Fix XSS issue in drag-n-drop file uploads (#1490530)

Conflicts:

	CHANGELOG
release-1.0
Aleksander Machniak 9 years ago
parent 175ca6fd65
commit 4ec947715d

@ -12,6 +12,7 @@ CHANGELOG Roundcube Webmail
- Fix support for Mozilla-based browsers, e.g. Pale Moon (#1490517)
- Fix various issues with Turkish (and similar) locales (#1490519)
- Fix so In-Reply-To header is set also for MDN receipts (#1490523)
- Fix XSS issue in drag-n-drop file uploads (#1490530)
RELEASE 1.0.6
-------------

@ -7281,7 +7281,8 @@ function rcube_webmail()
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
// jQuery way to escape filename (#1490530)
content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
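Review bot: The escaped value built on the `content = $('<span>').text(…).html();` line no longer carries the wrapping `<span>`, because `.html()` returns only the inner markup of the temporary element, whereas the assignment above it (apparently the removed line; the +/- markers are lost in this rendering) produced `'<span>' + … + '</span>'`. If the `uploading` list entry or its styling expects that element, keep it with `content = '<span>' + $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html() + '</span>';`. The existing comment could also state the limit of the technique: `// .text().html() escapes &, < and > but not quotes; use this value as element content only, never inside an attribute`. The body of `submit_data` continues outside the hunk, so how `add2attachment_list` inserts `html` is not visible here and should be checked to confirm it places the value in element content.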
