From 15fd8f9dc7e3919de5747a7bd3087be101daee5a Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 30 May 2015 17:37:06 +0200
Subject: [PATCH] Fix XSS vulnerability in _mbox argument handling (#1490417)

---
 CHANGELOG | 1 +
 program/include/rcmail.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index a451e7a5d..1f6b5914a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,7 @@ RELEASE 1.1.2
 - Fix potential info disclosure issue by protecting directory access (#1490378)
 - Fix blank image in html_signature when saving identity changes (#1490412)
 - Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
+- Fix XSS vulnerability in _mbox argument handling (#1490417)
 RELEASE 1.1.1
 -------------
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 0e01bda87..0bcedeb4a 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1820,7 +1820,7 @@ class rcmail extends rcube
 }
 else {
 $error = 'servererrormsg';
- $args = array('msg' => $err_str);
+ $args = array('msg' => rcube::Q($err_str));
 }
 }
 else if ($err_code < 0) {
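Review bot: The escaping is added only on this `servererrormsg` branch and nothing on the changed line records why `$err_str` needs it, so a later refactor could drop `rcube::Q()` or miss a sibling branch that places the same string into message arguments. I would add a comment above the assignment such as `// $err_str is server-supplied text that (per the commit title) can carry the _mbox request value; HTML-escape it before it is substituted into the message`. The enclosing function starts and ends outside this hunk, so the other `$error`/`$args` assignments in it should be checked for unescaped server or request text, and the code that finally renders `$args['msg']` should be confirmed not to escape a second time, which would show double-encoded entities to the user. A regression test that passes a `_mbox` value containing markup characters and asserts that only the escaped form appears in the rendered error would keep this from regressing.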