##---------------------------------------------------------------------------##
## $Id: mhtxthtml.pl,v 2.22.2.1 2002/12/22 00:43:56 ehood Exp $
## Earl Hood mhonarc@mhonarc.org
## Library defines routine to filter text/html body parts
## Filter routine can be registered with the following:
## text/html:m2h_text_html'filter:mhtxthtml.pl
##---------------------------------------------------------------------------##
## MHonArc -- Internet mail-to-HTML converter
## Copyright (C) 1995-2000 Earl Hood, mhonarc@mhonarc.org
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
##---------------------------------------------------------------------------##
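# Beginning of URL match expression: either "scheme://" or a bare "scheme:"
# prefix.  Used below to recognise absolute URLs.
my $Url    = '(\w+://|\w+:)';

# Script related attributes.  This is a denylist of intrinsic event handler
# attributes (plus "style") that are stripped when scripting markup is not
# allowed.  The list covers the HTML 4 intrinsic events together with
# onabort/onerror; the earlier list omitted the focus, form and error
# handlers, so those attributes survived the filter.
# NOTE(review): a denylist cannot anticipate browser-specific handlers; any
# handler not named here still passes through.
my $SAttr  = q/\b(?:onabort|onblur|onchange|onclick|ondblclick|onerror|/.
             q/onfocus|onkey(?:press|down|up)|onload|/.
             q/onmouse(?:down|up|over|move|out)|/.
             q/onreset|onselect|onsubmit|onunload|style)\b/;

# Script/questionable related elements (removed along with scripting markup).
my $SElem  = q/\b(?:applet|base|embed|form|ilayer|input|layer|link|meta|/.
             q/object|option|param|select|textarea)\b/;

# Elements with auto-loaded URL attributes, i.e. elements that make a
# browser fetch a URL without user interaction.
my $AElem  = q/\b(?:img|body|iframe|frame|object|script|input)\b/;

# Attributes whose value is a URL.
my $UAttr  = q/\b(?:action|background|cite|classid|codebase|data|datasrc|/.
             q/dynsrc|for|href|longdesc|profile|src|url|usemap)\b/;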
##---------------------------------------------------------------------------
## The filter must modify HTML content parts for merging into the
## final filtered HTML messages. Modification is needed so the
## resulting filtered message is valid HTML.
## allowcomments Preserve any comment declarations. Normally,
## comment declarations are munged to prevent
## SSI attacks or comments that can conflict
## with MHonArc processing. Use this option
## with care.
## allownoncidurls Preserve URL-based attributes that are not
## cid: URLs. Normally, any URL-based attribute
## -- href, src, background, classid, data,
## longdesc -- will be stripped if it is not a
## cid: URL. This is to prevent malicious URLs
## that verify mail addresses for spam purposes,
## secretly set cookies, or gather some
## statistical data automatically with the use of
## elements that cause browsers to automatically
## fetch data: IMG, BODY, IFRAME, FRAME, OBJECT,
## SCRIPT, INPUT.
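## allowscript Preserve any markup associated with scripting.
## This includes elements and attributes related
## to scripting. The default is to delete any
## scripting markup for security reasons. Preserved
## script is served from the archive's own pages, so
## enable this only when every sender is trusted.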
## attachcheck Honor attachment disposition. By default,
## all text/html data is displayed inline on
## the message page. If attachcheck is specified
## and Content-Disposition specifies the data as
## an attachment, the data is saved to a file
## with a link to it from the message page.
## nofont Remove <FONT> tags.
## notitle Do not print title.
## Unpack the filter arguments.  $data is used as a scalar reference
## ($$data) by the statements that follow; $args is the option string that
## is matched against the option names documented above.
## NOTE(review): the enclosing sub header and the closing braces of the
## conditionals below are not visible in this listing.
my($fields, $data, $isdecode, $args) = @_;
$args = '' unless defined $args;
## Check if content-disposition should be checked
## When attachcheck is set and the part's disposition is "attachment",
## the part is handed to m2h_external::filter (with the arguments
## registered for that filter) and its result is returned as-is.
if ($args =~ /\battachcheck\b/i) {
my($disp, $nameparm) = readmail
::MAILhead_get_disposition
($fields);
if ($disp =~ /\battachment\b/i) {
return (m2h_external
::filter
(
$fields, $data, $isdecode,
readmail
::get_filter_args
('m2h_external::filter')));
## @files is dynamically scoped (local) so that resolve_cid, which pushes
## written attachment names onto it, shares the same list.
local(@files) = (); # XXX: Used by resolve_cid!!!
## Security-relevant switches.  Scripting markup is kept only when
## allowscript is given; non-cid: URLs are kept only when allownoncidurls
## is given ($onlycid is true otherwise).
## NOTE(review): the initial value of $noscript is not visible here; the
## option documentation says the default is to delete scripting markup.
$noscript = 0 if $args =~ /\ballowscript\b/i;
my $nofont = $args =~ /\bnofont\b/i;
my $notitle = $args =~ /\bnotitle\b/i;
my $onlycid = $args !~ /\ballownoncidurls\b/i;
## Check comment declarations: may screw-up mhonarc processing
## and avoids someone sneaking in SSIs.
#$$data =~ s/<!(?:--(?:[^-]|-[^-])*--\s*)+>//go; # can crash perl
## The substitution replaces "<!--" plus the run of non-hyphen characters
## that follows it (and any trailing "#", "X", "%", "$" or "[") with a bare
## "<!--", so the start of each comment body is discarded.
## NOTE(review): this is pattern munging, not comment parsing.  Do not rely
## on it as the only SSI defence; keep server-side includes disabled for
## the directory the archive is served from.
$$data =~ s/<!--[^-]+[#X%\$\[]*/<!--/g; # Just mung them (faster)
## Pull the <title> element out of the body.  The captured text is
## "[^<]*", so it cannot contain "<" when it is re-emitted inside the
## <address> line.
## NOTE(review): the line breaks inside the patterns below look like a
## listing artifact (without /x a newline in a pattern is matched
## literally), and some connecting statements are not visible -- confirm
## against the upstream file.
if ($$data =~ s
|<title\s
*>([^<]*)</title\s
*>||io
) {
$title = "<address>Title: <strong>$1</strong></address>\n"
$$data =~ s
|<title\s
*>[^<]*</title\s
*>||io
;
## Determine the base URL: a <base> element is removed from the body and
## its href (quoted or unquoted) is examined.
if ($$data =~ s
|(<base\s
[^>]*>)||i
) {
if ($tmp =~ m
|href\s
*=\s
*['"]([^'"]+)['"]|i
) {
} elsif ($tmp =~ m
|href\s
*=\s
*([^\s
>]+)|i
) {
last BASEURL
if ($base =~ /\S/);
## Fall back to the Content-Base, then Content-Location, header value;
## quotes and whitespace are stripped from it before it is used as $base.
if ((defined($tmp = $fields->{'content-base'}[0]) ||
defined($tmp = $fields->{'content-location'}[0])) &&
($base = $tmp) =~ s/['"\s]//g;
## Strip out certain elements/tags to support proper inclusion
## The whole <head> section, the doctype declaration and the html, x-html,
## meta and link tags are deleted.  "1 while (s///)" repeats the
## substitution until it no longer matches.
## NOTE(review): the line breaks inside the patterns look like a listing
## artifact; without /x a newline in a pattern is matched literally --
## confirm against the upstream file.
$$data =~ s
|<head\s
*>[\s\S
]*</head\s
*>||io
;
1 while ($$data =~ s
|<!doctype\s
[^>]*>||io
);
1 while ($$data =~ s
|</?html
\b[^>]*>||gio
);
1 while ($$data =~ s
|</?x
-html
\b[^>]*>||gio
);
## meta and link are removed for every message, independent of the
## scripting options parsed earlier.
1 while ($$data =~ s
|</?meta
\b[^>]*>||gio
);
1 while ($$data =~ s
|</?
link\b[^>]*>||gio
);
## Strip out <font> tags if requested
## NOTE(review): the guard that makes this conditional on the nofont
## option is not visible in this listing.
## <style> elements are removed together with their content, then any
## font tags, then style/class attributes in double-quoted, single-quoted
## and unquoted form, and finally any leftover style tags.
$$data =~ s
|<style
[^>]*>.*?
</style\s
*>||gios
;
1 while ($$data =~ s
|</?font
\b[^>]*>||gio
);
## These three patterns are not anchored to a tag, so matching text in
## the message body is removed as well.
1 while ($$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio);
1 while ($$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio);
1 while ($$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio);
1 while ($$data =~ s
|</?style
\b[^>]*>||gi
);
## Strip out scripting markup if requested
## NOTE(review): the guard on $noscript is not visible in this listing,
## and the line breaks inside the patterns look like a listing artifact
## (without /x a newline in a pattern is matched literally) -- confirm
## against the upstream file.
# remove scripting elements and attributes
## <script> elements are deleted together with their content.
$$data =~ s
|<script
[^>]*>.*?
</script\s
*>||gios
;
unless ($nofont) { # avoid dup work if style already stripped
$$data =~ s
|<style
[^>]*>.*?
</style\s
*>||gios
;
1 while ($$data =~ s
|</?style
\b[^>]*>||gi
);
## Remove every attribute named by $SAttr, in double-quoted, single-quoted
## and unquoted form.  $SAttr and $SElem are denylists defined at the top
## of the file: an attribute or element that is not named there passes
## through unchanged.  The patterns are not anchored to a tag, so matching
## text in the message body is removed too.
1 while ($$data =~ s
|$SAttr\s
*=\s
*"[^"]*"||gio); #"
1 while ($$data =~ s
|$SAttr\s
*=\s
*'[^']*'||gio); #'
1 while ($$data =~ s
|$SAttr\s
*=\s
*[^\s
>]+||gio
);
## Remove the opening and closing tags of every element named by $SElem.
1 while ($$data =~ s
|</?
$SElem[^>]*>||gio
);
## Finally delete any remaining "<script" / "</script" token; only the
## token is removed, the rest of the tag text stays in the output.
1 while ($$data =~ s
|</?script
\b||gi
);
# for netscape 4.x browsers
# Deletes runs of "&{" that directly follow an attribute "=" (with an
# optional quote and whitespace), keeping the "=" prefix captured in $1.
# NOTE(review): presumably this targets the "&{...};" JavaScript entity
# syntax of those browsers -- confirm.
$$data =~ s/(=\s*["']?\s*)(?:\&\{)+/$1/g;
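# Hopefully complete pattern to neutralize javascript:... URLs.
# The pattern is ugly because we have to handle any combination
# of regular chars and entity refs: each letter of "javascript" is
# matched either literally or as a decimal or hex numeric character
# reference, with or without the trailing ";".  This is a denylist
# pattern, so completeness is not guaranteed.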
$$data =~ s
/\b(?
:j
|&\#
(?
:0*(?
:74|106)|x0
*(?
:4a
|6a
))(?
:;|(?
![0-9])))
(?
:a
|&\#
(?
:0*(?
:65|97)|x0
*(?
:41|61))(?
:;|(?
![0-9])))
(?
:v
|&\#
(?
:0*(?
:86|118)|x0
*(?
:56|76))(?
:;|(?
![0-9])))
(?
:a
|&\#
(?
:0*(?
:65|97)|x0
*(?
:41|61))(?
:;|(?
![0-9])))
(?
:s
|&\#
(?
:0*(?
:83|115)|x0
*(?
:53|73))(?
:;|(?
![0-9])))
(?
:c
|&\#
(?
:0*(?
:67|99)|x0
*(?
:43|63))(?
:;|(?
![0-9])))
(?
:r
|&\#
(?
:0*(?
:82|114)|x0
*(?
:52|72))(?
:;|(?
![0-9])))
(?
:i
|&\#
(?
:0*(?
:73|105)|x0
*(?
:49|69))(?
:;|(?
![0-9])))
(?
:p
|&\#
(?
:0*(?
:80|112)|x0
*(?
:50|70))(?
:;|(?
![0-9])))
(?
:t
|&\#
(?
:0*(?
:84|116)|x0
*(?
:54|74))(?
:;|(?
![0-9])))
## Modify relative urls to absolute using BASE
## Every quoted $UAttr attribute value is passed through addbase together
## with $base; the quotes and attribute name are re-emitted unchanged.
## Only quoted values match this pattern.
$$data =~ s
/($UAttr\s*=\s*['"])([^'"]+)(['"])/
join("", $1, &addbase
($base,$2), $3)/geoix
;
## Check for frames: Do not support, so just show source
## The whole body is passed to mhonarc::htmlize and wrapped in <pre>, and
## the filter returns immediately.
## NOTE(review): presumably htmlize escapes the markup so it is shown as
## text rather than rendered -- confirm.
if ($$data =~ m/<frameset\b/i) {
$$data = join('', '<pre>', mhonarc
::htmlize
($$data), '</pre>');
return ($title.$$data, @files);
## Check for body attributes
## The first <body> tag is removed and its attribute text is parsed into
## %attr.
## NOTE(review): the assignment that feeds $a and the conditions guarding
## the individual appends below are not visible in this listing.
if ($$data =~ s
|<body
\b([^>]*)>||i
) {
my %attr = mhonarc
::parse_vardef_str
($a, 1);
## Use a table with a single cell to encapsulate data to
## set visual properties. We use a mixture of old attributes
## and CSS to set properties since browsers may not support
## all of the CSS settings via the STYLE attribute.
## NOTE(review): the %attr values come from the message's own <body> tag
## and are interpolated into attribute values and CSS text with no
## escaping visible here.  Verify what parse_vardef_str guarantees, and
## prefer validating colour values against an allowlist (colour name or
## #hex) and HTML-escaping everything else before it is emitted.
my $tpre = '<table width="100%"><tr><td ';
$tpre .= qq|background
="$attr{'background'}" |
$tpre .= qq|bgcolor
="$attr{'bgcolor'}" |
$tpre .= qq|background-color: $attr{'bgcolor'}; |
## The background URL goes through resolve_cid (subject to $onlycid) and
## is only used when the result is true.
if ($attr{'background'}) {
if ($attr{'background'} =
&resolve_cid($onlycid, $attr{'background'})) {
$tpre .= qq|background-image: url($attr{'background'}) |;
$tpre .= qq|color: $attr{'text'}; |
$tpre .= qq|a:link { color: $attr{'link'} } |
$tpre .= qq|a:active { color: $attr{'alink'} } |
$tpre .= qq|a:visited { color: $attr{'vlink'} } |
$tpre .= qq|<font color="$attr{'text
'}">|;
$tsuf .= '</td></tr
></table
>';
## Wrap the body in the generated table, then delete any remaining body
## tags.
$$data = $tpre . $$data . $tsuf;
1 while ($$data =~ s|</?body[^>]*>||ig);
## Check for CID URLs (multipart/related HTML)
## Every $UAttr attribute value is replaced by the result of
## resolve_cid($onlycid, value).  The first substitution handles quoted
## values and keeps the original quotes.
$$data =~ s/($UAttr\s*=\s*['"])([^'"]+)(['"])/
join("", $1, &resolve_cid($onlycid, $2), $3)/geoix;
## The second substitution handles unquoted values and re-emits them
## inside double quotes.
## NOTE(review): the value returned by resolve_cid is inserted without
## escaping here; confirm it cannot contain a double quote.
$$data =~ s/($UAttr\s*=\s*)([^'">][^\s>]+)/
join("", $1, '"', &resolve_cid($onlycid, $2), '"')/geoix;
##---------------------------------------------------------------------------
## NOTE(review): the sub header, argument unpacking and several branches
## are not visible in this listing; $b appears to be the base URL and $u
## the URL to resolve (see the addbase($base, ...) call) -- confirm.
## Without a usable base the URL is returned unchanged.
return $u if !defined($b) || $b !~ /\S/;
## $Url matches any "scheme:" prefix, so every URL that carries a scheme
## is treated as absolute and left alone.  No scheme filtering happens
## here.
if ($u =~ m%^$Url%o || $u =~ m/^#/) {
## Absolute URL or scroll link; do nothing
## "./---" or "../---": Need to remove and adjust base
## Each leading "./" or "../" is stripped from $u; only "../" increments
## $cnt, and that many trailing elements are then removed from @a.
while ( $cnt <= scalar(@a) &&
$u =~ s|^(\.{1,2})/|| ) { ++$cnt if length($1) == 2; }
splice(@a, -$cnt) if $cnt > 0;
## "/---": Just use hostname:port of base.
$b =~ s%^(${Url}[^/]*)/.*%$1%o;
##---------------------------------------------------------------------------
## NOTE(review): the sub header, argument unpacking and several
## statements are not visible in this listing, including how the
## $onlycid argument is applied.
## Look the reference up in %readmail::Cid, first by the cid and then by
## $basename.
my $href = $readmail::Cid{$cid};
if (!defined($href = $readmail::Cid{$basename})) {
## Unknown part: a cid: URL resolves to the empty string, anything else
## is returned unchanged.
return ($cid =~ /^cid:/i)? "": $cid;
# Part already converted; multiple references to part
require 'mhmimetypes.pl';
$href->{'fields'}{'content-transfer-encoding'}[0]);
## Decode the part body when a decoder function is defined, then write it
## out as an attachment.
## NOTE(review): the content-type passed to write_attachment is supplied
## by the message; confirm that write_attachment derives the file name
## and extension safely rather than trusting that header.
if (defined($decodefunc) && defined(&$decodefunc)) {
my $data = &$decodefunc(${$href->{'body'}});
$filename = mhonarc::write_attachment(
$href->{'fields'}{'content-type'}[0], \$data);
$filename = mhonarc::write_attachment(
$href->{'fields'}{'content-type'}[0],
## Record the result on the part and add the file to the caller's list.
$href->{'filtered'} = 1; # mark part filtered for readmail.pl
$href->{'uri'} = $filename;
push(@files, $filename); # @files defined in filter!!
##---------------------------------------------------------------------------