From 5fc0e88b68f1beeadd8977befb8db13057f7a376 Mon Sep 17 00:00:00 2001 From: Klaus Leithoff Date: Thu, 17 Mar 2016 09:29:54 +0000 Subject: [PATCH] fix issues with new namespaces / translation class moved to new api/src location --- api/src/Html/HtmLawed.php | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/api/src/Html/HtmLawed.php b/api/src/Html/HtmLawed.php index 58020891e7..e4d88d1783 100644 --- a/api/src/Html/HtmLawed.php +++ b/api/src/Html/HtmLawed.php @@ -11,6 +11,8 @@ */ namespace EGroupware\Api\Html; +use EGroupware\Api; +use translation; require_once(__DIR__.'/htmLawed/htmLawed.php'); @@ -136,7 +138,7 @@ class HtmLawed { //error_log(__METHOD__.__LINE__.array2string($newStyle[0])); $style2buffer = implode('',$newStyle[0]); - // only replace what we have found, we use it here, as we use the same routine in Translation::replaceTagsCompletley + // only replace what we have found, we use it here, as we use the same routine in translation::replaceTagsCompletley // no need to do the extra routine $html = str_ireplace($newStyle[0],'',$html); } @@ -149,7 +151,7 @@ class HtmLawed if ($test=="null" && strlen($style2buffer)>0) { // this should not be needed, unless something fails with charset detection/ wrong charset passed - error_log(__METHOD__.__LINE__.' Found Invalid sequence for utf-8 in CSS:'.$style2buffer.' Carset Detected:'.Translation::detect_encoding($style2buffer)); + error_log(__METHOD__.__LINE__.' Found Invalid sequence for utf-8 in CSS:'.$style2buffer.' Carset Detected:'.Api\Translation::detect_encoding($style2buffer)); $style2buffer = utf8_encode($style2buffer); } } @@ -165,15 +167,15 @@ class HtmLawed // CSS Security // http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets $css = preg_replace('/(javascript|expession|-moz-binding)/i','',$style); - if (stripos($css,'script')!==false) Translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included + if (stripos($css,'script')!==false) translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included // we need this, as styledefinitions are enclosed with curly brackets; and template stuff tries to replace everything between curly brackets that is having no horizontal whitespace // as the comments as in stylesheet are outdated, and ck-editor does not understand it, we remove it $css_no_comment = str_replace(array(':',''),array(': ','',''),$css); //error_log(__METHOD__.__LINE__.$css); - // we already removed what we have found, above, as we used pretty much the same routine as in Translation::replaceTagsCompletley + // we already removed what we have found, above, as we used pretty much the same routine as in translation::replaceTagsCompletley // no need to do the extra routine // TODO: we may have to strip urls and maybe comments and ifs - //if (stripos($html,'style')!==false) Translation::replaceTagsCompletley($html,'style'); // clean out empty or pagewide style definitions / left over tags + //if (stripos($html,'style')!==false) translation::replaceTagsCompletley($html,'style'); // clean out empty or pagewide style definitions / left over tags return $css_no_comment; } @@ -389,17 +391,21 @@ function hl_email_tag_transform($element, $attribute_array=0) if (!isset($attribute_array['title'])) $attribute_array['title']=$attribute_array['alt']; $attribute_array['src']=common::image('phpgwapi','dialog_error'); } - if (!$GLOBALS['egw_info']['user']['preferences']['mail']['allowExternalIMGs']) + if (!preg_match('/^cid:.*/',$attribute_array['src'])) { - if (!preg_match('/^cid:.*/',$attribute_array['src'])) + if (!$GLOBALS['egw_info']['user']['preferences']['mail']['allowExternalIMGs']) { - $attribute_array['alt']= $attribute_array['alt'].' [blocked external image:'.$attribute_array['src'].']'; - if (!isset($attribute_array['title'])) $attribute_array['title']=$attribute_array['alt']; - $attribute_array['src']=common::image('mail','no-image-shown'); - $attribute_array['border'] = 1; - if ($attribute_array['style']) + //the own webserver url is not external, so it should be allowed + if (empty($GLOBALS['egw_info']['server']['webserver_url'])||!preg_match("$^".$GLOBALS['egw_info']['server']['webserver_url'].".*$",$attribute_array['src'])) { - if (stripos($attribute_array['style'],'border')!==false) $attribute_array['style'] = preg_replace('~border(:|-left:|-right:|-bottom:|-top:)+ (0px)+ (none)+;~si','',$attribute_array['style']); + $attribute_array['alt']= $attribute_array['alt'].' [blocked external image:'.$attribute_array['src'].']'; + if (!isset($attribute_array['title'])) $attribute_array['title']=$attribute_array['alt']; + $attribute_array['src']=common::image('mail','no-image-shown'); + $attribute_array['border'] = 1; + if ($attribute_array['style']) + { + if (stripos($attribute_array['style'],'border')!==false) $attribute_array['style'] = preg_replace('~border(:|-left:|-right:|-bottom:|-top:)+ (0px)+ (none)+;~si','',$attribute_array['style']); + } } } }