 /**
  * The CSS sanitizer must collapse each sample below to the "evil" marker
  * comment: url() values, @import rules, expression() properties, and the
  * comment-split and backslash-escaped spellings of "expression" and "url".
  */
 function test_xss()
 {
     // Each entry is: [css snippet, reason it must be rejected].
     $cases = array(
         array("body.main2cols { background-image: url('../images/leftcol.png'); }", "No url() values allowed"),
         array("@import url('http://localhost/somestuff/css/master.css');", "No import statements"),
         array("left:expression(document.body.offsetWidth-20)", "No expression properties"),
         array("left:exp/*  */ression( alert('xss3') )", "Don't allow encoding quirks"),
         array("background:\\0075\\0072\\006c( javascript:alert('xss') )", "Don't allow encoding quirks (2)"),
     );

     foreach ($cases as $case) {
         list($css, $reason) = $case;
         $sanitized = rcmail_mod_css_styles($css, 'rcmbody');
         $this->assertEqual("/* evil! */", $sanitized, $reason);
     }
 }
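// Read the HTTP response on $fp: header lines (while $header is true) are
// collected into $headers, everything after the blank separator line is
// appended to $source. $fp, $header and $source are set up before this point.
$headers = array();
while (!feof($fp)) {
    // fgets() returns false at EOF; casting keeps trim() on a string.
    $line = trim((string) fgets($fp, 4048));
    if ($header) {
        // Status line: anything other than 200 aborts the read. A 200 status
        // line is not a "name: value" pair, so it is skipped rather than
        // stored under a bogus header key.
        if (preg_match('/^HTTP\\/1\\..\\s+(\\d+)/', $line, $regs)) {
            if ((int) $regs[1] !== 200) {
                break;
            }
            continue;
        }
        if ($line === '') {
            // Blank line ends the header section; the body follows.
            $header = false;
        } elseif (strpos($line, ':') !== false) {
            // Split on the first colon only so values containing ': ' stay intact;
            // lines without a colon are not headers and are ignored.
            list($key, $value) = explode(':', $line, 2);
            $headers[strtolower(trim($key))] = trim($value);
        }
    } else {
        $source .= "{$line}\n";
    }
}
fclose($fp);

// check content-type header and mod styles
$mimetype = '';
if (isset($headers['content-type'])) {
    // Compare the bare media type; parameters such as "; charset=utf-8" are dropped.
    list($mimetype) = explode(';', $headers['content-type'], 2);
    $mimetype = strtolower(trim($mimetype));
}
if (!empty($source) && in_array($mimetype, array('text/css', 'text/plain'), true)) {
    // The container id comes from the query string; only [a-z0-9] survive so
    // it cannot inject selectors or break out of the prefix applied to the CSS.
    $container = isset($_GET['c']) ? $_GET['c'] : '';
    header('Content-Type: text/css');
    // The served content is untrusted remote CSS; forbid MIME sniffing on it.
    header('X-Content-Type-Options: nosniff');
    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $container));
    exit;
}

$error = "Invalid response returned by server";
header('HTTP/1.0 404 Not Found');
echo $error;
exit;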