Quoting Ziba Scott <[EMAIL PROTECTED]>:

> Hi,
>
> I've been working with Liam on the Apple Mail, multiple html tag issue.
>
> Quoting Michael M Slusarz <slusarz <at> horde.org>:
>
>> > Actually, I'm pretty sure that our HTML filter (specifically the preg
>> > regex I just fixed a week or two ago) will prevent this message from
>> > ever showing fully because it will purge all text after the 1st
>> > closing html tag.
>> >
>
> The xss filter (Text_Filter/Filter/xss.php) contains regular expressions
> which strip html and body tags and anything outside of them.
>
> I know it's not Horde's responsibility to write workarounds for every
> buggy mail client, but I think there is a small change that can be made
> to accommodate multiple html or body tags without affecting the level of
> xss protection.
>
> The xss filter could comment out the html and body tags, instead of
> stripping them and everything outside:
> <!--<html>-->Begin forwarded message:<!--</html>-->
>
> I'm unclear on the benefit of stripping everything outside of the html
> tags if you've already commented them out. Making this change shouldn't
> allow a malicious user to get anything into the message that they
> couldn't otherwise.
>
> Here's a small patch with my proposed changes:
>
> RCS file: /repository/framework/Text_Filter/Filter/xss.php,v > retrieving revision 1.12 > diff -r1.12 xss.php > 75,76c75,76 > < $patterns['/.*<(body|html)[^>]*>/si'] = ''; > < $patterns['/<\/(body|html)>.*/si'] = ''; > --- >> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>'; >> $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';
>
> Thanks,
> Ziba
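Review bot: both replacement strings on the new side of the 75,76c75,76 change close the comment with `--!>`, while the example earlier in the message closes it with `-->`. `--!>` is not the standard comment terminator, so whether the comment ends there depends on the parser, and a comment left open could hide the rest of the message; `'<!--\1-->'` matches the behaviour the message describes. Separately, `\1` copies the matched tag, attributes included, from the message into the comment, so a comment terminator inside an attribute would end the comment early; replacing the tag with a fixed string instead of `\1` avoids depending on the tag's contents. Because text before the first opening tag and after the closing tag is no longer removed, it is also worth confirming that the filter's other patterns run over that text.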
Just so this doesn't get lost, could you put this information in a ticket (http://bugs.horde.org/)? Thanks.

michael

--
___________________________________
Michael Slusarz [EMAIL PROTECTED]
