From 504e55792175710c0992a3ae3a5a4b62f43f8356 Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Tue, 26 Jan 2010 15:39:19 -0700
Subject: [PATCH] Ticket #8836: Add 'noprefetch' option to XSS filter

---
 framework/Mime/lib/Horde/Mime/Viewer/Html.php | 2 ++
 framework/Text_Filter/lib/Horde/Text/Filter/Xss.php | 20 ++++++++++++++++++++
 framework/Text_Filter/package.xml | 3 ++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/framework/Mime/lib/Horde/Mime/Viewer/Html.php b/framework/Mime/lib/Horde/Mime/Viewer/Html.php
index ac24eb74c..bb6a790bf 100644
--- a/framework/Mime/lib/Horde/Mime/Viewer/Html.php
+++ b/framework/Mime/lib/Horde/Mime/Viewer/Html.php
@@ -141,6 +141,8 @@ class Horde_Mime_Viewer_Html extends Horde_Mime_Viewer_Driver
 ),
 array(
 'body_only' => !empty($options['inline']),
+ // See Ticket #8836
+ 'noprefetch' => (!empty($options['inline']) && $browser->isBrowser('mozilla') && !$browser->usingSSLConnection()),
 'strip_styles' => $strip_styles,
 'strip_style_attributes' => $strip_style_attributes
 )
diff --git a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
index ff7d95780..7e9310864 100644
--- a/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
+++ b/framework/Text_Filter/lib/Horde/Text/Filter/Xss.php
@@ -11,6 +11,9 @@ *
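Review bot: The new `// See Ticket #8836` comment above the `'noprefetch'` entry in the Html.php hunk cites the ticket but not the reasoning behind the three-part condition, so a later reader has to chase the ticket to learn why the option is limited to inline, Mozilla, non-SSL rendering. Suggest replacing it with `// Ticket #8836: turn off DNS prefetching for inline HTML in Mozilla browsers; prefetching resolves every hostname referenced by untrusted message markup, and is presumably already off on SSL pages in those browsers, hence the usingSSLConnection() check.` The expression itself runs well past the usual line limit; breaking it after each `&&`, or assigning it to a local first, would read better. `$browser` is presumably a browser-detection object set up earlier in the method, which starts and ends outside this hunk.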
  * 'body_only' - (boolean) Only scan within the HTML body tags?
  *               DEFAULT: true
+ * 'noprefetch' - (boolean) Disable DNS pre-fetching? See:
+ *                https://developer.mozilla.org/En/Controlling_DNS_prefetching
+ *                DEFAULT: false
  * 'replace' - (string) The string to replace filtered tags with.
  *             DEFAULT: 'XSSCleaned'
  * 'strip_styles' - (boolean) Strip style tags?
@@ -37,6 +40,7 @@ class Horde_Text_Filter_Xss extends Horde_Text_Filter
      */
     protected $_params = array(
         'body_only' => true,
+        'noprefetch' => false,
         'replace' => 'XSSCleaned',
         'strip_styles' => true,
         'strip_style_attributes' => true
@@ -295,6 +299,22 @@ class Horde_Text_Filter_Xss extends Horde_Text_Filter
             $this->_cdatacount = 0;
         }
 
+        if ($this->_params['noprefetch']) {
+            if (preg_match('/]*>/si', $text, $matches, PREG_OFFSET_CAPTURE)) {
+                preg_match('/<\/html>/si', $text, $matches2, PREG_OFFSET_CAPTURE);
+                $end = $matches[0][1] + strlen($matches[0][0]);
+                $text = substr($text, 0, $end) .
+                    '' .
+                    substr($text, $end, $matches2[0][1] - $end) .
+                    '' .
+                    substr($text, $matches2[0][1]);
+            } else {
+                $text = '' .
+                    $text .
+                    '';
+            }
+        }
+
         return $text;
     }
 
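Review bot: The `preg_match('/<\/html>/si', ...)` result on the second added line is never checked, so a message with a head element but no `</html>` leaves `$matches2` unset; `$matches2[0][1]` then evaluates to null, the `substr()` length becomes `-$end`, and the final `substr($text, null)` re-appends the whole text, producing corrupted and duplicated output. Take the closing offset from a checked match and fall back to `strlen($text)` when there is no `</html>`, as below. The head-tag pattern (`/]*>/si`) and the inserted string literals (`''`) appear truncated in this rendering, presumably by markup stripping, so the actual meta tags cannot be reviewed here and the fence keeps them as shown. Since the directive is switched back on by a second tag before `</html>`, it is also worth confirming that the filter strips author-supplied `<meta http-equiv>` tags, otherwise message content could override the directive itself. The enclosing method starts outside this hunk.
```php
        if ($this->_params['noprefetch']) {
            // Take the closing offset only from a successful match; without
            // </html> the re-enabling tag goes at the very end of the text.
            $htmlEnd = preg_match('/<\/html>/si', $text, $matches2, PREG_OFFSET_CAPTURE)
                ? $matches2[0][1]
                : strlen($text);
            if (preg_match('/]*>/si', $text, $matches, PREG_OFFSET_CAPTURE)) {
                $end = $matches[0][1] + strlen($matches[0][0]);
                $text = substr($text, 0, $end) .
                    '' .
                    substr($text, $end, $htmlEnd - $end) .
                    '' .
                    substr($text, $htmlEnd);
            } else {
                // … unchanged: wrap the whole $text in the off/on tags …
            }
        }
```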
diff --git a/framework/Text_Filter/package.xml b/framework/Text_Filter/package.xml
index 47594442b..f656a09f7 100644
--- a/framework/Text_Filter/package.xml
+++ b/framework/Text_Filter/package.xml
@@ -37,7 +37,8 @@ http://pear.php.net/dtd/package-2.0.xsd">
   beta
  
  LGPL
- * Add XSS filtering for data URLs in A HREF parameters (Bug #8715).
+ * Add 'noprefetch' parameter to XSS filter (Ticket #8836).
+ * Add XSS filtering for data URLs in A HREF parameters (Bug #8715).
  * Add support for Google Closure Compiler in javascript minfiy filter.
  * Fix dimming signatures when mixed with quoted text (Bug #4299).
  * Added javscript minify filter.
-- 
2.11.0