amorfo77/sogo
1
0
Fork 0
mirror of https://github.com/inverse-inc/sogo.git synced 2026-03-22 23:02:43 +00:00
Code Issues Projects Releases Wiki Activity

fix(mail(html)): ban "javascript:" prefix in href, action and formaction

Browse Source
This commit is contained in:
Francis Lachapelle
2021-12-01 11:34:37 -05:00
parent 426b28eda7
commit 8afc80d82e
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
UI/MailPartViewers/UIxMailPartHTMLViewer.m
View File

@@ -520,10 +520,11 @@ _xmlCharsetForCharset (NSString *charset)
{
value = [_attributes valueAtIndex: count];
lowerValue = [value lowercaseString];
skipAttribute = ([lowerValue rangeOfString: @"://"].location == NSNotFound
&& ![lowerValue hasPrefix: @"mailto:"]
&& ![lowerValue hasPrefix: @"#"]) ||
[lowerValue hasPrefix: @"javascript:"];
skipAttribute =
([lowerValue rangeOfString: @"://"].location == NSNotFound
&& ![lowerValue hasPrefix: @"mailto:"]
&& ![lowerValue hasPrefix: @"#"])
|| [lowerValue rangeOfString: @"javascript:"].location != NSNotFound;
if (!skipAttribute)
[resultPart appendString: @" rel=\"noopener\""];
}