Index: /trunk/roundcubemail/CHANGELOG
===================================================================
--- /trunk/roundcubemail/CHANGELOG	(revision 5036)
+++ /trunk/roundcubemail/CHANGELOG	(revision 5037)
@@ -2,4 +2,5 @@
 ===========================
 
+- Fix XSS vulnerability in UI messages (#1488030)
 - Fix handling of email addresses with quoted local part (#1487939)
 - Fix EOL character in vCard exports (#1487873)
Index: /trunk/roundcubemail/program/include/rcube_json_output.php
===================================================================
--- /trunk/roundcubemail/program/include/rcube_json_output.php	(revision 5036)
+++ /trunk/roundcubemail/program/include/rcube_json_output.php	(revision 5037)
@@ -175,6 +175,13 @@
     {
         if ($override || !$this->message) {
+            if (rcube_label_exists($message)) {
+                if (!empty($vars))
+                    $vars = array_map('Q', $vars);
+                $msgtext = rcube_label(array('name' => $message, 'vars' => $vars));
+            }
+            else
+                $msgtext = $message;
+
             $this->message = $message;
-            $msgtext = rcube_label_exists($message) ? rcube_label(array('name' => $message, 'vars' => $vars)) : $message;
             $this->command('display_message', $msgtext, $type, $timeout * 1000);
         }
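Review bot: The else branch still hands `$message` to `display_message` unescaped when it is not a registered label, so the escaping added in the `rcube_label_exists` branch only covers the placeholder values, not free-form message text. Whether that matters depends on how the client-side `display_message` handler inserts the string (not visible here); if it is injected as HTML, any caller passing non-label text would keep the original exposure, and I would either escape it too, `$msgtext = Q($message);`, or document at the method head that `$message` must be a label name or already HTML-escaped text. Note also that `array_map('Q', $vars)` escapes only one level, so a nested array in `$vars` would reach `Q` unescaped — presumably `$vars` is flat, but worth confirming against callers. The same pattern appears in the rcube_template.php hunk below and should be handled identically there; the enclosing method starts and ends outside this hunk.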
Index: /trunk/roundcubemail/program/include/rcube_template.php
===================================================================
--- /trunk/roundcubemail/program/include/rcube_template.php	(revision 5036)
+++ /trunk/roundcubemail/program/include/rcube_template.php	(revision 5037)
@@ -249,6 +249,13 @@
     {
         if ($override || !$this->message) {
+            if (rcube_label_exists($message)) {
+                if (!empty($vars))
+                    $vars = array_map('Q', $vars);
+                $msgtext = rcube_label(array('name' => $message, 'vars' => $vars));
+            }
+            else
+                $msgtext = $message;
+
             $this->message = $message;
-            $msgtext = rcube_label_exists($message) ? rcube_label(array('name' => $message, 'vars' => $vars)) : $message;
             $this->command('display_message', $msgtext, $type, $timeout * 1000);
         }
