/**
 * Checks that rcmail_mod_css_styles() refuses CSS that can be abused for XSS:
 * url() values, @import rules, expression() properties, and the comment /
 * escape-sequence tricks used to disguise them. Each sample must be replaced
 * by the "evil" marker comment rather than passed through.
 */
function test_xss()
{
    $evilMarker = "/* evil! */";

    // Each entry: the CSS sample to sanitize and the assertion message.
    $cases = array(
        array("body.main2cols { background-image: url('../images/leftcol.png'); }", "No url() values allowed"),
        array("@import url('http://localhost/somestuff/css/master.css');", "No import statements"),
        array("left:expression(document.body.offsetWidth-20)", "No expression properties"),
        array("left:exp/* */ression( alert('xss3') )", "Don't allow encoding quirks"),
        array("background:\\0075\\0072\\006c( javascript:alert('xss') )", "Don't allow encoding quirks (2)"),
    );

    foreach ($cases as $case) {
        list($css, $message) = $case;
        $mod = rcmail_mod_css_styles($css, 'rcmbody');
        $this->assertEqual($evilMarker, $mod, $message);
    }
}
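// Read the HTTP response on $fp: the status line and headers first, then the
// body, which is collected into $source. $fp, $header (true while still in
// the header section) and $source are expected to be initialised before
// this point — they are not set here.
$headers = array();
while (!feof($fp)) {
    $line = fgets($fp, 4048);
    if ($line === false) {
        // read error or EOF reached mid-loop: stop instead of treating it as an empty line
        break;
    }
    $line = trim($line);

    if ($header) {
        // Any status other than 200 ends reading; $source stays empty and a 404 is sent below.
        if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs) && intval($regs[1]) !== 200) {
            break;
        }
        if ($line === '') {
            // blank line separates headers from body
            $header = false;
        } elseif (strpos($line, ':') !== false) {
            // limit to 2 parts so a value containing ':' is not truncated;
            // lines without ':' are ignored instead of raising an undefined-offset notice
            list($key, $value) = explode(':', $line, 2);
            $headers[strtolower(trim($key))] = trim($value);
        }
    } else {
        $source .= "{$line}\n";
    }
}
fclose($fp);

// Check the content-type header and return the sanitized styles.
// A missing header yields an empty media type and therefore a 404 below.
$mimetype = '';
if (isset($headers['content-type'])) {
    // compare only the media type; drop parameters such as "; charset=utf-8"
    $typeParts = explode(';', $headers['content-type'], 2);
    $mimetype = strtolower(trim($typeParts[0]));
}

// Container id used by rcmail_mod_css_styles(); restricted to [a-z0-9] so
// untrusted input cannot inject selector syntax. Empty when ?c= is absent.
$container = isset($_GET['c']) ? preg_replace('/[^a-z0-9]/i', '', $_GET['c']) : '';

if (!empty($source) && in_array($mimetype, array('text/css', 'text/plain'), true)) {
    header('Content-Type: text/css');
    // rcmail_mod_css_styles() is the sanitizer: only its output reaches the client
    echo rcmail_mod_css_styles($source, $container);
    exit;
}

$error = "Invalid response returned by server";
header('HTTP/1.0 404 Not Found');
echo $error;
exit;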