From 2f62149da31d4927ef988042645a7e1bea158830 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Wed, 20 Nov 2013 11:11:34 -0600
Subject: [PATCH] html: Reduce dependency on htmlchars

Previously, html-like content would have to be run through Format::htmlchars
before being passed to Format::sanitize, because things that looked like
invalid html content would be removed.
---
 include/class.format.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/class.format.php b/include/class.format.php
index 539bf5f51..522e58f8e 100644
--- a/include/class.format.php
+++ b/include/class.format.php
@@ -206,7 +206,7 @@ class Format {
     function safe_html($html) {
         // Remove HEAD and STYLE sections
         $html = preg_replace(
-            array(':<(head|style).+</\1>:is',   # <head> and <style> sections
+            array(':<(head|style|script).+</\1>:is',   # <head> and <style> sections
                   ':<!\[[^]<]+\]>:',            # <![if !mso]> and friends
                   ':<!DOCTYPE[^>]+>:',          # <!DOCTYPE ... >
             ),
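Review bot: The pattern on the changed line is greedy (`.+` under the `s` modifier), so a document with two `<style>` or `<script>` sections loses everything between the first opening tag and the last closing tag, including legitimate content in between; a lazy quantifier fixes that, and the trailing comment should name the new element too: `array(':<(head|style|script).+?</\1>:is',   # <head>, <style> and <script> sections`. Note also that a `<script` element with no matching closing tag is not matched by this expression at all, so the htmLawed configuration later in the function remains the control that actually governs script content and this regex is only a pre-pass. safe_html continues past the end of the hunk.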
@@ -217,6 +217,7 @@ class Format {
             'balance' => 1, //balance and close unclosed tags.
             'comment' => 1, //Remove html comments (OUTLOOK LOVE THEM)
             'tidy' => -1,
+            'keep_bad' => 1,
             'deny_attribute' => 'id',
             'schemes' => 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; *:file, http, https; src: cid, http, https, data',
             'hook_tag' => function($e, $a=0) { return Format::__html_cleanup($e, $a); },
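Review bot: The added `'keep_bad' => 1` entry is the behavioural core of this commit yet is the only option in the visible config without a comment, while `balance` and `comment` each explain their purpose; suggest `'keep_bad' => 1, // keep (rather than drop) content that only looks like html, so callers need not run htmlchars first`. Whether the retained content is emitted escaped or passed through unchanged by the htmLawed version in use is not visible here, and it decides whether skipping Format::htmlchars before sanitize is actually safe for callers, so that should be confirmed and stated in the comment. The config array and safe_html both extend beyond the hunk.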
-- 
GitLab