JS

* fix some minor JS CS

* fix CS v3.45.0
 2023-12-31 16:36:55 +01:00
Michael Voříšek
3e458fa5fd Refer native constants unambiguously (#9275) 
* Fix "native_constant_invocation" CS

* "self_accessor" was fixed in 9269 PR

* "php_unit_strict" was fixed in 9268 PR
 2023-12-23 17:02:19 +01:00
Michael Voříšek
e7d7e62146 Modernize more basic CS II (#9254) 
* fix "integer_literal_case"

* fix "phpdoc_separation"

* fix "phpdoc_var_without_name"

* fix "operator_linebreak"

* fix "no_alias_language_construct_call"

* fix "list_syntax"

* fix "concat_space"

* fix "array_syntax"

* fix "binary_operator_spaces"

* fix "binary_operator_spaces" relaxed

* fix "phpdoc_types_order"

* fix "phpdoc_trim"

* fix "native_type_declaration_casing"

* fix "method_chaining_indentation"

* fix "phpdoc_no_package"

* fix "elseif"

* fix PHP CS Fixer config itself too

* fix "native_type_declaration_casing"
 2023-12-17 13:14:45 +01:00
Michael Voříšek
ca8b17d191 Modernize more basic CS (#9258) 
* fix "yoda_style"

* fix "is_null"

* rm useless rule ignores

* add full "PhpCsFixer:risky" ruleset

* fix "implode_call"

* fix "no_alias_functions"

* fix "array_push"

* fix "long_to_shorthand_operator"

* fix "ternary_to_elvis_operator"

* fix "logical_operators"

* fix "fopen_flags"

* rename "returns" phpdoc tags to "return"

* fix "php_unit_construct"

* fix "function_to_constant"

* fix "php_unit_data_provider_return_type"

* fix "php_unit_set_up_tear_down_visibility"

* some safe "string_length_to_empty"

* fix "phpdoc_align"

* fix "phpdoc_no_alias_tag"

* fix "trailing_comma_in_multiline"

---------

Co-authored-by: Aleksander Machniak <alec@alec.pl>
 2023-12-17 09:51:11 +01:00
Michael Voříšek
a8707ae220 Fix and assert basic CS using CI (#9246) 
* Assert CS using CI

* fix "single_blank_line_at_eof"

* fix "statement_indentation"

* fix "switch_case_semicolon_to_colon"

* fix "control_structure_braces"

* fix "statement_indentation"

* fix "no_whitespace_in_blank_line"

* fix "no_trailing_whitespace_in_comment"

* fix "no_trailing_whitespace"

* fix "single_space_around_construct"

* fix "spaces_inside_parentheses"

* fix "ternary_operator_spaces"

* fix "trim_array_spaces"

* fix "whitespace_after_comma_in_array"

* fix "cast_spaces"

* fix "unary_operator_spaces"

* fix "no_trailing_comma_in_singleline"

* fix "ordered_imports"

* fix "no_unused_imports"

* Check composer.json format

* fix CI job name

* file header comments are not phpdoc

* fix "phpdoc_indent"

* fix "braces_position"

* fix "phpdoc_types"

* fix "no_blank_lines_after_class_opening"

* fix "no_multiple_statements_per_line"

* fix "multiline_comment_opening_closing"

* fix "single_line_empty_body"

* fix "non_printable_character"

* fix "phpdoc_trim_consecutive_blank_line_separation"

* fix "include"

* fix "no_mixed_echo_print"

---------

Co-authored-by: Aleksander Machniak <alec@alec.pl>
 2023-12-16 15:37:43 +01:00
Michael Voříšek
5425d1a84a Fix invalid phpdocs (#9252) 
* fix missing return type in phpdoc
* fix "phpdoc_scalar"
* Fix phpdoc variable names typos
* fix wrong phpdoc tags
 2023-12-10 16:20:50 +01:00
Aleksander Machniak
6ee6e7ae30 Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168) 2023-10-14 18:16:22 +02:00
Aleksander Machniak
f211757286 Fix bug where a duplicate <title> tag in HTML email could cause some parts being cut off (#9029) 2023-07-09 14:46:19 +02:00
Aleksander Machniak
2847154cd0 Fix bug where multiline data:image URI's in emails were stripped from the message on display (#8613) 2022-09-10 09:53:34 +02:00
Aleksander Machniak
5c4e18820e Fix anchor links in HTML mail (#8632) 2022-07-30 08:59:52 +02:00
Aleksander Machniak
282f0a2830 Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540) 2022-05-28 09:10:57 +02:00
Aleksander Machniak
693b7f0ecb Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content 2021-12-29 19:02:43 +01:00
Aleksander Machniak
e00795b48b Add workaround for the HTML5 parser performance issue, remove the size limit 2021-10-29 11:01:58 +02:00
Aleksander Machniak
f2688ba492 Use ?? operator where applicable 2021-09-21 19:12:06 +02:00
Aleksander Machniak
a832a6943e Fix converting >1MB of HTML content into plain text (#8137) 2021-07-16 12:37:44 +02:00
Kizashi Nagata
551cfc713b Fix bug where 'start' and 'reversed' on ol tag were ignored (#8059) (#8060) 2021-05-15 09:05:59 +02:00
Josh Soref
203f456620 Spelling (#8001) 2021-04-18 08:43:18 +02:00
Aleksander Machniak
2f42fa2eaf Fix HTML5 parser issue with a messy HTML code from Outlook (#7356) 2021-04-05 10:39:00 +02:00
Aleksander Machniak
9f19b931e3 Fix cross-site scripting (XSS) via HTML messages with malicious CSS content 
and improve css parsing code.

Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
 2021-02-08 13:42:12 +01:00
Aleksander Machniak
66062846ec Fix "unitialized string offset" warnings 2020-12-19 19:43:36 +01:00
Aleksander Machniak
f4ed1024dc PHP8 fixes, CS fixes, short array syntax, tests 2020-12-02 20:15:00 +01:00
Aleksander Machniak
545a1569f1 Steps -> Actions refactoring (#7688) 
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
 2020-11-01 11:25:38 +01:00
Aleksander Machniak
bde383d051 PHP8: Fix various issues 
for now only these I found by running our unit tests, there will be much more
 2020-10-11 10:32:41 +02:00
Aleksander Machniak
d81b8447fb Fix empty output from HTML5 parser when content contains XML tag (#7624) 2020-09-23 15:15:02 +02:00
Aleksander Machniak
a5c2b4360c Fixes in context of undefined variables, and code style 2020-08-15 12:13:31 +02:00
Aleksander Machniak
ec4cc29c88 Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content 2020-08-09 18:02:16 +02:00