Fix for bug #2721

2026-03-02 13:46:23 +00:00 · 2014-04-23 09:22:20 -04:00
parent 49363cfe36
commit 619cb2c0ec
3 changed files with 16 additions and 7 deletions
--- a/UI/MailPartViewers/UIxMailPartHTMLViewer.m
+++ b/UI/MailPartViewers/UIxMailPartHTMLViewer.m
@@ -559,6 +559,13 @@ static NSData* _sanitizeContent(NSData *theData)
                                   && ![value hasPrefix: @"mailto:"]
                                   && ![value hasPrefix: @"#"]);
                }
+              // Avoid: <div style="background:url('http://www.sogo.nu/fileadmin/sogo/logos/sogo.bts.png' ); width: 200px; height: 200px;" title="ssss">
+              else if ([name isEqualToString: @"style"])
+                {
+                  value = [_attributes valueAtIndex: count];
+                  if ([value rangeOfString: @"url" options: NSCaseInsensitiveSearch].location != NSNotFound)
+                    name = [NSString stringWithFormat: @"unsafe-%@", name];
+                }
 	      else if (
 		       // Mouse Events
 		       [name isEqualToString: @"onclick"] ||
@@ -594,12 +601,13 @@ static NSData* _sanitizeContent(NSData *theData)
 		}
              else
                value = [_attributes valueAtIndex: count];
+              
              if (!skipAttribute)
                [resultPart appendFormat: @" %@=\"%@\"",
                            name, [value stringByReplacingString: @"\""
                                                      withString: @"\\\""]];
            }
-
+          
          if ([VoidTags containsObject: lowerName])
            [resultPart appendString: @"/"];
          [resultPart appendString: @">"];
@@ -686,16 +694,16 @@ static NSData* _sanitizeContent(NSData *theData)
        [self _appendStyle: _chars length: _len];
      else if (inBody)
        {
-	  NSString *tmpString;
+	  NSString *s;
  
-          tmpString = [NSString stringWithCharacters: _chars length: _len];
+          s = [NSString stringWithCharacters: _chars length: _len];

 	  // HACK: This is to avoid appending the useless junk in the <html> tag
 	  //       that Outlook adds. It seems to confuse the XML parser for
 	  //       forwarded messages as we get this in the _body_ of the email
 	  //       while we really aren't in it!
-	  if (![tmpString hasPrefix: @" xmlns:v=\"urn:schemas-microsoft-com:vml\""])
-	    [result appendString: [tmpString stringByEscapingHTMLString]];
+	  if (![s hasPrefix: @" xmlns:v=\"urn:schemas-microsoft-com:vml\""])
+	    [result appendString: [s stringByEscapingHTMLString]];
        }
    }
 }