Michael Voříšek
332c165d28
Fix some basic JS CS (#9328)
...
* fix "nonblock-statement-body-position" (fixed already)
* fix "comma-dangle"
* fix "no-regex-spaces"
* fix "new-parens"
* fix "object-curly-newline"
* fix "object-property-newline"
* fix "spaced-comment" semimanually
* fix "no-constant-condition" manually
* fix "unicorn/no-hex-escape"
* fix "unicorn/escape-case"
* fix "quote-props"
* fix "no-whitespace-before-property" - fix bug/typo
* fix "unicorn/empty-brace-spaces"
* fix "keyword-spacing"
* fix "dot-notation"
* fix "no-return-assign" manually
* fix "padding-line-between-statements"
* fix "key-spacing"
* fix "no-else-return" semimanually
* fix some "no-undef"
* fix case cs
* Revert "fix "padding-line-between-statements""
* improve switch/case format I.
* improve switch/case format II.
regex: (^ *(break|return).*)\n *(\n)
* fix safe "eqeqeq"
* fix "radix"
* fix v3.49.0 CS (static providers)
* fix "string_implicit_backslashes" in php files
* fix comments align
* fix test static providers
* fix stan
* disable "final_internal_class" rule
2024-02-06 08:28:19 +01:00
Michael Voříšek
d18406a8bd
Fix binary operator spaces CS (#9330)
...
* align_single_space_minimal for assign
* assign operators grouping is not supported by PHP CS Fixer
* binary_operator_spaces = single_space
* fix anonymous function on single line
* align comments manually
2024-02-02 07:53:34 +01:00
Michael Voříšek
54f4aa33f9
Fix CS - imports (#9316)
...
* fix Tests\Browser\TestCase imports
* fix remaining imports
* fix PHPUnit\Framework\TestCase imports
* import GuzzleHttp\Client
* fix remaining
* "php_unit_method_casing" is not todo
* fix "single_line_comment_spacing"
* fix 2nd commit done using older fixer
2024-01-21 19:13:31 +01:00
Michael Voříšek
b1a0067e5d
Fix more CS (#9303)
...
* fix "class_attributes_separation"
* fix "ternary_to_null_coalescing"
* fix "no_extra_blank_lines"
* fix "php_unit_data_provider_name" - use snake_case
* fix remaining "function data_" manually
* move "php_unit_test_case_static_method_calls" to a better place in cnf
* fix 3.47.1 CS
2024-01-20 08:22:32 +01:00
Michael Voříšek
6a53a1d853
Fix CS (whitespace, visibility) (#9297)
...
* Fix "method_argument_space"
* Fix "control_structure_continuation_position"
* Fix "new_with_parentheses"
* Fix "blank_line_before_statement"
* Fix "visibility_required"
* Fix some "array_indentation"
* Fix some "array_indentation" - unify all "rcube::raise_error" calls
* rm useless eslint ignores and add rules counts
* sort eslint ignores
* fix eslint ignores grammar
* Revert "Fix "blank_line_before_statement""
* fix CS 3.46.0
2024-01-04 14:26:35 +01:00
Michael Voříšek
2643be3eaa
Fix single quotes CS (#9283)
...
* Fix "single_quote"
* fix "escape_implicit_backslashes"
* fix typo from f363481c
* fix single quotes in JS
* fix some minor JS CS
* fix CS v3.45.0
2023-12-31 16:36:55 +01:00
Michael Voříšek
8c82b29baf
Assert expected data types in tests (#9268)
...
* fix test skips for local testing
* fix Actions_Mail_Search tests when run /w non-UTC default TZ
* improve tests before PHP CS Fixer is run
* fix "php_unit_strict"
2023-12-17 15:03:08 +01:00
Michael Voříšek
e7d7e62146
Modernize more basic CS II (#9254)
...
* fix "integer_literal_case"
* fix "phpdoc_separation"
* fix "phpdoc_var_without_name"
* fix "operator_linebreak"
* fix "no_alias_language_construct_call"
* fix "list_syntax"
* fix "concat_space"
* fix "array_syntax"
* fix "binary_operator_spaces"
* fix "binary_operator_spaces" relaxed
* fix "phpdoc_types_order"
* fix "phpdoc_trim"
* fix "native_type_declaration_casing"
* fix "method_chaining_indentation"
* fix "phpdoc_no_package"
* fix "elseif"
* fix PHP CS Fixer config itself too
* fix "native_type_declaration_casing"
2023-12-17 13:14:45 +01:00
Michael Voříšek
ca8b17d191
Modernize more basic CS (#9258)
...
* fix "yoda_style"
* fix "is_null"
* rm useless rule ignores
* add full "PhpCsFixer:risky" ruleset
* fix "implode_call"
* fix "no_alias_functions"
* fix "array_push"
* fix "long_to_shorthand_operator"
* fix "ternary_to_elvis_operator"
* fix "logical_operators"
* fix "fopen_flags"
* rename "returns" phpdoc tags to "return"
* fix "php_unit_construct"
* fix "function_to_constant"
* fix "php_unit_data_provider_return_type"
* fix "php_unit_set_up_tear_down_visibility"
* some safe "string_length_to_empty"
* fix "phpdoc_align"
* fix "phpdoc_no_alias_tag"
* fix "trailing_comma_in_multiline"
---------
Co-authored-by: Aleksander Machniak <alec@alec.pl>
2023-12-17 09:51:11 +01:00
Aleksander Machniak
6ee6e7ae30
Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
2023-10-14 18:16:22 +02:00
Aleksander Machniak
2847154cd0
Fix bug where multiline data:image URI's in emails were stripped from the message on display (#8613)
2022-09-10 09:53:34 +02:00
Aleksander Machniak
5c4e18820e
Fix anchor links in HTML mail (#8632)
2022-07-30 08:59:52 +02:00
Aleksander Machniak
282f0a2830
Fix bug where title tag content was displayed in the body if it contained HTML tags (#8540)
2022-05-28 09:10:57 +02:00
Aleksander Machniak
693b7f0ecb
Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
2021-12-29 19:02:43 +01:00
Aleksander Machniak
e00795b48b
Add workaround for the HTML5 parser performance issue, remove the size limit
2021-10-29 11:01:58 +02:00
Aleksander Machniak
89e54718ca
Migration to PHPUnit v9
2021-07-25 11:07:56 +02:00
Aleksander Machniak
2f42fa2eaf
Fix HTML5 parser issue with a messy HTML code from Outlook (#7356)
2021-04-05 10:39:00 +02:00
Aleksander Machniak
f4ed1024dc
PHP8 fixes, CS fixes, short array syntax, tests
2020-12-02 20:15:00 +01:00
Aleksander Machniak
545a1569f1
Steps -> Actions refactoring (#7688)
...
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
2020-11-01 11:25:38 +01:00
Aleksander Machniak
bde383d051
PHP8: Fix various issues
...
for now only these I found by running our unit tests, there will be much more
2020-10-11 10:32:41 +02:00
Aleksander Machniak
d81b8447fb
Fix empty output from HTML5 parser when content contains XML tag (#7624)
2020-09-23 15:15:02 +02:00
Aleksander Machniak
ec4cc29c88
Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content
2020-08-09 18:02:16 +02:00
Achim Leitner
8e0ee8b1c4
Fix: Keep children of object tag (#6453)
...
The HTML tag <object> optionally has embedded (child) tags that serve as an
alternative (fallback) HTML representation for the object. Of course, the
object and its parameters are considered harmful in HTML mail, but the
alternative representation is meant for exactly this kind of situation. They
should display the object contents without loading possibly insecure code.
- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets
cleaned through $void_elements, they get ignored anyway, without removing the
valuable child nodes.
Co-authored-by: root <root@coreboso-kolab.coreboso.de>
2020-08-07 11:06:14 +02:00
Aleksander Machniak
17deadfe56
Fix handling links without defined protocol (#7454)
2020-07-29 15:17:48 +02:00
Aleksander Machniak
0d9bffa878
Fix incorrect rewriting of internal links in HTML content (#7512)
2020-07-29 14:19:02 +02:00
Aleksander Machniak
32a7709ddf
Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
...
Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
2020-07-03 11:29:50 +02:00
Aleksander Machniak
87e4cd0cf2
Fix XSS issue in handling of CDATA in HTML messages
2020-04-26 07:59:47 +02:00
Aleksander Machniak
47d9ed6d0c
Add support for PHPUnit 6 and 7 (#6870)
...
Fixes composer dependencies: Package phpunit/phpunit-mock-objects is abandoned
We cannot support v8 yet because of errors like:
Declaration of MailFunc::setUp() must be compatible with PHPUnit\Framework\TestCase::setUp(): void
It would require dropping PHP < 7.1 support.
2019-12-28 09:37:45 +01:00
Aleksander Machniak
cf90c69ad7
Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109)
2019-12-14 17:42:55 +01:00
Aleksander Machniak
21ebf3ff5a
Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
2019-08-27 15:57:47 +02:00
Aleksander Machniak
55cca61134
Workaround more invalid HTML cases parsed incorrectly by Mastermind/HTML5 (#6713)
2019-04-28 12:43:10 +02:00
Aleksander Machniak
92ed0154d5
Followup fix on handling HTML content w/o html/head/body tag (#6713)
2019-04-15 09:25:12 +02:00
Aleksander Machniak
03d56926d8
Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713)
2019-04-14 09:53:02 +02:00
dsoares
00cc13a1b9
Fix bug where HTML messages with a xml:namespace tag were not rendered.
2019-03-26 15:10:43 +00:00
Aleksander Machniak
0a0ac045fe
Fix bug where valid content between HTML comments could have been skipped in some cases (#6464)
2018-09-27 16:00:54 +02:00
Aleksander Machniak
086e781b8f
Fix bug where some HTML comments could have been malformed by HTML parser (#6333)
2018-06-22 14:16:20 +02:00
Aleksander Machniak
0716d499bc
Fix bug where some escape sequences in html styles could bypass security checks
2018-05-05 17:12:18 +02:00
Aleksander Machniak
63d3ad11fb
Use Masterminds/HTML5 parser for HTML5 support (#5761)
2018-04-21 13:14:42 +02:00
Aleksander Machniak
5e08a6ac59
Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
...
Fixes the issue where a remote stylesheet could have been blocked
if the message contained no remote images and the user has no way to
allow that content.
2017-10-13 12:48:13 +02:00
Aleksander Machniak
3196d656db
Fix css conflicts in user interface and e-mail content (#5891)
...
... by adding prefix to element/class identifiers
Also cleaned up some code and removed global variable use.
2017-10-12 10:48:54 +02:00
Thomas Bruederli
919338d4ba
Escape textarea contents in Washtml
2017-08-18 09:49:54 +02:00
Aleksander Machniak
e08f22ef28
Fix bug where external content in src attribute of input/video tags was not secured (#5583)
2017-01-07 20:00:18 +01:00
Aleksander Machniak
dcabc1d814
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
tests/Framework/Washtml.php
2016-07-31 09:26:19 +02:00
Aleksander Machniak
bf5b3072c4
Fix MathML test on older PHP versions
2016-07-18 11:19:53 +02:00
Aleksander Machniak
edfd9da42a
Support MathML in HTML message preview (#5182)
2016-07-17 11:15:37 +02:00
Aleksander Machniak
6737e293bb
Wash position:fixed style in HTML mail for better security (#5264)
2016-05-29 17:09:41 +02:00
Aleksander Machniak
ca9ad75d96
Add some more tests for HREF attribute washing
2016-05-08 10:06:24 +02:00
Aleksander Machniak
6652367d65
Fix XSS issue in href attribute on area tag (#5240, #5241)
2016-05-06 08:28:15 +02:00
Aleksander Machniak
ed1d212ae2
Improved SVG cleanup code
2016-01-16 09:03:51 +01:00
Aleksander Machniak
9234903287
Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583)
2015-11-05 08:46:43 +01:00