# This patch fixes OSA-2018-05: an attacker could send a malicious email to an
# OTRS system. If a logged-in user opens it, the email could cause the browser
# to load external image or CSS resources.
# https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/

diff -Naur otrs2-5.0.16.orig/Kernel/System/HTMLUtils.pm otrs2-5.0.16/Kernel/System/HTMLUtils.pm
--- otrs2-5.0.16.orig/Kernel/System/HTMLUtils.pm	2017-01-17 03:39:35.000000000 +0100
+++ otrs2-5.0.16/Kernel/System/HTMLUtils.pm	2018-10-12 13:36:45.570910547 +0200
@@ -1138,10 +1138,28 @@
                 }egsxim;
             }
 
+            # Remove malicious CSS content
+            $Tag =~ s{
+                (\s)style=("|') (.*?) \2
+            }
+            {
+                my ($Space, $Delimiter, $Content) = ($1, $2, $3);
+
+                if (
+                    ($Param{NoIntSrcLoad} && $Content =~ m{url\(})
+                    || ($Param{NoExtSrcLoad} && $Content =~ m/(http|ftp|https):\//i)) {
+                    $Replaced = 1;
+                    '';
+                }
+                else {
+                    "${Space}style=${Delimiter}${Content}${Delimiter}";
+                }
+            }egsxim;
+
             # remove load tags
             if ($Param{NoIntSrcLoad} || $Param{NoExtSrcLoad}) {
                 $Tag =~ s{
-                    ($TagStart (.+?) (?: \s | /) src=(.+?) (\s.+?|) $TagEnd)
+                    ($TagStart (.+?) (?: \s | /) (?:src|poster)=(.+?) (\s.+?|) $TagEnd)
                 }
                 {
                     my $URL = $3;
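Review bot: The NoExtSrcLoad test on the new `style=` filter (the `m/(http|ftp|https):\//i` line) only recognises an explicit scheme, so a protocol-relative `url(//host/x.png)` or a CSS-escaped scheme such as `url(ht\74p://host/x.png)` keeps the attribute when NoIntSrcLoad is not also set; tightening it to `$Content =~ m{ (?:https?|ftp): | // | \\ }xi` rejects those too, at the cost of dropping the rare legitimate inline style that contains `//` or a backslash. The surrounding pattern also matches only a quoted value written as `style="…"`, so an unquoted `style=background:url(http://host/x.png)` or `style = "…"` with spaces around `=` is left untouched; `(\s)style \s* = \s* ("|') (.*?) \2` plus a separate unquoted-value branch would cover those if such markup can reach this point (the earlier sanitizing steps may already normalise it, which is worth confirming). The new block also runs unconditionally while the src/poster stripping below is guarded by `if ($Param{NoIntSrcLoad} || $Param{NoExtSrcLoad})`; wrapping it in the same guard keeps the two consistent and avoids the regex pass when neither option is set. `$Replaced` is presumably declared earlier in the enclosing sub, which starts before this hunk.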
