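/**
 * This is a wrapper function to call html sanitizing routines.
 *
 * Builds the deny-lists handed to sq_sanitize(): tags removed outright,
 * tags removed together with their content, attribute names dropped, and
 * attribute-value rewrites that neutralise script-bearing URIs and CSS.
 * Unless the request carries view_unsafe_images, remote http/https image
 * references are additionally rewritten to a local placeholder image.
 *
 * Globals touched: $attachment_common_show_images is forced to false,
 * $view_unsafe_images is read from the GET request, and
 * $has_unsafe_images is set to true when the placeholder image shows up
 * in the sanitized output (it is never reset to false here).
 *
 * @param  $body     the body of the message
 * @param  $id       the id of the message
 * @param  $message  the message; passed through to sq_sanitize()
 * @param  $mailbox  the mailbox the message lives in; passed through to
 *                   sq_sanitize() (optional; default = 'INBOX')
 * @return           a string with html safe to display in the browser.
 */
function magicHTML($body, $id, $message, $mailbox = 'INBOX')
{
    global $attachment_common_show_images, $view_unsafe_images, $has_unsafe_images;

    /**
     * Don't display attached images in HTML mode.
     */
    $attachment_common_show_images = false;

    // Tags dropped from the output. NOTE(review): the leading false appears
    // to tell sq_sanitize() this is a removal list rather than an allow list
    // -- confirm against sq_sanitize().
    $tag_list = array(false, "object", "meta", "html", "head", "base", "link",
                      "frame", "iframe", "plaintext", "marquee");
    // Tags dropped together with everything between their open and close tag.
    $rm_tags_with_content = array("script", "applet", "embed", "title", "frameset", "xmp", "xml");
    // Tags that never carry content and so need no closing tag.
    $self_closing_tags = array("img", "br", "hr", "input", "outbind");
    $force_tag_closing = true;

    // Attributes removed from every tag: target, all on* event handlers, the
    // IE-only dynsrc/lowsrc image sources and any data* attribute.
    $rm_attnames = array("/.*/" => array("/target/i", "/^on.*/i", "/^dynsrc/i", "/^data.*/i", "/^lowsrc.*/i"));

    // Placeholder substituted for image references that were rewritten away.
    $secremoveimg = "../images/" . _("sec_remove_eng.png");

    // Attribute-value rewrites, keyed by tag pattern, then attribute pattern,
    // each mapping a list of value patterns to a parallel list of
    // replacements:
    //  - src/background: javascript:/mocha:/about: style URIs become the
    //    placeholder image (quotes preserved via \1 and \2);
    //  - href/action: the same URI schemes become "#";
    //  - style: CSS comments are stripped; expression/binding/behavio(u)r/
    //    include-source/absolute positioning are replaced by an inert token;
    //    backslash-escaped spellings of "url" are normalised to "url" so the
    //    following url(...) patterns can match, and script-bearing url()
    //    values are pointed at "#".
    $bad_attvals = array("/.*/" => array(
        "/^src|background/i" => array(
            array("/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                  "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                  "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si"),
            array("\\1{$secremoveimg}\\2", "\\1{$secremoveimg}\\2", "\\1{$secremoveimg}\\2")),
        "/^href|action/i" => array(
            array("/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                  "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                  "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si"),
            array("\\1#\\1", "\\1#\\1", "\\1#\\1")),
        "/^style/i" => array(
            array("/\\/\\*.*\\*\\//",
                  "/expression/i",
                  "/binding/i",
                  "/behaviou*r/i",
                  "/include-source/i",
                  "/position\\s*:\\s*absolute/i",
                  "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
                  "/url\\s*\\(\\s*([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])\\s*\\)/si",
                  "/url\\s*\\(\\s*([\\'\"])\\s*mocha\\s*:.*([\\'\"])\\s*\\)/si",
                  "/url\\s*\\(\\s*([\\'\"])\\s*about\\s*:.*([\\'\"])\\s*\\)/si",
                  "/(.*)\\s*:\\s*url\\s*\\(\\s*([\\'\"]*)\\s*\\S+script\\s*:.*([\\'\"]*)\\s*\\)/si"),
            array("", "idiocy", "idiocy", "idiocy", "idiocy", "idiocy", "url",
                  "url(\\1#\\1)", "url(\\1#\\1)", "url(\\1#\\1)", "\\1:url(\\2#\\3)"))));

    // Unsafe (remote) images are off unless the URL explicitly enables them.
    if (!sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET)) {
        $view_unsafe_images = false;
    }
    if (!$view_unsafe_images) {
        /**
         * Remove any references to http/https if view_unsafe_images set
         * to false. Only the http/https schemes are matched here; other
         * schemes are left to the patterns above.
         */
        $bad_attvals['/.*/']['/^src|background/i'][0][] = '/^([\'\\"])\\s*https*:.*([\'\\"])/si';
        $bad_attvals['/.*/']['/^src|background/i'][1][] = "\\1{$secremoveimg}\\1";
        $bad_attvals['/.*/']['/^style/i'][0][] = '/url\\([\'\\"]?https?:[^\\)]*[\'\\"]?\\)/si';
        $bad_attvals['/.*/']['/^style/i'][1][] = "url(\\1{$secremoveimg}\\1)";
    }

    // Every <a> gets target=_blank and an explanatory title (the author's
    // own target attribute is in $rm_attnames above).
    $add_attr_to_tag = array("/^a\$/i" => array(
        'target' => '"_blank"',
        'title'  => '"' . _("This external link will open in a new window") . '"'));

    $trusted = sq_sanitize($body, $tag_list, $rm_tags_with_content, $self_closing_tags,
                           $force_tag_closing, $rm_attnames, $bad_attvals, $add_attr_to_tag,
                           $message, $id, $mailbox);

    // strpos() returns 0 (falsy) when the placeholder is the very first thing
    // in the output, so the result must be compared against false explicitly.
    if (strpos($trusted, $secremoveimg) !== false) {
        $has_unsafe_images = true;
    }
    return $trusted;
}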
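/**
 * This is a wrapper function to call html sanitizing routines.
 *
 * Builds the deny-lists handed to sq_sanitize(): tags removed outright,
 * tags removed together with their content, attribute names dropped, and
 * attribute-value rewrites that neutralise script-bearing URIs and CSS.
 * Unless the request carries view_unsafe_images, remote http/https image
 * references are additionally rewritten to a local placeholder image.
 * Optionally, mailto: links in the sanitized output are rewritten into
 * internal compose links.
 *
 * Globals touched: $attachment_common_show_images is forced to false,
 * $use_transparent_security_image selects the placeholder image,
 * $view_unsafe_images is read from the GET request, $has_unsafe_images is
 * set to true when the placeholder shows up in the output (never reset
 * here), $MailTo_PReg_Match is read (it is defined by
 * functions/url_parser.php, which must already be loaded when
 * $take_mailto_links is true) and $compose_new_win is temporarily zeroed
 * around each makeComposeLink() call.
 *
 * @param  $body     the body of the message
 * @param  $id       the id of the message
 * @param  $message  the message; passed through to sq_sanitize()
 * @param  $mailbox  the mailbox the message lives in; passed through to
 *                   sq_sanitize() (optional; default = 'INBOX')
 * @param  boolean $take_mailto_links When TRUE, converts mailto: links
 *                                    into internal SM compose links
 *                                    (optional; default = TRUE)
 * @return           a string with html safe to display in the browser.
 */
function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links = true)
{
    global $attachment_common_show_images, $view_unsafe_images, $has_unsafe_images;
    global $use_transparent_security_image;

    /**
     * Don't display attached images in HTML mode.
     *
     * SB: why?
     */
    $attachment_common_show_images = false;

    // Tags dropped from the output. NOTE(review): the leading false appears
    // to tell sq_sanitize() this is a removal list rather than an allow list
    // -- confirm against sq_sanitize().
    $tag_list = array(false, "object", "meta", "html", "head", "base", "link",
                      "frame", "iframe", "plaintext", "marquee");
    // Tags dropped together with everything between their open and close tag.
    $rm_tags_with_content = array("script", "applet", "embed", "title", "frameset", "xmp", "xml");
    // Tags that never carry content and so need no closing tag.
    $self_closing_tags = array("img", "br", "hr", "input", "outbind");
    $force_tag_closing = true;

    // Attributes removed from every tag: target, all on* event handlers, the
    // IE-only dynsrc/lowsrc image sources and any data* attribute.
    $rm_attnames = array("/.*/" => array("/target/i", "/^on.*/i", "/^dynsrc/i", "/^data.*/i", "/^lowsrc.*/i"));

    // Placeholder substituted for image references that were rewritten away:
    // either an invisible spacer or a visible "removed" marker.
    if ($use_transparent_security_image) {
        $secremoveimg = '../images/spacer.png';
    } else {
        $secremoveimg = '../images/' . _("sec_remove_eng.png");
    }

    // Attribute-value rewrites, keyed by tag pattern, then attribute pattern,
    // each mapping a list of value patterns to a parallel list of
    // replacements:
    //  - src/background: javascript:/mocha:/about: style URIs become the
    //    placeholder image (quotes preserved via \1 and \2);
    //  - href/action: the same URI schemes become "#";
    //  - style: CSS comments are stripped; expression/binding/behavio(u)r/
    //    include-source and any "position:" are replaced by an inert token;
    //    backslash-escaped spellings of "url" are normalised to "url" so the
    //    following url(...) patterns can match, and script-bearing url()
    //    values are pointed at "#".
    $bad_attvals = array("/.*/" => array(
        "/^src|background/i" => array(
            array("/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                  "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                  "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si"),
            array("\\1{$secremoveimg}\\2", "\\1{$secremoveimg}\\2", "\\1{$secremoveimg}\\2")),
        "/^href|action/i" => array(
            array("/^([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])/si",
                  "/^([\\'\"])\\s*mocha\\s*:*.*([\\'\"])/si",
                  "/^([\\'\"])\\s*about\\s*:.*([\\'\"])/si"),
            array("\\1#\\1", "\\1#\\1", "\\1#\\1")),
        "/^style/i" => array(
            array("/\\/\\*.*\\*\\//",
                  "/expression/i",
                  "/binding/i",
                  "/behaviou*r/i",
                  "/include-source/i",
                  "/position\\s*:/i",
                  "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
                  "/url\\s*\\(\\s*([\\'\"])\\s*\\S+script\\s*:.*([\\'\"])\\s*\\)/si",
                  "/url\\s*\\(\\s*([\\'\"])\\s*mocha\\s*:.*([\\'\"])\\s*\\)/si",
                  "/url\\s*\\(\\s*([\\'\"])\\s*about\\s*:.*([\\'\"])\\s*\\)/si",
                  "/(.*)\\s*:\\s*url\\s*\\(\\s*([\\'\"]*)\\s*\\S+script\\s*:.*([\\'\"]*)\\s*\\)/si"),
            array("", "idiocy", "idiocy", "idiocy", "idiocy", "idiocy", "url",
                  "url(\\1#\\1)", "url(\\1#\\1)", "url(\\1#\\1)", "\\1:url(\\2#\\3)"))));

    // If there's no "view_unsafe_images" variable in the URL, turn unsafe
    // images off by default.
    sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
    if (!$view_unsafe_images) {
        /**
         * Remove any references to http/https if view_unsafe_images set
         * to false. Only the http/https schemes are matched here; other
         * schemes are left to the patterns above.
         */
        $bad_attvals['/.*/']['/^src|background/i'][0][] = '/^([\'\\"])\\s*https*:.*([\'\\"])/si';
        $bad_attvals['/.*/']['/^src|background/i'][1][] = "\\1{$secremoveimg}\\1";
        $bad_attvals['/.*/']['/^style/i'][0][] = '/url\\([\'\\"]?https?:[^\\)]*[\'\\"]?\\)/si';
        $bad_attvals['/.*/']['/^style/i'][1][] = "url(\\1{$secremoveimg}\\1)";
    }

    // Every <a> gets target=_blank and an explanatory title (the author's
    // own target attribute is in $rm_attnames above).
    $add_attr_to_tag = array("/^a\$/i" => array(
        'target' => '"_blank"',
        'title'  => '"' . _("This external link will open in a new window") . '"'));

    $trusted = sq_sanitize($body, $tag_list, $rm_tags_with_content, $self_closing_tags,
                           $force_tag_closing, $rm_attnames, $bad_attvals, $add_attr_to_tag,
                           $message, $id, $mailbox);

    // strpos() returns 0 (falsy) when the placeholder is the very first thing
    // in the output, so the result must be compared against false explicitly.
    if (strpos($trusted, $secremoveimg) !== false) {
        $has_unsafe_images = true;
    }

    // we want to parse mailto's in HTML output, change to SM compose links
    // this is a modified version of code from url_parser.php... but Marc is
    // right: we need a better filtering implementation; adding this randomly
    // here is not a great solution
    //
    if ($take_mailto_links) {
        // parseUrl($trusted) is not used here: it also parses URLs inside of
        // tags, which is too aggressive for already-sanitized markup.
        global $MailTo_PReg_Match, $compose_new_win;

        // $MailTo_PReg_Match (from functions/url_parser.php) starts at the
        // delimiter; build the scheme-prefixed pattern in a LOCAL variable.
        // The original assigned it back to the global, so every further call
        // in the same request prepended another "mailto:" to the pattern and
        // it stopped matching.
        $mailto_preg_match = '/mailto:' . substr($MailTo_PReg_Match, 1);

        if (preg_match_all($mailto_preg_match, $trusted, $regs) && $regs[0][0] !== '') {
            foreach ($regs[0] as $i => $mailto_before) {
                // NOTE(review): group 1 is taken to be the address before '?'
                // and group 10 the query string; this relies on the group
                // layout of the pattern in url_parser.php -- confirm if that
                // pattern changes.
                $mailto_params = $regs[10][$i];

                // get rid of any tailing quote since we have to add send_to to the end
                //
                if (substr($mailto_before, -1) === '"') {
                    $mailto_before = substr($mailto_before, 0, -1);
                }
                if (substr($mailto_params, -1) === '"') {
                    $mailto_params = substr($mailto_params, 0, -1);
                }

                if ($regs[1][$i] !== '') {
                    //if there is an email addr before '?', we need to merge it with the params
                    $to = 'to=' . $regs[1][$i];
                    if (strpos($mailto_params, 'to=') !== false) {
                        //already a 'to=': put ours first, comma-separated
                        $mailto_params = str_replace('to=', $to . '%2C%20', $mailto_params);
                    } elseif ($mailto_params !== '') {
                        //already some params, append to them
                        $mailto_params .= '&' . $to;
                    } else {
                        $mailto_params .= '?' . $to;
                    }
                }

                // map mailto query keys onto the compose page's parameter names
                $url_str = preg_replace(array('/to=/i', '/(?<!b)cc=/i', '/bcc=/i'),
                                        array('send_to=', 'send_to_cc=', 'send_to_bcc='),
                                        $mailto_params);

                // we'll already have target=_blank, no need to allow comp_in_new
                // here (which would be a lot more work anyway); restore the
                // user's setting right after the call
                //
                $temp_comp_in_new = $compose_new_win;
                $compose_new_win = 0;
                $comp_uri = makeComposeLink('src/compose.php' . $url_str, $mailto_before);
                $compose_new_win = $temp_comp_in_new;

                // remove <a href=" and anything after the next quote (we only
                // need the uri, not the link HTML) in compose uri
                //
                $comp_uri = substr($comp_uri, 9);
                $quote_pos = (strlen($comp_uri) > 1) ? strpos($comp_uri, '"', 1) : false;
                if ($quote_pos === false) {
                    // link markup not in the expected <a href="..." shape: leave
                    // this mailto untouched rather than replacing it with an
                    // empty href
                    continue;
                }
                $comp_uri = substr($comp_uri, 0, $quote_pos);

                // note: replaces every occurrence of the matched text in the
                // output, not only the attribute it was found in
                $trusted = str_replace($mailto_before, $comp_uri, $trusted);
            }
        }
    }

    return $trusted;
}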