[SM-CVS] CVS: squirrelmail/functions mime.php,1.189.2.9,1.189.2.10

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory usw-pr-cvs1:/tmp/cvs-serv11377

Modified Files:
      Tag: SM-1_2-STABLE
	mime.php 
Log Message:
Updating the ruleset slightly to allow for the fact that 
"java script:alert(1)" and "javascript:alert(1)" are the same thing for
the #$@# explorer.


Index: mime.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/mime.php,v
retrieving revision 1.189.2.9
retrieving revision 1.189.2.10
diff -u -w -r1.189.2.9 -r1.189.2.10

--- mime.php	8 Sep 2002 06:23:56 -0000	1.189.2.9
+++ mime.php	23 Sep 2002 21:25:07 -0000	1.189.2.10
@@ -1556,13 +1556,13 @@
      */
     if (strpos($attvalue, "#") !== false){
         $omit = Array(34, 39);
-        for ($asc=1; $asc<256; $asc++){
+        for ($asc=256; $asc>=0; $asc--){
             if (!in_array($asc, $omit)){
                 $chr = chr($asc);
-                $attvalue = preg_replace("/\&#0*$asc;*(\D)/si", "$chr\\1", 
-                                         $attvalue);
-                $attvalue = preg_replace("/\&#x0*".dechex($asc).";*(\W)/si",
-                                         "$chr\\1", $attvalue);
+                $octrule = '/\&#0*' . $asc . ';*/si';
+                $hexrule = '/\&#x0*' . dechex($asc) . ';*/si';
+                $attvalue = preg_replace($octrule, $chr, $attvalue);
+                $attvalue = preg_replace($hexrule, $chr, $attvalue);
             }
         }
     }
@@ -2001,7 +2001,7 @@
                     Array(
                           Array(
                                 "|^([\'\"])\s*\.\./.*([\'\"])|si",
-                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+                                "/^([\'\"])\s*\S+\s*script\s*:.*([\'\"])/si",
 				"/^([\'\"])\s*mocha\s*:*.*([\'\"])/si",
 				"/^([\'\"])\s*about\s*:.*([\'\"])/si"
                                 ),
@@ -2016,7 +2016,7 @@
                     Array(
                           Array(
                                 "|^([\'\"])\s*\.\./.*([\'\"])|si",
-                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+                                "/^([\'\"])\s*\S+\s*script\s*:.*([\'\"])/si",
 				"/^([\'\"])\s*mocha\s*:*.*([\'\"])/si",
 				"/^([\'\"])\s*about\s*:.*([\'\"])/si"
                                 ),
@@ -2034,7 +2034,7 @@
 				"/binding/si",
 				"/behaviou*r/si",
                                 "|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
-                                "/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/si",
+                                "/url\(([\'\"])\s*\S+\s*script\s*:.*([\'\"])\)/si",
 				"/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/si",
 				"/url\(([\'\"])\s*about\s*:.*([\'\"])\)/si"
                                ),



