feat(other): add HTML email sanitizer to remove external background images

Author: Baraka24

modules/core/message_functions.php

@@ -45,6 +45,19 @@ function format_msg_html($str, $images=false) {
     }
 }}
 
+/**
+ * Sanitize HTML for email
+ * @subpackage core/functions
+ * @param string $html content to sanitize
+ * @return string
+ */
+if (!hm_exists('sanitize_email_html')) {
+function sanitize_email_html($html) {
+    $html = preg_replace('/<([^>]+)style\s*=\s*["\'][^"\']*background-image\s*:\s*url\((["\']?)https?:\/\/.*?\2\)[^"\']*["\']/i', '<$1', $html);
+
+    return $html;
+}}
+
 /**
  * Convert HTML to plain text
  * @param string $html content to convert

modules/imap/output_modules.php

@@ -126,6 +126,7 @@ protected function output() {
                     }
                 }
 
+                $msgText = sanitize_email_html($msgText);
                 $txt .= format_msg_html($msgText, $allowed);
             }
             elseif (isset($struct['type']) && mb_strtolower($struct['type']) == 'image') {
@@ -1677,7 +1678,7 @@ protected function output() {
                 $ceo_rate_limit = $settings['ceo_rate_limit'];
             }
         }
-        
+
         $res = '<tr class="general_setting"><td><label for="ceo_use_detect_ceo_fraud">'.
             $this->trans('CEO fraud: Use Detect CEO Fraud').
             '</label></td><td><input class="form-check-input" type="checkbox" role="switch" id="ceo_use_detect_ceo_fraud" name="ceo_use_detect_ceo_fraud" '. $ceo_use_detect_ceo_fraud .' ></td></tr>';