Roundcube 1.2.5 - Comment notations within style tag issues

[stefanogironella]

Hi, I've noticed a strange behaviour after upgrading from RC 1.2.3 to 1.2.5.
HTML e-mails seems to be a little broken when dealing with "comment notations" in style tag.
Removing comments from the style tag, obviously, fix the issue.

This is how a test massage looks in RC 1.2.3:

And this is how same message looks in RC 1.2.5 and 1.2.4 too (note the missing formatting, colors, ...):

To reproduce this, I've used same configuration on both testing environments.

Attached below, the e-mail template used in this example.

email-template.html.zip

Anyone else is facing the same issue or have an idea on how to fix this?

Thanks

[thomascube]

Seems like the recently added strip_tags removes the entire style tag content... not quite what was intended.

[stefanogironella]

Do you refer to ./roundcubemail-1.2.5/program/lib/Roundcube/rcube_utils.php (line 505)?

$out = strip_tags($out);

Doing a quick test, commenting this line out, seems to fix my issue but I'm not aware of related drawbacks (if any).

[alecpl]

This was added to fix a security issue, so we can't just remove the command. We'd rather strip comments the way we do it in https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_washtml.php#L635.

[alecpl]

Actually we have to strip only the comment marks not the content inside. While this is an old technique to put comments inside the <style> tag it's not needed at least since 10 years. Anyway, we could remove those markers if found on the content start and end.

[stefanogironella]

Ok, fixed while reading messages but issue still remains when trying to reply a message containing comments within style tag.
Any help?

[alecpl]

Did it work before 1.2.5?

[stefanogironella]

I really don't know... but i think it should.

note: I've opened a new issue for that, do I have to close it?