Handle remote stylesheets the same as remote images, ask the user to allow them (#5994)

Fixes the issue where remote stylesheet could have been blocked
if the message contained no remote images and user have no way to
allow that content.

1 files changed, 27 insertions, 0 deletions

diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index cddbf4bb6..7a6017644 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -359,6 +359,33 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase
         $this->assertNotContains('TRACKING', $washed, "Src attribute of <video> tag (#5583)");
     }
 
+    /**
+     * Test external links
+     */
+    function test_extlinks()
+    {
+        $html = array(
+            array("<link href=\"http://TRACKING_URL/\">", true),
+            array("<link href=\"src:abc\">", false),
+            array("<img src=\"http://TRACKING_URL/\">", true),
+            array("<img src=\"data:image\">", false),
+        );
+
+        foreach ($html as $item) {
+            $washer = new rcube_washtml;
+            $washed = $washer->wash($item[0]);
+
+            $this->assertSame($item[1], $washer->extlinks);
+        }
+
+        foreach ($html as $item) {
+            $washer = new rcube_washtml(array('allow_remote' => true));
+            $washed = $washer->wash($item[0]);
+
+            $this->assertFalse($washer->extlinks);
+        }
+    }
+
     function test_textarea_content_escaping()
     {
         $html = '<textarea><p style="x:</textarea><img src=x onerror=alert(1)>">';