diff --git a/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php b/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php
index 8e7169781..83c7bd6ef 100644
--- a/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php
+++ b/rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php
@@ -437,6 +437,17 @@ class HtmlUtils
 \MailSo\Base\HtmlUtils::FindLinksInDOM($oDom);
 }
+ $aNodes = $oDom->getElementsByTagName('*'); foreach ($aNodes as /* @var $oElement \DOMElement */ $oElement)
+ {
+ if (\in_array(\strtolower($oElement->tagName), array('svg', 'head', 'link',
+ 'base', 'meta', 'title', 'style', 'script', 'bgsound', 'keygen', 'source',
+ 'object', 'embed', 'applet', 'mocha', 'iframe', 'frame', 'frameset', 'video', 'audio')) && isset($oElement->parentNode))
+ {
+ @$oElement->parentNode->removeChild($oElement);
+ }
+ }
+
 $aNodes = $oDom->getElementsByTagName('*');
 foreach ($aNodes as /* @var $oElement \DOMElement */ $oElement)
 {
@@ -524,7 +535,8 @@ class HtmlUtils
 // }
 foreach (array(
- 'id', 'class', 'contenteditable', 'designmode', 'formaction', 'data-bind', 'xmlns'
+ 'id', 'class', 'contenteditable', 'designmode', 'formaction', 'data-bind', 'xmlns',
+ 'srcset'
 ) as $sAttr)
 {
 @$oElement->removeAttribute($sAttr);
@@ -552,6 +564,8 @@ class HtmlUtils
 if ($oElement->hasAttribute('src'))
 {
+// file_put_contents('f:/fff', $oElement->getAttribute('src')."\r\n", FILE_APPEND);
+
 $sSrc = \trim($oElement->getAttribute('src'));
 $oElement->removeAttribute('src');
diff --git a/rainloop/v/0.0.0/app/libraries/MailSo/Base/Utils.php b/rainloop/v/0.0.0/app/libraries/MailSo/Base/Utils.php
index f096b63ee..d933f160b 100644
--- a/rainloop/v/0.0.0/app/libraries/MailSo/Base/Utils.php
+++ b/rainloop/v/0.0.0/app/libraries/MailSo/Base/Utils.php
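Review bot: `getElementsByTagName('*')` returns a live `DOMNodeList`, and the new loop removes elements from the document while `foreach` is still walking that list; removing the current node during such an iteration is known to make the iterator skip the node that follows it, so two adjacent matched elements (say a `<script>` directly after a `<style>`) leave the second one in the document. Snapshot the list before mutating it, `$aNodes = \iterator_to_array($oDom->getElementsByTagName('*'));` (or walk it backwards), so every matched element is visited exactly once. The `@` on `removeChild` only silences notices and does not catch the `DOMException` the call can throw, so it adds nothing. The enclosing method starts and ends outside the hunk; the second loop visible at the end of the hunk iterates the same kind of live list and, if it also removes nodes, has the same problem.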
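Review bot: The commented-out `file_put_contents('f:/fff', ...)` line is debugging residue pointing at a developer's local drive and does not belong in the sanitizer; delete both added lines. A dormant hook that writes untrusted attribute values to disk is exactly the kind of line that gets uncommented later and forgotten. The enclosing function starts and ends outside the hunk.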
@@ -1043,8 +1043,19 @@ class Utils
 */
 public static function ClearFileName($sFileName)
 {
- return \preg_replace('/[\s]+/', ' ',
- \str_replace(array('"', '/', '\\', '*', '?', '<', '>', '|', ':'), ' ', $sFileName));
+ return \MailSo\Base\Utils::ClearNullBite(\preg_replace('/[\s]+/', ' ',
+ \str_replace(array('"', '/', '\\', '*', '?', '<', '>', '|', ':'), ' ', $sFileName)));
+ }
+
+ /**
+ * @param string $sValue
+ *
+ * @return string
+ */
+ public static function ClearXss($sValue)
+ {
+ return \MailSo\Base\Utils::ClearNullBite(
+ \str_replace(array('"', '/', '\\', '*', '?', '<', '>', '|', ':'), ' ', $sValue));
 }
 /**
diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php
index 75567eab0..27bf771ea 100644
--- a/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php
+++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php
@@ -6992,9 +6992,11 @@ class Actions
 'Folder' => $mResult['Folder'],
 'Uid' => $mResult['Uid'],
 'MimeType' => 'message/rfc822',
- 'FileName' => (0 === \strlen($sSubject) ? 'message-'.$mResult['Uid'] : $sSubject).'.eml'
+ 'FileName' => (0 === \strlen($sSubject) ? 'message-'.$mResult['Uid'] : \MailSo\Base\Utils::ClearXss($sSubject)).'.eml'
 ));
+
+ // Flags
 $aFlags = $mResponse->FlagsLowerCase();
 $mResult['IsSeen'] = \in_array('\\seen', $aFlags);
@@ -7177,7 +7179,8 @@ class Actions
 'Uid' => (string) $mResponse->Uid(),
 'MimeIndex' => (string) $mResponse->MimeIndex(),
 'MimeType' => $mResponse->MimeType(),
- 'FileName' => $mResponse->FileName(true),
+ 'FileName' => \MailSo\Base\Utils::ClearFileName(
+ \MailSo\Base\Utils::ClearXss($mResponse->FileName(true))),
 'EstimatedSize' => $mResponse->EstimatedSize(),
 'CID' => $mResponse->Cid(),
 'ContentLocation' => $mResponse->ContentLocation(),
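Review bot: `ClearXss` is a misleading name and its docblock does not say what the function actually does: it removes null bytes and replaces the nine filesystem-reserved characters `" / \ * ? < > | :` with spaces, which yields a safe file name but does not neutralize markup (`'`, `&`, `=`, `(`, `)` and whitespace all pass through), so callers still have to HTML-escape the value wherever it is rendered. Document it as `Replaces filesystem-reserved characters with spaces and strips null bytes; this is file-name cleaning, not output escaping.` and consider a name such as `ClearFileNameChars`. Since `ClearFileName` now does exactly this plus whitespace collapsing, have `ClearFileName` call the new helper instead of repeating the character list, so the two lists cannot drift apart.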
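Review bot: `ClearXss($sSubject)` only replaces a fixed character set, and the result is still untrusted text returned to the client, so the client-side rendering of `FileName` must HTML-escape it; this stripping is defense in depth, not the escaping itself. Within the hunk the cleaning is also applied only to the subject branch rather than to the whole file name, unlike the `-7177` hunk of this commit which wraps the complete name in `ClearFileName`; for consistency and whitespace collapsing use `'FileName' => \MailSo\Base\Utils::ClearFileName(0 === \strlen($sSubject) ? 'message-'.$mResult['Uid'] : $sSubject).'.eml'`. The enclosing method starts and ends outside the hunk.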
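Review bot: The inner `ClearXss` call is redundant here, because `ClearFileName` (see the Utils hunk of this commit) already performs the same `str_replace` with the same character list and calls `ClearNullBite`, so `'FileName' => \MailSo\Base\Utils::ClearFileName($mResponse->FileName(true)),` is equivalent and avoids a second pass. Note that this changes the attachment name the user sees and downloads (a `:` in the original name becomes a space), which is a reasonable trade-off but deserves a comment such as `// reserved characters replaced so the name is safe as a download file name`. The enclosing method starts and ends outside the hunk.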