Mirrors/roundcubemail
2
0
Fork 0
mirror of https://github.com/roundcube/roundcubemail.git synced 2026-03-03 23:04:01 +01:00
Code Issues Packages Projects Releases Wiki Activity
12,379 Commits 72 Branches 205 Tags
ed4dc2139dd5c6cbf1732b1bf2ec45dfd35a178a
Commit Graph

49 Commits

Author SHA1 Message Date
Aleksander Machniak
89e54718ca Migration to PHPUnit v9 2021-07-25 11:07:56 +02:00
Aleksander Machniak
2f42fa2eaf Fix HTML5 parser issue with a messy HTML code from Outlook (#7356) 2021-04-05 10:39:00 +02:00
Aleksander Machniak
f4ed1024dc PHP8 fixes, CS fixes, short array syntax, tests 2020-12-02 20:15:00 +01:00
Aleksander Machniak
545a1569f1 Steps -> Actions refactoring (#7688) 
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
 2020-11-01 11:25:38 +01:00
Aleksander Machniak
bde383d051 PHP8: Fix various issues 
for now only these I found by running our unit tests, there will be much more
 2020-10-11 10:32:41 +02:00
Aleksander Machniak
d81b8447fb Fix empty output from HTML5 parser when content contains XML tag (#7624) 2020-09-23 15:15:02 +02:00
Aleksander Machniak
ec4cc29c88 Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content 2020-08-09 18:02:16 +02:00
Achim Leitner
8e0ee8b1c4 Fix: Keep children of object tag (#6453) 
The HTML tag <object> optionally has embedded (child) tags that serve as an
alternative (fallback) HTML representation for the object. Of course, the
object and its parameters are considered harmful in HTML mail, but the
alternative representation is meant for exactly this kind of situation. They
should display the object contents without loading possibly insecure code.

- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets
  cleaned through $void_elements, they get ignored anyway, without removing the
  valuable child nodes.

Co-authored-by: root <root@coreboso-kolab.coreboso.de>
 2020-08-07 11:06:14 +02:00
Aleksander Machniak
17deadfe56 Fix handling links without defined protocol (#7454) 2020-07-29 15:17:48 +02:00
Aleksander Machniak
0d9bffa878 Fix incorrect rewriting of internal links in HTML content (#7512) 2020-07-29 14:19:02 +02:00
Aleksander Machniak
32a7709ddf Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace 
Credits to SSD Secure Disclosure (https://ssd-disclosure.com/)
 2020-07-03 11:29:50 +02:00
Aleksander Machniak
87e4cd0cf2 Fix XSS issue in handling of CDATA in HTML messages 2020-04-26 07:59:47 +02:00
Aleksander Machniak
47d9ed6d0c Add support for PHPUnit 6 and 7 (#6870) 
Fixes composer dependencies: Package phpunit/phpunit-mock-objects is abandoned

We cannot support v8 yet because of errors like:
Declaration of MailFunc::setUp() must be compatible with PHPUnit\Framework\TestCase::setUp(): void
It would require dropping PHP < 7.1 support.
 2019-12-28 09:37:45 +01:00
Aleksander Machniak
cf90c69ad7 Fix bug where 'text' attribute on body tag was ignored when displaying HTML message (#7109) 2019-12-14 17:42:55 +01:00
Aleksander Machniak
21ebf3ff5a Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896) 2019-08-27 15:57:47 +02:00
Aleksander Machniak
55cca61134 Workaround more invalid HTML cases parsed incorrectly by Mastermind/HTML5 (#6713) 2019-04-28 12:43:10 +02:00
Aleksander Machniak
92ed0154d5 Followup fix on handling HTML content w/o html/head/body tag (#6713) 2019-04-15 09:25:12 +02:00
Aleksander Machniak
03d56926d8 Fix bug in HTML parser that could cause missing text fragments when there was no head/body tag (#6713) 2019-04-14 09:53:02 +02:00
dsoares
00cc13a1b9 Fix bug where HTML messages with a xml:namespace tag were not rendered. 2019-03-26 15:10:43 +00:00
Aleksander Machniak
0a0ac045fe Fix bug where valid content between HTML comments could have been skipped in some cases (#6464) 2018-09-27 16:00:54 +02:00
Aleksander Machniak
086e781b8f Fix bug where some HTML comments could have been malformed by HTML parser (#6333) 2018-06-22 14:16:20 +02:00
Aleksander Machniak
0716d499bc Fix bug where some escape sequences in html styles could bypass security checks 2018-05-05 17:12:18 +02:00
Aleksander Machniak
63d3ad11fb Use Masterminds/HTML5 parser for HTML5 support (#5761) 2018-04-21 13:14:42 +02:00
Aleksander Machniak
5e08a6ac59 Handle remote stylesheets the same as remote images, ask the user to allow them (#5994) 
Fixes the issue where remote stylesheet could have been blocked
if the message contained no remote images and user have no way to
allow that content.
 2017-10-13 12:48:13 +02:00
Aleksander Machniak
3196d656db Fix css conflicts in user interface and e-mail content (#5891) 
... by adding prefix to element/class identifiers
Also cleaned up some code and removed global variable use.
 2017-10-12 10:48:54 +02:00
Thomas Bruederli
919338d4ba Escape textarea contents in Washtml 2017-08-18 09:49:54 +02:00
Aleksander Machniak
e08f22ef28 Fix bug where external content in src attribute of input/video tags was not secured (#5583) 2017-01-07 20:00:18 +01:00
Aleksander Machniak
dcabc1d814 Merge remote-tracking branch 'upstream/master' 
Conflicts:
	tests/Framework/Washtml.php
 2016-07-31 09:26:19 +02:00
Aleksander Machniak
bf5b3072c4 Fix MathML test on older PHP versions 2016-07-18 11:19:53 +02:00
Aleksander Machniak
edfd9da42a Support MathML in HTML message preview (#5182) 2016-07-17 11:15:37 +02:00
Aleksander Machniak
6737e293bb Wash position:fixed style in HTML mail for better security (#5264) 2016-05-29 17:09:41 +02:00
Aleksander Machniak
ca9ad75d96 Add some more tests for HREF attribute washing 2016-05-08 10:06:24 +02:00
Aleksander Machniak
6652367d65 Fix XSS issue in href attribute on area tag (#5240, #5241) 2016-05-06 08:28:15 +02:00
Aleksander Machniak
ed1d212ae2 Improved SVG cleanup code 2016-01-16 09:03:51 +01:00
Aleksander Machniak
9234903287 Fix HTML sanitizer to skip <!-- node type X --> in output (#1490583) 2015-11-05 08:46:43 +01:00
Aleksander Machniak
f4c512336d Fix "washing" of style elements wrapped into many lines 2015-08-10 10:17:05 +02:00
Aleksander Machniak
786aa0725e Fix XSS issue in style attribute handling (#1490227) 2015-01-13 09:41:41 +01:00
Aleksander Machniak
5bf83d551e Fix unintentional line-height style modification in HTML messages (#1489917) 2014-05-27 14:44:52 +02:00
Aleksander Machniak
82ed256f6e Fix incorrect handling of HTML comments in messages sanitization code (#1489904) 2014-05-20 19:25:45 +02:00
Aleksander Machniak
f96fec6b8c Fix "washing" of unicoded style attributes (#1489777) 2014-04-11 09:13:59 +02:00
Aleksander Machniak
5e3ee8418e Add test case for #1489777 2014-04-08 12:29:59 +02:00
Aleksander Machniak
68cf8f19d2 Add some tests 2014-03-18 11:12:08 +01:00
Aleksander Machniak
c7250749ab Fix issue where deprecated syntax for HTML lists was not handled properly (#1488768) 2013-12-28 19:14:51 +01:00
Aleksander Machniak
ffec857b69 Fix handling of invalid closing tags in HTML messages (#1489446) 2013-11-28 09:12:03 +01:00
Aleksander Machniak
cb3e2fe0c2 Fix displaying messages with invalid self-closing HTML tags (#1489137) 2013-05-31 15:42:22 +02:00
Aleksander Machniak
f773259412 Fix washtml test after "unsupported node type" fix 2013-05-25 20:38:04 +02:00
Aleksander Machniak
1e2468e4b9 Added two tests for HTML comments handling in rcube_washtml class 2013-03-22 10:24:32 +01:00
Aleksander Machniak
1f910cb50d Fix handling link href attribute value with (valid) newline characters (#1488940) 2013-02-01 20:04:00 +01:00
Aleksander Machniak
7ac94421bf Move washtml class into Roundcube Framework (rcube_washtml), add some improvements 2012-12-25 18:06:17 +01:00