diff --git a/content/base/src/mozSanitizingSerializer.cpp b/content/base/src/mozSanitizingSerializer.cpp
index c10970f9544e..4aca16b3f359 100644
--- a/content/base/src/mozSanitizingSerializer.cpp
+++ b/content/base/src/mozSanitizingSerializer.cpp
@@ -62,6 +62,9 @@
 #include "plstr.h"
 //#include "nsDependentString.h"
 #include "nsIProperties.h"
+#include "nsUnicharUtils.h"
+#include "nsIURI.h"
+#include "nsNetUtil.h"
 //#define DEBUG_BenB
@@ -633,6 +636,22 @@ mozSanitizingHTMLSerializer::SanitizeAttrValue(nsHTMLTag aTag,
 value.Find("base64") != kNotFound)
 return NS_ERROR_ILLEGAL_VALUE;
+ // Check img src scheme
+ if (aTag == eHTMLTag_img &&
+ attr_name.Equals(NS_LITERAL_STRING("src"), nsCaseInsensitiveStringComparator()))
+ {
+ nsresult rv;
+ nsCOMPtr ioService;
+ ioService = do_GetIOService(&rv);
+ if (NS_FAILED(rv)) return rv;
+ nsCAutoString scheme;
+ rv = ioService->ExtractScheme(NS_LossyConvertUCS2toASCII(value), scheme);
+ if (NS_FAILED(rv)) return rv;
+
+ if (!scheme.Equals("cid", nsCaseInsensitiveCStringComparator()))
+ return NS_ERROR_ILLEGAL_VALUE;
+ }
+
 return NS_OK;
 }
diff --git a/mailnews/mailnews.js b/mailnews/mailnews.js
index 8ebd0d28a99e..a7a59ca0f3db 100644
--- a/mailnews/mailnews.js
+++ b/mailnews/mailnews.js
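Review bot: When ExtractScheme fails (a scheme-less or otherwise unparsable img src), the new block in SanitizeAttrValue returns the I/O service's own error code instead of NS_ERROR_ILLEGAL_VALUE, which is the rejection code the function uses elsewhere (the `base64` check directly above); unless the caller treats every failing nsresult as "drop this attribute", a value with no recognizable scheme is classified differently from an explicitly disallowed one. I would fail closed with the same code on both failure paths, `if (NS_FAILED(rv)) return NS_ERROR_ILLEGAL_VALUE;`, and state the rule in the comment, e.g. `// img src: only cid: (a part of this message) may load; any other scheme would be an external fetch`. nsIURI.h is added in the first hunk but nothing in this hunk references nsIURI, so it is presumably a leftover include. SanitizeAttrValue begins outside the hunk.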
@@ -379,7 +379,7 @@ pref("mail.send_struct", false); // HTML->HTML *bold* etc. during Send; ditto // For the next 4 prefs, see pref("mailnews.display.prefer_plaintext", false); // Ignore HTML parts in multipart/alternative pref("mailnews.display.html_as", 0); // How to display HTML parts. 0 = Render the sender's HTML; 1 = HTML->TXT->HTML; 2 = Show HTML source; 3 = Sanitize HTML -pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)"); +pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc,src) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)"); pref("mailnews.display.disallow_mime_handlers", 0); /* Let only a few classes process incoming data. This protects from bugs (e.g. buffer overflows) and from security loopholes (e.g. allowing unchecked HTML in some obscure classes, although the user has html_as > 0). This option is mainly for the UI of html_as. 0 = allow all available classes diff --git a/mailnews/mime/src/mimemrel.cpp b/mailnews/mime/src/mimemrel.cpp index a70ab8e02847..38bc54dd0cc4 100644 
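Review bot: Adding `src` to the img entry of mailnews.display.html_sanitizer.allowed_tags is only safe because SanitizeAttrValue in mozSanitizingSerializer.cpp now restricts that attribute to the cid: scheme, and nothing on this line records that dependency, so a later edit of the string can silently widen what the sanitizer lets through. I would add a comment on the pref, e.g. `// img(src) is allowed only because mozSanitizingSerializer restricts img src to the cid: scheme; keep both in sync`. The same change is made to the duplicate copy in modules/libpref/src/init/mailnews.js (same blob ids), which should carry the same comment.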
--- a/mailnews/mime/src/mimemrel.cpp
+++ b/mailnews/mime/src/mimemrel.cpp
@@ -842,8 +842,14 @@ flush_tag(MimeMultipartRelated* relobj)
 ptr2++;
 /* Compare the beginning of the word with "cid:". Yuck. */
 if (((ptr2 - buf) > 4) &&
- (buf[0]=='c' && buf[1]=='i' && buf[2]=='d' && buf[3]==':'))
+ ((buf[0]=='c' || buf[0]=='C') &&
+ (buf[1]=='i' || buf[1]=='I') &&
+ (buf[2]=='d' || buf[2]=='D') &&
+ buf[3]==':'))
 {
+ // Make sure it's lowercase, otherwise it won't be found in the hash table
+ buf[0] = 'c'; buf[1] = 'i'; buf[2] = 'd';
+
 /* Null terminate the word so we can... */
 c = *ptr2;
 *ptr2 = '\0';
diff --git a/modules/libpref/src/init/mailnews.js b/modules/libpref/src/init/mailnews.js
index 8ebd0d28a99e..a7a59ca0f3db 100644
--- a/modules/libpref/src/init/mailnews.js
+++ b/modules/libpref/src/init/mailnews.js
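Review bot: The three-way per-character test in the `if` could be written with the NSPR helper, `PL_strncasecmp(buf, "cid:", 4) == 0`, assuming plstr.h is reachable from this file; it states the intent in one call and cannot drift if the prefix is ever changed. The lowercasing of buf[0..2] is a write into the scanned tag text that, unlike the `*ptr2 = '\0'` just below, is not shown being restored, so the prefix stays normalized in the buffer afterwards; that looks intentional but the comment should say so, e.g. `// Lowercase the prefix in place (not restored): the part hash is keyed on "cid:"`. flush_tag begins and ends outside the hunk.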
@@ -379,7 +379,7 @@ pref("mail.send_struct", false); // HTML->HTML *bold* etc. during Send; ditto // For the next 4 prefs, see pref("mailnews.display.prefer_plaintext", false); // Ignore HTML parts in multipart/alternative pref("mailnews.display.html_as", 0); // How to display HTML parts. 0 = Render the sender's HTML; 1 = HTML->TXT->HTML; 2 = Show HTML source; 3 = Sanitize HTML -pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)"); +pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc,src) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)"); pref("mailnews.display.disallow_mime_handlers", 0); /* Let only a few classes process incoming data. This protects from bugs (e.g. buffer overflows) and from security loopholes (e.g. allowing unchecked HTML in some obscure classes, although the user has html_as > 0). This option is mainly for the UI of html_as. 0 = allow all available classes