[pmg-devel] applied: [PATCH pmg-api v2] fix #3734: scrub 'url' from style tags/attributes

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Nov 26 10:07:08 CET 2021


On 25.11.21 15:14, Dominik Csapak wrote:
> if 'view images' for the quarantine is disabled, it is expected that
> *no* images will be loaded. but in addition to img (src/href/etc.)
> also css can load external images via the 'url' directive
> 
> since html scrubber does not parse/iterate over css, we simply remove
> the url+protocol part of those tags/attributes. this technically leaves behind
> invalid css, but the browsers should cope with that.
> (we cannot 'cleanly' remove without much more effort because of quoting)
> 
> also we have to scrub the style tags in 'dump_html' since HTML::Scrubber
> does not have a way to modify the *content* of a tag, only the
> attributes...
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v1:
> * replace url with ___ and protocol:// with _ instead of removing
> * move sub out and use the reference
> * always pass $cid_hash and only use it in the function when
>   $view_images is set
> * improve comment to show what 'dump_html' does
> 
> @thomas: a note to our off-list discussion regarding url-encoding the
> protocol: you *could* do it, but the browser does not recognize it as
> a protocol and interprets it as a relative url, so we're safe in
> this regard
> 
>  src/PMG/HTMLMail.pm | 31 +++++++++++++++++++++++++++----
>  1 file changed, 27 insertions(+), 4 deletions(-)
> 
>

OK, so I went down the wrong road due to the code-ref passing: ref(\foo) being
SCALAR vs. \&foo being CODE tripped up the scrubber.

So after a pair debugging/understanding session with Dominik (thx!) I now:
* appreciate our perl code way more, as Scrubber shows that one can do it way
  more cryptic and harder to grasp

* got that the style stuff now works pretty great, I only fixed the undef value
  variant for the url remover and passing the code-ref

applied, thanks!
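For readers of the thread, an added example (not the PMG code from the patch) of the scrubbing step the commit message describes: the 'url' token becomes '___' and any 'scheme://' prefix becomes '_', leaving invalid but harmless CSS, with the undef attribute value handled. The helper name and sample inputs are constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not PMG's own implementation: neutralise CSS-driven
# image loading without parsing the CSS, as described in the patch.
# Returns undef for an undefined input (a style attribute without a value).
sub scrub_css_urls {
    my ($css) = @_;
    return undef if !defined($css);

    # 'url' -> '___': url(...) turns into ___(...), an unknown CSS function
    # that the browser discards as an invalid declaration, so nothing is fetched.
    $css =~ s/\burl\b/___/gi;

    # 'scheme://' -> '_': even a string that survives can no longer be read
    # back as an absolute external address. Assumes scheme chars [a-z0-9+.-];
    # 'cid:' references have no '//' and are left alone.
    $css =~ s/\b[a-z][a-z0-9+.\-]*:\/\//_/gi;

    return $css;
}

# Constructed sample inputs: an inline style attribute, a <style> body,
# a harmless declaration and an attribute without a value.
my @samples = (
    q{background: url("https://tracker.example/p.gif") no-repeat},
    q{body { background-image: URL( 'HTTP://tracker.example/p.gif' ); }},
    q{color: red},
    undef,
);

for my $in (@samples) {
    my $out = scrub_css_urls($in);
    printf "%-62s => %s\n", $in // '<undef>', $out // '<undef>';
}
```

When 'view images' is enabled the real code keeps the $cid_hash lookup instead, so this example only covers the disabled case.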