From 7e827dfcef090a19b467610b85cd898a4319a509 Mon Sep 17 00:00:00 2001
From: Klaus Leithoff
Date: Tue, 9 Oct 2012 09:27:13 +0000
Subject: [PATCH] filter/remove (on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload)) attributes in/with htmLawed for default and email config
---
 phpgwapi/inc/class.egw_htmLawed.inc.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/phpgwapi/inc/class.egw_htmLawed.inc.php b/phpgwapi/inc/class.egw_htmLawed.inc.php
index 27f335a947..be3512422d 100644
--- a/phpgwapi/inc/class.egw_htmLawed.inc.php
+++ b/phpgwapi/inc/class.egw_htmLawed.inc.php
@@ -172,10 +172,13 @@ function hl_my_tag_transform($element, $attribute_array=0)
 }
 */
+ // unwanted javascript
+ static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
 // Build the attributes string
 $attributes = '';
 foreach($attribute_array as $k=>$v){
- $attributes .= " {$k}=\"{$v}\"";
+ //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
+ if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
 }
 // Return the opening tag with attributes
@@ -259,6 +262,8 @@ function hl_email_tag_transform($element, $attribute_array=0)
 }
 if($element == 'a') {
+ //error_log(array2string($attribute_array));
+ if (strpos($attribute_array['href'],'denied:javascript')===0) $attribute_array['href']='';
 if (isset($attribute_array['name']) && isset($attribute_array['id'])) $attribute_array['id'] = $attribute_array['name'];
 if (strpos($attribute_array['href'],'@')!==false) $attribute_array['href'] = str_replace('@','%40',$attribute_array['href']);
 if (strpos($attribute_array['href'],'#')===0)
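Review bot: The filter on the `if (!preg_match($pregFindScript,$k))` line is a denylist of event names, so any handler attribute whose name is not in the alternation is still emitted together with its value; since every HTML event-handler attribute starts with `on` and no other standard attribute does, rejecting on the prefix is simpler and stays closed under new handler names, e.g. `if (stripos($k, 'on') === 0) continue;` in front of the original concatenation (or `static $pregFindScript = '/^on/i';`). The identical regex and loop are repeated in hl_email_tag_transform in the third hunk; one shared constant would keep the two filters from drifting apart. The commented-out `error_log` line refers to `$preg`, a variable that does not exist in this function, and should be dropped rather than committed as dead debug code. The value `{$v}` is still interpolated into the tag unescaped on the new line; whether htmLawed has already normalised attribute values before this hook runs cannot be seen from the hunk. hl_my_tag_transform begins before the hunk and its return statement follows it.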
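Review bot: The new `strpos($attribute_array['href'],'denied:javascript')===0` check reads `href` before confirming it is set, so an `<a>` that carries only `name`/`id` raises an undefined-index notice here (and `strpos(null, …)` is deprecated from PHP 8.1); the two pre-existing `strpos` lines below have the same gap, but the added line is now the first to hit it. It also clears only the `javascript` case, whereas other schemes htmLawed rejects presumably arrive with the same `denied:` prefix and are passed through verbatim; matching the prefix alone is uniform: `if (isset($attribute_array['href']) && strpos($attribute_array['href'],'denied:')===0) $attribute_array['href']='';`. The `//error_log(array2string($attribute_array));` line is debug residue and should not be committed. The enclosing `if($element == 'a')` block and hl_email_tag_transform both continue past the hunk.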
@@ -268,10 +273,13 @@ function hl_email_tag_transform($element, $attribute_array=0)
 }
+ // unwanted javascript
+ static $pregFindScript = '/\b(on(before)?(abort|blur|change|click|dblclick|error|focus|keydown|keypress|keyup|load|mousedown|mousemove|mouseout|mouseover|mouseup|reset|select|submit|unload))\b/i';
 // Build the attributes string
 $attributes = '';
 foreach($attribute_array as $k=>$v){
- $attributes .= " {$k}=\"{$v}\"";
+ //error_log(__METHOD__.__LINE__.' '.$k.'->'.preg_match($preg,$k));
+ if (!preg_match($pregFindScript,$k)) $attributes .= " {$k}=\"{$v}\"";
 }
 // Return the opening tag with attributes