Fix for bug #2721

NEWS

@@ -20,6 +20,7 @@ Bug fixes
  - fixed wrong generation of weekly repetitive events with ActiveSync (#2654)
  - fixed incorrect XML data conversion with ActiveSync (#2695)
  - fixed display of events having a category with HTML entities (#2703)
+ - fixed display of images in CSS background (#2437)
 
 2.2.3 (2014-04-03)
 ------------------

UI/MailPartViewers/UIxMailPartHTMLViewer.m

@@ -559,6 +559,13 @@ static NSData* _sanitizeContent(NSData *theData)
                                    && ![value hasPrefix: @"mailto:"]
                                    && ![value hasPrefix: @"#"]);
                 }
+              // Avoid: <div style="background:url('http://www.sogo.nu/fileadmin/sogo/logos/sogo.bts.png' ); width: 200px; height: 200px;" title="ssss">
+              else if ([name isEqualToString: @"style"])
+                {
+                  value = [_attributes valueAtIndex: count];
+                  if ([value rangeOfString: @"url" options: NSCaseInsensitiveSearch].location != NSNotFound)
+                    name = [NSString stringWithFormat: @"unsafe-%@", name];
+                }
 	      else if (
 		       // Mouse Events
 		       [name isEqualToString: @"onclick"] ||
@@ -594,12 +601,13 @@ static NSData* _sanitizeContent(NSData *theData)
 		}
               else
                 value = [_attributes valueAtIndex: count];
+              
               if (!skipAttribute)
                 [resultPart appendFormat: @" %@=\"%@\"",
                             name, [value stringByReplacingString: @"\""
                                                       withString: @"\\\""]];
             }
-
+          
           if ([VoidTags containsObject: lowerName])
             [resultPart appendString: @"/"];
           [resultPart appendString: @">"];
@@ -686,16 +694,16 @@ static NSData* _sanitizeContent(NSData *theData)
         [self _appendStyle: _chars length: _len];
       else if (inBody)
         {
-	  NSString *tmpString;
+	  NSString *s;
   
-          tmpString = [NSString stringWithCharacters: _chars length: _len];
+          s = [NSString stringWithCharacters: _chars length: _len];
 
 	  // HACK: This is to avoid appending the useless junk in the <html> tag
 	  //       that Outlook adds. It seems to confuse the XML parser for
 	  //       forwarded messages as we get this in the _body_ of the email
 	  //       while we really aren't in it!
-	  if (![tmpString hasPrefix: @" xmlns:v=\"urn:schemas-microsoft-com:vml\""])
+	  if (![s hasPrefix: @" xmlns:v=\"urn:schemas-microsoft-com:vml\""])
-	    [result appendString: [tmpString stringByEscapingHTMLString]];
+	    [result appendString: [s stringByEscapingHTMLString]];
         }
     }
 }

UI/WebServerResources/MailerUI.js

@@ -1260,7 +1260,7 @@ function configureLoadImagesButton() {
         return;
     }
     var content = $("messageContent");
-    var unsafeElements = content.select('[unsafe-src], [unsafe-data], [unsafe-classid], [unsafe-background]');
+    var unsafeElements = content.select('[unsafe-src], [unsafe-data], [unsafe-classid], [unsafe-background], [unsafe-style]');
     if (unsafeElements.length == 0) {
         loadImagesButton.setStyle({ display: 'none' });
     }
@@ -1560,7 +1560,7 @@ function loadRemoteImages() {
     var content = $("messageContent");
     if (content.hiddenElements) {
         $(content.hiddenElements).each(function(element) {
-            ['src', 'data', 'classid', 'background'].each(function(attr) {
+            ['src', 'data', 'classid', 'background', 'style'].each(function(attr) {
                 var unsafeAttr = element.readAttribute('unsafe-' + attr);
                 if (unsafeAttr) {
                     log ('unsafe ' +  attr + ': ' + unsafeAttr);