Changeset 93b0a30 in github


Timestamp:
08/01/13 08:49:55 (16 months ago)
Author:
Aleksander Machniak <alec@…>
Children:
f7ffdc90
Parents:
9f324e3
Message:

Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

Files:
2 edited

  • CHANGELOG

    rae85336 r93b0a30  
    22=========================== 
    33 
     4- Fix XSS vulnerability when editing a message "as new" or draft (#1489251) 
    45- Fix downloading binary files with (wrong) text/* content-type (#1489267) 
    56- Fix rewrite rule in .htaccess (#1489240) 
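Review bot: the new CHANGELOG line omits the context the commit message gives ("when editing a message 'as new' or draft"); since the neighbouring entries name the affected behaviour, consider carrying that phrase over so readers of the changelog can tell which code path (compose of an existing message) was exposed.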
  • program/steps/mail/compose.inc

    r469ede7 r93b0a30  
    10011001  { 
    10021002    $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); 
    1003  
    1004     // replace cid with href in inline images links 
    1005     if ($cid_map) 
    1006       $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); 
     1003  } 
     1004 
     1005  // clean up html tags - XSS prevention (#1489251) 
     1006  $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); 
     1007 
     1008  // replace cid with href in inline images links 
     1009  if ($cid_map) { 
     1010    $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); 
    10071011  } 
    10081012 
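Review bot: `$cid_map` is assigned inside the braces closed at the new line 1003 but is now consumed outside them by `rcmail_wash_html($body, array('safe' => 1), $cid_map)` on 1006 and by the `if ($cid_map)` on 1009; if that enclosing block is conditional, confirm `$cid_map` is initialised above this hunk (e.g. `$cid_map = array();`) so the washer never receives an undefined variable. The same move makes the washing call unconditional, whereas it previously sat alongside `$bodyIsHtml`-dependent code: if the enclosing block is guarded by `$bodyIsHtml`, state whether plain-text bodies are meant to pass through the HTML washer too, or keep the wash under the same guard. The ordering itself is right: washing runs before the cid-to-href substitution, and `$cid_map` is handed to the washer so the inline-image references survive filtering, which is what keeps attachments working after the fix. Finally, `'safe' => 1` reads as a relaxed filtering mode; a one-line comment on why that level is acceptable for the compose editor would help the next reader of this XSS fix.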