Hi, I've been working with Liam on the Apple Mail, multiple html tag issue.

Quoting Michael M Slusarz <slusarz <at> horde.org>:

> > Actually, I'm pretty sure that our HTML filter (specifically the preg
> > regex I just fixed a week or two ago) will prevent this message from
> > ever showing fully because it will purge all text after the 1st
> > closing html tag.
>

The xss filter (Text_Filter/Filter/xss.php) contains regular expressions which strip html and body tags and anything outside of them. I know it's not Horde's responsibility to write workarounds for every buggy mail client, but I think there is a small change that can be made to accommodate multiple html or body tags without affecting the level of xss protection.

The xss filter could comment out the html and body tags, instead of stripping them and everything outside:

<!--<html>-->Begin forwarded message:<!--</html>-->

I'm unclear on the benefit of stripping everything outside of the html tags if you've already commented them out. Making this change shouldn't allow a malicious user to get anything into the message that they couldn't otherwise.

Here's a small patch with my proposed changes:

RCS file: /repository/framework/Text_Filter/Filter/xss.php,v
retrieving revision 1.12
diff -r1.12 xss.php
75,76c75,76
< $patterns['/.*<(body|html)[^>]*>/si'] = '';
< $patterns['/<\/(body|html)>.*/si'] = '';
---
> $patterns['/(<body[^>]*>|<html[^>]*>)/si'] = '<!--\1--!>';
> $patterns['/(<\/(body|html)>)/si'] = '<!--\1--!>';

Thanks,
Ziba
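
Review bot: Both replacement strings on the two `>` lines close the comment with `--!>`, while the example in the message body uses `-->`; `--!>` is not the standard comment terminator, and parsers are not guaranteed to treat it as one, so an unterminated comment could hide the rest of the message, which is the original symptom. Use `'<!--\1-->'` if the tags are to be commented out. Separately, `\1` copies the matched tag, including any sender-supplied attribute text, into the output inside the comment, so the result depends on how the client parses a comment whose content the sender controls. Replacing the matched tags with `''` would still keep the text between multiple html or body blocks without emitting that text. Note also that the removed `<` lines discarded everything before the last opening tag and after the first closing tag (greedy `.*` with the `s` modifier), so content in those regions now reaches the output and is protected only by the other entries in `$patterns`; a test message with markup placed before the first `<html>` and after the last `</html>` would confirm the remaining patterns cover it.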