View HTML attach do not render anything

View HTML attach do not render anything Fri, 10 Apr 2026 07:55:28 +0000 https://bugs.horde.org/ticket/8581 View HTML attach do not render anything The "view.php?actionID=view_attach" link is not render anyth The "view.php?actionID=view_attach" link is not render anything when the attach is a HTML file. The problem might be on the regex that remove "attribute="javascript:foo()". When this is preg is commented all work fine. Wed, 16 Sep 2009 16:41:32 +0000 https://bugs.horde.org/ticket/8581#t55794 I don't see this. And I don't know what regex you are refer I don't see this. And I don't know what regex you are referring to. Wed, 16 Sep 2009 16:51:12 +0000 https://bugs.horde.org/ticket/8581#t55798 > I don't see this. And I don't know what regex you are ref > I don't see this. And I don't know what regex you are referring to. Sorry about that. Here it is:Horde/Text/Filter/Xss.php line:95 Wed, 16 Sep 2009 17:28:17 +0000 https://bugs.horde.org/ticket/8581#t55799 The regex in case is a complex version of this one: '/(=|url The regex in case is a complex version of this one: '/(=|url\()("?)[^>]*script:/' With this simplified version I tried 3 different tests and the results are quite inconsistent. 1- onclick='javascript:console.log("test");' - Works fine. 2- style="background: url('javascript:test()');" - Works fine. 3- Test 1 and 2 on the same element - Does not work. NOTE: this bug occurs on previous versions of IMP too. Tue, 22 Sep 2009 14:10:20 +0000 https://bugs.horde.org/ticket/8581#t55883 Please provide a reproducible test case, such as something t Please provide a reproducible test case, such as something that can easily be dropped into the tests/ directory of the Horde_Text_Filter package. I don't understand what your example is supposed to show. The preg in the previous comment is nowhere near the same as the preg contained in Xss.php. Wed, 23 Sep 2009 03:31:03 +0000 https://bugs.horde.org/ticket/8581#t55890 > Please provide a reproducible test case, such as something > Please provide a reproducible test case, such as something that can > easily be dropped into the tests/ directory of the Horde_Text_Filter > package. Here it is. Wed, 23 Sep 2009 09:51:33 +0000 https://bugs.horde.org/ticket/8581#t55899 The reason is that we match [^>] to find the end of the bad The reason is that we match [^>] to find the end of the bad string, because this is the only safe match (end of tag). We can't match [^'"] because the offending attribute might not be closed with a quote. Fri, 25 Sep 2009 16:24:31 +0000 https://bugs.horde.org/ticket/8581#t55959