Better fix for XSS in style tags (fa2824f)

roundcube · Mar 10, 2017 · cbd3562 · cbd3562
1 parent fa2824f
commit cbd3562
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -499,10 +499,10 @@ public static function file2class($mimetype, $filename)
     public static function xss_entity_decode($content)
     {
         $out = html_entity_decode(html_entity_decode($content));
-        $out = strip_tags($out);
         $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
             array(self, 'xss_entity_decode_callback'), $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+        $out = strip_tags($out);
 
         return $out;
     }