Bug 193929: HTML sanitizer ("simple html") should allow attached images

r=ducarroz, sr=jst

content/base/src/mozSanitizingSerializer.cpp

@@ -62,6 +62,9 @@
 #include "plstr.h"
 //#include "nsDependentString.h"
 #include "nsIProperties.h"
+#include "nsUnicharUtils.h"
+#include "nsIURI.h"
+#include "nsNetUtil.h"
 
 //#define DEBUG_BenB
 
@@ -633,6 +636,22 @@ mozSanitizingHTMLSerializer::SanitizeAttrValue(nsHTMLTag aTag,
       value.Find("base64") != kNotFound)
     return NS_ERROR_ILLEGAL_VALUE;
 
+  // Check img src scheme
+  if (aTag == eHTMLTag_img && 
+      attr_name.Equals(NS_LITERAL_STRING("src"), nsCaseInsensitiveStringComparator()))
+  {
+    nsresult rv;
+    nsCOMPtr<nsIIOService> ioService;
+    ioService = do_GetIOService(&rv);
+    if (NS_FAILED(rv)) return rv;
+    nsCAutoString scheme;
+    rv = ioService->ExtractScheme(NS_LossyConvertUCS2toASCII(value), scheme);
+    if (NS_FAILED(rv)) return rv;
+
+    if (!scheme.Equals("cid", nsCaseInsensitiveCStringComparator()))
+      return NS_ERROR_ILLEGAL_VALUE;
+  }
+
   return NS_OK;
 }
 

mailnews/mailnews.js

@@ -379,7 +379,7 @@ pref("mail.send_struct", false);   // HTML->HTML *bold* etc. during Send; ditto
 // For the next 4 prefs, see <http://www.bucksch.org/1/projects/mozilla/108153>
 pref("mailnews.display.prefer_plaintext", false);  // Ignore HTML parts in multipart/alternative
 pref("mailnews.display.html_as", 0);  // How to display HTML parts. 0 = Render the sender's HTML; 1 = HTML->TXT->HTML; 2 = Show HTML source; 3 = Sanitize HTML
-pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)");
+pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc,src) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)");
 pref("mailnews.display.disallow_mime_handlers", 0);  /* Let only a few classes process incoming data. This protects from bugs (e.g. buffer overflows) and from security loopholes (e.g. allowing unchecked HTML in some obscure classes, although the user has html_as > 0).
 This option is mainly for the UI of html_as.
 0 = allow all available classes

mailnews/mime/src/mimemrel.cpp

@@ -842,8 +842,14 @@ flush_tag(MimeMultipartRelated* relobj)
         ptr2++;
       /* Compare the beginning of the word with "cid:". Yuck. */
       if (((ptr2 - buf) > 4) && 
-        (buf[0]=='c' && buf[1]=='i' && buf[2]=='d' && buf[3]==':'))
+        ((buf[0]=='c' || buf[0]=='C') && 
+         (buf[1]=='i' || buf[1]=='I') && 
+         (buf[2]=='d' || buf[2]=='D') && 
+          buf[3]==':'))
       {
+        // Make sure it's lowercase, otherwise it won't be found in the hash table
+        buf[0] = 'c'; buf[1] = 'i'; buf[2] = 'd';
+
         /* Null terminate the word so we can... */
         c = *ptr2;
         *ptr2 = '\0';

modules/libpref/src/init/mailnews.js

@@ -379,7 +379,7 @@ pref("mail.send_struct", false);   // HTML->HTML *bold* etc. during Send; ditto
 // For the next 4 prefs, see <http://www.bucksch.org/1/projects/mozilla/108153>
 pref("mailnews.display.prefer_plaintext", false);  // Ignore HTML parts in multipart/alternative
 pref("mailnews.display.html_as", 0);  // How to display HTML parts. 0 = Render the sender's HTML; 1 = HTML->TXT->HTML; 2 = Show HTML source; 3 = Sanitize HTML
-pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)");
+pref("mailnews.display.html_sanitizer.allowed_tags", "html head title body p br div(lang,title) h1 h2 h3 h4 h5 h6 ul ol li(value,start,compact) dl dt dd blockquote(type,cite) pre noscript noframes strong em sub sup span(lang,title) acronym(title) abbr(title) del(title,cite,datetime) ins(title,cite,datetime) q(cite) a(href,name,title) img(alt,title,longdesc,src) base(href) area(alt) applet(alt) object(alt) var samp dfn address kbd code cite s strike tt b i table(align) caption tr(align,valign) td(rowspan,colspan,align,valign) th(rowspan,colspan,align,valign)");
 pref("mailnews.display.disallow_mime_handlers", 0);  /* Let only a few classes process incoming data. This protects from bugs (e.g. buffer overflows) and from security loopholes (e.g. allowing unchecked HTML in some obscure classes, although the user has html_as > 0).
 This option is mainly for the UI of html_as.
 0 = allow all available classes