9afeb0174e
Use PHPStan v2
4 months ago
efcdce84ba
Keep phpstan strict rules testing ( #9424 )
* Revert "Get rid of phpstan/phpstan-strict-rules"
This reverts commit ff59ade31a
8 months ago
7c8968f4fe
Use new HTML5 parser available on PHP >= 8.4
11 months ago
58721e3037
Fix regression where HTML messages were displayed unstyled ( #9586 )
12 months ago
c99dcacddb
- Fix information leak (access to remote content) via insufficient CSS filtering [CVE-2024-42010]
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com )
12 months ago
40a4a71b67
Fix XSS vulnerability in post-processing of sanitized HTML content [CVE-2024-42009]
Credits to Oskar Zeino-Mahmalat (https://www.sonarsource.com )
12 months ago
ba252dc5e2
Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes
Reported by Valentin T. and Lutz Wolf of CrowdStrike.
1 year ago
a30e0ad438
Infer file/line location in rcube::raise_error() from backtrace ( #9422 )
* \n\s+'file' => __FILE__,
* \n\s+'line' => __LINE__,
* 'line' => __LINE__, 'file' => __FILE__,
* 'file' => __FILE__, 'line' => __LINE__,
* rest
* more
* improve cs
* more cs
* revert rcube_utils::preg_error changes
* impl file/line from backtrace
* Revert "revert rcube_utils::preg_error changes"
1 year ago
2f5f3bd0de
Code improvements
1 year ago
91816ca187
Fix phpstan errors
1 year ago
332c165d28
Fix some basic JS CS ( #9328 )
* fix "nonblock-statement-body-position" (fixed already)
* fix "comma-dangle"
* fix "no-regex-spaces"
* fix "new-parens"
* fix "object-curly-newline"
* fix "object-property-newline"
* fix "spaced-comment" semimanually
* fix "no-constant-condition" manually
* fix "unicorn/no-hex-escape"
* fix "unicorn/escape-case"
* fix "quote-props"
* fix "no-whitespace-before-property" - fix bug/typo
* fix "unicorn/empty-brace-spaces"
* fix "keyword-spacing"
* fix "dot-notation"
* fix "no-return-assign" manually
* fix "padding-line-between-statements"
* fix "key-spacing"
* fix "no-else-return" semimanually
* fix some "no-undef"
* fix case cs
* Revert "fix "padding-line-between-statements""
* improve switch/case format I.
* improve switch/case format II.
regex: (^ *(break|return).*)\n *(\n)
* fix safe "eqeqeq"
* fix "radix"
* fix v3.49.0 CS (static providers)
* fix "string_implicit_backslashes" in php files
* fix comments align
* fix test static providers
* fix stan
* disable "final_internal_class" rule
1 year ago
d18406a8bd
Fix binary operator spaces CS ( #9330 )
* align_single_space_minimal for assign
* assign operators grouping is not supported by PHP CS Fixer
* binary_operator_spaces = single_space
* fix anonymous function on single line
* align comments manually
2 years ago
34500a4fa4
Fix "missing return statement" phpstan errors
2 years ago
ff2d721680
Fix more CS whitespace ( #9318 )
* fix "no_useless_else" manually
* fix some "blank_line_before_statement"
* two manual changes
* Revert "fix some "blank_line_before_statement""
This reverts commit 2cc857c00e
2 years ago
4ee79b9e84
fix "explicit_string_variable" ( #9315 )
2 years ago
54f4aa33f9
Fix CS - imports ( #9316 )
* fix Tests\Browser\TestCase imports
* fix remaining imports
* fix PHPUnit\Framework\TestCase imports
* import GuzzleHttp\Client
* fix remaining
* "php_unit_method_casing" is not todo
* fix "single_line_comment_spacing"
* fix 2nd commit done using older fixer
2 years ago
b1a0067e5d
Fix more CS ( #9303 )
* fix "class_attributes_separation"
* fix "ternary_to_null_coalescing"
* fix "no_extra_blank_lines"
* fix "php_unit_data_provider_name" - use snake_case
* fix remaining "function data_" manually
* move "php_unit_test_case_static_method_calls" to a better place in cnf
* fix 3.47.1 CS
2 years ago
6a53a1d853
Fix CS (whitespace, visibility) ( #9297 )
* Fix "method_argument_space"
* Fix "control_structure_continuation_position"
* Fix "new_with_parentheses"
* Fix "blank_line_before_statement"
* Fix "visibility_required"
* Fix some "array_indentation"
* Fix some "array_indentation" - unify all "rcube::raise_error" calls
* rm useless eslint ignores and add rules counts
* sort eslint ignores
* fix eslint ignores grammar
* Revert "Fix "blank_line_before_statement""
* fix CS 3.46.0
2 years ago
2643be3eaa
Fix single quotes CS ( #9283 )
* Fix "single_quote"
* fix "escape_implicit_backslashes"
* fix typo from f363481c
2 years ago
3e458fa5fd
Refer native constants unambiguously ( #9275 )
* Fix "native_constant_invocation" CS
* "self_accessor" was fixed in 9269 PR
* "php_unit_strict" was fixed in 9268 PR
2 years ago
e7d7e62146
Modernize more basic CS II ( #9254 )
* fix "integer_literal_case"
* fix "phpdoc_separation"
* fix "phpdoc_var_without_name"
* fix "operator_linebreak"
* fix "no_alias_language_construct_call"
* fix "list_syntax"
* fix "concat_space"
* fix "array_syntax"
* fix "binary_operator_spaces"
* fix "binary_operator_spaces" relaxed
* fix "phpdoc_types_order"
* fix "phpdoc_trim"
* fix "native_type_declaration_casing"
* fix "method_chaining_indentation"
* fix "phpdoc_no_package"
* fix "elseif"
* fix PHP CS Fixer config itself too
* fix "native_type_declaration_casing"
2 years ago
ca8b17d191
Modernize more basic CS ( #9258 )
* fix "yoda_style"
* fix "is_null"
* rm useless rule ignores
* add full "PhpCsFixer:risky" ruleset
* fix "implode_call"
* fix "no_alias_functions"
* fix "array_push"
* fix "long_to_shorthand_operator"
* fix "ternary_to_elvis_operator"
* fix "logical_operators"
* fix "fopen_flags"
* rename "returns" phpdoc tags to "return"
* fix "php_unit_construct"
* fix "function_to_constant"
* fix "php_unit_data_provider_return_type"
* fix "php_unit_set_up_tear_down_visibility"
* some safe "string_length_to_empty"
* fix "phpdoc_align"
* fix "phpdoc_no_alias_tag"
* fix "trailing_comma_in_multiline"
---------
Co-authored-by: Aleksander Machniak <alec@alec.pl>
2 years ago
a8707ae220
Fix and assert basic CS using CI ( #9246 )
* Assert CS using CI
* fix "single_blank_line_at_eof"
* fix "statement_indentation"
* fix "switch_case_semicolon_to_colon"
* fix "control_structure_braces"
* fix "statement_indentation"
* fix "no_whitespace_in_blank_line"
* fix "no_trailing_whitespace_in_comment"
* fix "no_trailing_whitespace"
* fix "single_space_around_construct"
* fix "spaces_inside_parentheses"
* fix "ternary_operator_spaces"
* fix "trim_array_spaces"
* fix "whitespace_after_comma_in_array"
* fix "cast_spaces"
* fix "unary_operator_spaces"
* fix "no_trailing_comma_in_singleline"
* fix "ordered_imports"
* fix "no_unused_imports"
* Check composer.json format
* fix CI job name
* file header comments are not phpdoc
* fix "phpdoc_indent"
* fix "braces_position"
* fix "phpdoc_types"
* fix "no_blank_lines_after_class_opening"
* fix "no_multiple_statements_per_line"
* fix "multiline_comment_opening_closing"
* fix "single_line_empty_body"
* fix "non_printable_character"
* fix "phpdoc_trim_consecutive_blank_line_separation"
* fix "include"
* fix "no_mixed_echo_print"
---------
Co-authored-by: Aleksander Machniak <alec@alec.pl>
2 years ago
5425d1a84a
Fix invalid phpdocs ( #9252 )
* fix missing return type in phpdoc
* fix "phpdoc_scalar"
* Fix phpdoc variable names typos
* fix wrong phpdoc tags
2 years ago
6ee6e7ae30
Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages ( #9168 )
2 years ago
f211757286
Fix bug where a duplicate `<title>` tag in HTML email could cause some parts being cut off ( #9029 )
2 years ago
2847154cd0
Fix bug where multiline data:image URI's in emails were stripped from the message on display ( #8613 )
3 years ago
5c4e18820e
Fix anchor links in HTML mail ( #8632 )
3 years ago
282f0a2830
Fix bug where title tag content was displayed in the body if it contained HTML tags ( #8540 )
3 years ago
693b7f0ecb
Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
4 years ago
e00795b48b
Add workaround for the HTML5 parser performance issue, remove the size limit
4 years ago
f2688ba492
Use ?? operator where applicable
4 years ago
a832a6943e
Fix converting >1MB of HTML content into plain text ( #8137 )
4 years ago
551cfc713b
Fix bug where 'start' and 'reversed' on ol tag were ignored ( #8059 ) ( #8060 )
4 years ago
203f456620
Spelling ( #8001 )
4 years ago
2f42fa2eaf
Fix HTML5 parser issue with a messy HTML code from Outlook ( #7356 )
4 years ago
9f19b931e3
Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
and improve css parsing code.
Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
5 years ago
66062846ec
Fix "unitialized string offset" warnings
5 years ago
f4ed1024dc
PHP8 fixes, CS fixes, short array syntax, tests
5 years ago
545a1569f1
Steps -> Actions refactoring ( #7688 )
* Move action handling code to rcmail class
* Add rcmail_action class
* Add action aliases
* Get rid of $OUTPUT global
* Move some methods from rcmail to rcmail_action
* PHP8 compat. fixes
* Add framework for testing actions
* Fix obvious code mistakes
5 years ago
bde383d051
PHP8: Fix various issues
for now only these I found by running our unit tests, there will be much more
5 years ago
d81b8447fb
Fix empty output from HTML5 parser when content contains XML tag ( #7624 )
5 years ago
a5c2b4360c
Fixes in context of undefined variables, and code style
5 years ago
ec4cc29c88
Fix cross-site scripting (XSS) via HTML messages with malicious svg or math content
5 years ago
8e0ee8b1c4
Fix: Keep children of object tag ( #6453 )
The HTML tag <object> optionally has embedded (child) tags that serve as an
alternative (fallback) HTML representation for the object. Of course, the
object and its parameters are considered harmful in HTML mail, but the
alternative representation is meant for exactly this kind of situation. They
should display the object contents without loading possibly insecure code.
- By ignoring <object> tags, roundcube also removes all their child nodes
- As <object> is not in the list of allowed $html_elements and <param> gets
cleaned through $void_elements, they get ignored anyway, without removing the
valuable child nodes.
Co-authored-by: root <root@coreboso-kolab.coreboso.de>
5 years ago
17deadfe56
Fix handling links without defined protocol ( #7454 )
5 years ago
0d9bffa878
Fix incorrect rewriting of internal links in HTML content ( #7512 )
5 years ago
32a7709ddf
Fix cross-site scripting (XSS) via HTML messages with malicious svg/namespace
Credits to SSD Secure Disclosure (https://ssd-disclosure.com/ )
5 years ago
87e4cd0cf2
Fix XSS issue in handling of CDATA in HTML messages
5 years ago
b35b5a1a26
Fix typo
5 years ago
Aleksander Machniak