Commit Graph

72 Commits

Author SHA1 Message Date
Aleksander Machniak
f2688ba492 Use ?? operator where applicable 2021-09-21 19:12:06 +02:00
Aleksander Machniak
a832a6943e Fix converting >1MB of HTML content into plain text (#8137) 2021-07-16 12:37:44 +02:00
Kizashi Nagata
551cfc713b Fix bug where 'start' and 'reversed' on ol tag were ignored (#8059) (#8060) 2021-05-15 09:05:59 +02:00
Josh Soref
203f456620 Spelling (#8001) 2021-04-18 08:43:18 +02:00
Aleksander Machniak
2f42fa2eaf Fix HTML5 parser issue with a messy HTML code from Outlook (#7356) 2021-04-05 10:39:00 +02:00
Aleksander Machniak
9f19b931e3 Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
and improve css parsing code.

Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
2021-02-08 13:42:12 +01:00
Aleksander Machniak
66062846ec Fix "Uninitialized string offset" warnings 2020-12-19 19:43:36 +01:00
Aleksander Machniak
f4ed1024dc PHP8 fixes, CS fixes, short array syntax, tests 2020-12-02 20:15:00 +01:00
Aleksander Machniak
545a1569f1 Steps -> Actions refactoring (#7688)
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
2020-11-01 11:25:38 +01:00
Aleksander Machniak
bde383d051 PHP8: Fix various issues
for now only those I found by running our unit tests; there will be many more
2020-10-11 10:32:41 +02:00
Aleksander Machniak
d81b8447fb Fix empty output from HTML5 parser when content contains XML tag (#7624) 2020-09-23 15:15:02 +02:00
Aleksander Machniak
a5c2b4360c Fixes in context of undefined variables, and code style 2020-08-15 12:13:31 +02:00
Aleksander Machniak
ec4cc29c88 Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content 2020-08-09 18:02:16 +02:00
Achim Leitner
8e0ee8b1c4 Fix: Keep children of object tag (#6453)
The HTML tag <object> optionally has embedded (child) tags that serve as an
alternative (fallback) HTML representation for the object. Of course, the
object and its parameters are considered harmful in HTML mail, but the
alternative representation is meant for exactly this kind of situation. They
should display the object contents without loading possibly insecure code.

- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets
  cleaned through $void_elements, they get ignored anyway, without removing the
  valuable child nodes.

Co-authored-by: root <root@coreboso-kolab.coreboso.de>
2020-08-07 11:06:14 +02:00
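The entry above describes the behaviour an allowlist sanitizer needs for <object>: drop the tag and its <param> children, but keep the fallback markup inside it instead of deleting the whole subtree. The Python below is an added illustration written for this page, not Roundcube's PHP rcube_washtml code; its element/attribute allowlists and the sample message body are made up for the demo. It shows the two behaviours side by side (unwrap unknown elements versus drop their subtree) and, in both modes, keeps script and style content out of the output, since that text is not renderable fallback.

```python
from html import escape
from html.parser import HTMLParser
from typing import List

# Added example, not Roundcube's code. The allowlists below are illustrative
# assumptions chosen for the demo, not the project's real lists.
ALLOWED_ELEMENTS = {"p", "b", "i", "a", "br", "div", "span", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
# Elements without renderable children; a disallowed one is simply dropped.
VOID_ELEMENTS = {"param", "br", "img", "embed", "source", "track", "hr", "input"}
# Disallowed elements whose text content must never leak into the output.
DROP_WITH_CONTENT = {"script", "style", "head", "title"}


class AllowlistSanitizer(HTMLParser):
    """Emit allowlisted elements; for any other element either unwrap it
    (keep its children) or drop the whole subtree, per `unwrap_unknown`."""

    def __init__(self, unwrap_unknown: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.unwrap_unknown = unwrap_unknown
        self.out: List[str] = []
        self.drop_depth = 0  # > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_ELEMENTS:
                self.drop_depth += 1  # nested element inside the dropped subtree
            return
        if tag in ALLOWED_ELEMENTS:
            kept = "".join(
                f' {name}="{escape(value or "", quote=True)}"'
                for name, value in attrs if name in ALLOWED_ATTRS
            )
            self.out.append(f"<{tag}{kept}>")
            return
        if tag in VOID_ELEMENTS:
            return  # e.g. <param>: nothing to emit and no children to preserve
        if tag in DROP_WITH_CONTENT or not self.unwrap_unknown:
            self.drop_depth = 1  # swallow the element and everything inside it
        # otherwise unwrap: emit nothing for the tag; its children are processed normally

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_ELEMENTS:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are never copied to the output


def sanitize(html_in: str, unwrap_unknown: bool = True) -> str:
    parser = AllowlistSanitizer(unwrap_unknown)
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)


# Constructed sample message body, not a captured e-mail.
SAMPLE_MAIL_HTML = (
    "<p>Hello</p>"
    '<object data="movie.swf" type="application/x-shockwave-flash">'
    '<param name="movie" value="movie.swf">'
    "<p>Your client cannot show the <b>animation</b>.</p>"
    "</object>"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_MAIL_HTML, unwrap_unknown=True))
    print(sanitize(SAMPLE_MAIL_HTML, unwrap_unknown=False))
```

With unwrap_unknown=True the sample keeps the fallback paragraph and loses only the <object>/<param> tags and the script; with unwrap_unknown=False the fallback disappears together with the object, which is the loss the commit message describes. Unwrapping is the right default for unknown presentational wrappers, but elements whose content is not user-visible text (script, style) still have to be dropped with their content.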
Aleksander Machniak
17deadfe56 Fix handling links without defined protocol (#7454) 2020-07-29 15:17:48 +02:00
Aleksander Machniak
0d9bffa878 Fix incorrect rewriting of internal links in HTML content (#7512) 2020-07-29 14:19:02 +02:00
Aleksander Machniak
32a7709ddf Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
2020-07-03 11:29:50 +02:00
Aleksander Machniak
87e4cd0cf2 Fix XSS issue in handling of CDATA in HTML messages 2020-04-26 07:59:47 +02:00
Aleksander Machniak
b35b5a1a26 Fix typo 2020-04-22 12:36:51 +02:00
Aleksander Machniak
bf34e8cf9c Fix performance issue of parsing big HTML messages by disabling HTML5 parser for these (#7331) 2020-04-22 12:33:34 +02:00
Aleksander Machniak
cf90c69ad7 Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109) 2019-12-14 17:42:55 +01:00
Aleksander Machniak
21ebf3ff5a Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896) 2019-08-27 15:57:47 +02:00
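Two entries in this log touch the URI check applied to links: handling links without a defined protocol (#7454) and the bypass of the href check with data:application/xhtml+xml URIs (#6896). The Python below is an added example, not Roundcube's code; its scheme and media-type allowlists are assumptions for the demo, and nothing here claims to reproduce how the project fixed either issue. It shows a check that normalises a URL the way browsers do before reading the scheme, treats a scheme-less value as a relative link, refuses data: for href entirely, and admits inline data: images only by exact media type, so a prefix match on "data:" cannot be turned into an XHTML or SVG document. The same function has to be applied to every URL-carrying attribute (a and area href, img and input src, and so on), not only to <a>.

```python
import re
from typing import Optional

# Added example, not Roundcube's code. Allowlists are assumptions for the demo.
ALLOWED_HREF_SCHEMES = {"http", "https", "ftp", "mailto", "tel"}
ALLOWED_SRC_SCHEMES = {"http", "https", "cid"}  # cid: references an inline attachment
ALLOWED_IMAGE_TYPES = {"image/png", "image/gif", "image/jpeg", "image/webp"}

# Browsers strip ASCII whitespace and control characters before parsing a URL,
# so "java\tscript:" or "\x01javascript:" still executes. Decide on a copy that
# has been normalised the same way, but return the original value untouched.
_CONTROLS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")
_DATA_URI = re.compile(r"^data:([a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+)(?:;[^,]*)?,")


def _normalise(url: str) -> str:
    return _CONTROLS.sub("", url).lower()


def wash_href(href: str) -> Optional[str]:
    """Return href if acceptable for <a href> / <area href>, else None.
    Call it on the entity-decoded attribute value, never on the raw source."""
    scheme = _SCHEME.match(_normalise(href))
    if scheme is None:
        # No scheme: "#top", "/inbox" or "example.com/page". A relative link
        # cannot smuggle in javascript: or data:, so it is kept as-is.
        return href
    # data: is refused for links whatever the media type: a data:text/html or
    # data:application/xhtml+xml target is a complete document that can carry script.
    return href if scheme.group(1) in ALLOWED_HREF_SCHEMES else None


def wash_src(src: str) -> Optional[str]:
    """Return src if acceptable for <img src>: a remote http(s) URL, a cid: part,
    a relative path, or an inline data: URI whose media type is a raster image."""
    norm = _normalise(src)
    data = _DATA_URI.match(norm)
    if data is not None:
        # Match the exact media type. A prefix test such as startswith("data:") would
        # also admit application/xhtml+xml or image/svg+xml, both of which can run script.
        return src if data.group(1) in ALLOWED_IMAGE_TYPES else None
    scheme = _SCHEME.match(norm)
    if scheme is None:
        return src
    return src if scheme.group(1) in ALLOWED_SRC_SCHEMES else None


if __name__ == "__main__":
    # Constructed probe values, not taken from a real message.
    for value in ("https://example.com/", "example.com/page", "java\tscript:alert(1)",
                  "data:application/xhtml+xml,<html><script>alert(1)</script></html>"):
        print(repr(value), "->", wash_href(value))
```

Two design points worth noting: the decision is made on the normalised copy but the returned value is the original, so the sanitizer never rewrites a legitimate URL; and a scheme-less value is only safe because the later rewriting step treats it as relative to the message context rather than guessing a protocol for it.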
Aleksander Machniak
1afa46d28d PHPDoc and CS fixes 2019-08-25 14:15:09 +02:00
Aleksander Machniak
55cca61134 Workaround more invalid HTML cases parsed incorrectly by Mastermind/HTML5 (#6713) 2019-04-28 12:43:10 +02:00
Aleksander Machniak
57c67db029 Remove year(s) from copyright headers + some cleanup 2019-04-16 10:42:45 +02:00
Aleksander Machniak
92ed0154d5 Followup fix on handling HTML content w/o html/head/body tag (#6713) 2019-04-15 09:25:12 +02:00
Aleksander Machniak
03d56926d8 Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713) 2019-04-14 09:53:02 +02:00
dsoares
00cc13a1b9 Fix bug where HTML messages with a xml:namespace tag were not rendered. 2019-03-26 15:10:43 +00:00
Aleksander Machniak
0a0ac045fe Fix bug where valid content between HTML comments could have been skipped in some cases (#6464) 2018-09-27 16:00:54 +02:00
Aleksander Machniak
4310046993 Remove redundant trim() 2018-09-17 08:37:38 +02:00
Aleksander Machniak
c28242f63c Log errors caused by low pcre.backtrack_limit when sending a mail message (#6433) 2018-09-14 13:37:19 +02:00
Aleksander Machniak
086e781b8f Fix bug where some HTML comments could have been malformed by HTML parser (#6333) 2018-06-22 14:16:20 +02:00
Aleksander Machniak
0716d499bc Fix bug where some escape sequences in html styles could bypass security checks 2018-05-05 17:12:18 +02:00
Aleksander Machniak
63d3ad11fb Use Masterminds/HTML5 parser for HTML5 support (#5761) 2018-04-21 13:14:42 +02:00
Aleksander Machniak
73ea8f94d0 Use htmlspecialchars() with charset argument, simplify some code 2018-04-03 15:29:59 +02:00
Aleksander Machniak
9d2b303b51 Fix bug in remote content blocking on HTML image and style tags (#6178) 2018-02-14 20:19:32 +01:00
Aleksander Machniak
5e08a6ac59 Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)
Fixes the issue where a remote stylesheet could have been blocked
if the message contained no remote images and the user had no way to
allow that content.
2017-10-13 12:48:13 +02:00
Aleksander Machniak
3196d656db Fix css conflicts in user interface and e-mail content (#5891)
... by adding a prefix to element/class identifiers
Also cleaned up some code and removed global variable use.
2017-10-12 10:48:54 +02:00
Aleksander Machniak
72fe97ddfc Fix bug where HTML messages could have been rendered empty on some systems (#5957)
Consistently use $nodeName instead of $tagName property.
2017-09-17 08:44:08 +02:00
Thomas Bruederli
919338d4ba Escape textarea contents in Washtml 2017-08-18 09:49:54 +02:00
Aleksander Machniak
e08f22ef28 Fix bug where external content in src attribute of input/video tags was not secured (#5583) 2017-01-07 20:00:18 +01:00
Aleksander Machniak
dcabc1d814 Merge remote-tracking branch 'upstream/master'
Conflicts:
	tests/Framework/Washtml.php
2016-07-31 09:26:19 +02:00
Aleksander Machniak
edfd9da42a Support MathML in HTML message preview (#5182) 2016-07-17 11:15:37 +02:00
Aleksander Machniak
6737e293bb Wash position:fixed style in HTML mail for better security (#5264) 2016-05-29 17:09:41 +02:00
Aleksander Machniak
6652367d65 Fix XSS issue in href attribute on area tag (#5240, #5241) 2016-05-06 08:28:15 +02:00
Aleksander Machniak
0e77b6f1b3 Fix regression where xml mode could be used to parse xhtml messages causing empty result 2016-01-20 08:44:31 +01:00
Aleksander Machniak
ed1d212ae2 Improved SVG cleanup code 2016-01-16 09:03:51 +01:00
Aleksander Machniak
023d3eb031 Refactor wash_attribs() - fix regressions 2016-01-12 13:57:30 +01:00
Aleksander Machniak
a1fdb205f8 Extend rcube_washtml with SVG support 2016-01-09 18:26:09 +01:00
Aleksander Machniak
9234903287 Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583) 2015-11-05 08:46:43 +01:00