extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2024-12-27 09:09:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

filter/remove (on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload)) attributes in/with htmLawed for default and email config

Browse Source
This commit is contained in:
Klaus Leithoff 2012-10-09 09:27:13 +00:00
parent f5a1cd5ded
commit 7e827dfcef
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
phpgwapi/inc/class.egw_htmLawed.inc.php
View File

@ -172,10 +172,13 @@ function hl_my_tag_transform($element, $attribute_array=0)
} }
*/ */
// unwanted javascript
static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
// Build the attributes string // Build the attributes string
$attributes = ''; $attributes = '';
foreach($attribute_array as $k=>$v){ foreach($attribute_array as $k=>$v){
$attributes .= " {$k}=\"{$v}\""; //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
} }
// Return the opening tag with attributes // Return the opening tag with attributes
@ -259,6 +262,8 @@ function hl_email_tag_transform($element, $attribute_array=0)
} }
if($element == 'a') if($element == 'a')
{ {
//error_log(array2string($attribute_array));
if (strpos($attribute_array['href'],'denied:javascript')===0) $attribute_array['href']='';
if (isset($attribute_array['name']) && isset($attribute_array['id'])) $attribute_array['id'] = $attribute_array['name']; if (isset($attribute_array['name']) && isset($attribute_array['id'])) $attribute_array['id'] = $attribute_array['name'];
if (strpos($attribute_array['href'],'@')!==false) $attribute_array['href'] = str_replace('@','%40',$attribute_array['href']); if (strpos($attribute_array['href'],'@')!==false) $attribute_array['href'] = str_replace('@','%40',$attribute_array['href']);
if (strpos($attribute_array['href'],'#')===0) if (strpos($attribute_array['href'],'#')===0)
@ -268,10 +273,13 @@ function hl_email_tag_transform($element, $attribute_array=0)
} }
// unwanted javascript
static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
// Build the attributes string // Build the attributes string
$attributes = ''; $attributes = '';
foreach($attribute_array as $k=>$v){ foreach($attribute_array as $k=>$v){
$attributes .= " {$k}=\"{$v}\""; //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
} }
// Return the opening tag with attributes // Return the opening tag with attributes