Added more XSS protection (Bug #1308236) and some visual enhancements

19 years ago · 6a35c82a3c
parent fd660ac0e2
commit 6a35c82a3c
6 changed files with 76 additions and 48 deletions
--- a/program/js/app.js
+++ b/program/js/app.js
@ -2046,18 +2046,17 @@ function rcube_webmail()
    if (this.gui_objects.mailboxlist)
      {
      var item, reg, text_obj;
+      var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, '');
      var s_mbox = String(mbox).toLowerCase().replace(this.mbox_expression, '');
      var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, '');
-      var nodes = this.gui_objects.mailboxlist.getElementsByTagName('LI');
      
-      for (var n=0; n<nodes.length; n++)
-        {
-        item = nodes[n];
-        if (item.className && item.className.indexOf('mailbox '+s_mbox+' ')>=0)
-          this.set_classname(item, 'selected', true);
-        else if (item.className && item.className.indexOf('mailbox '+s_current)>=0)
-          this.set_classname(item, 'selected', false);          
-        }
+      var current_li = document.getElementById('rcmbx'+s_current);
+      var mbox_li = document.getElementById('rcmbx'+s_mbox);
+      
+      if (current_li)
+        this.set_classname(current_li, 'selected', false);
+      if (mbox_li)
+        this.set_classname(mbox_li, 'selected', true);
      }
    
    this.env.mailbox = mbox;
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -41,6 +41,13 @@ if (strlen($_GET['_page']))
  }


+// set default sort col/order to session
+if (!isset($_SESSION['sort_col']))
+  $_SESSION['sort_col'] = $CONFIG['message_sort_col'];
+if (!isset($_SESSION['sort_order']))
+  $_SESSION['sort_order'] = $CONFIG['message_sort_order'];
+  
+
 // define url for getting message parts
 if (strlen($_GET['_uid']))
  $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']);
@ -147,7 +154,7 @@ function rcmail_build_folder_tree(&$arrFolders, $folder, $delm='/', $path='')
 // return html for a structured list <ul> for the mailbox tree
 function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlength, $nestLevel=0)
  {
-  global $JS_OBJECT_NAME, $IMAP;
+  global $JS_OBJECT_NAME, $IMAP, $CONFIG;

  $idx = 0;
  $out = '';
@ -170,9 +177,23 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlen
    // add unread message count display
    if ($unread_count = $IMAP->messagecount($folder['id'], 'UNSEEN', ($folder['id']==$mbox)))
      $foldername .= sprintf(' (%d)', $unread_count);
-
-    $out .= sprintf('<li class="mailbox %s %s%s%s"><a href="#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>'."\n",
-                    preg_replace('/[^a-z0-9\-_]/', '', $folder_lc),
+      
+    // make folder name safe for ids and class names
+    $folder_css = $class_name = preg_replace('/[^a-z0-9\-_]/', '', $folder_lc);
+
+    // set special class for Sent, Drafts, Trash and Junk
+    if ($folder['id']==$CONFIG['sent_mbox'])
+      $class_name = 'sent';
+    else if ($folder['id']==$CONFIG['drafts_mbox'])
+      $class_name = 'drafts';
+    else if ($folder['id']==$CONFIG['trash_mbox'])
+      $class_name = 'trash';
+    else if ($folder['id']==$CONFIG['junk_mbox'])
+      $class_name = 'junk';
+
+    $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="./#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>',
+                    $folder_css,
+                    $class_name,
                    $zebra_class,
                    $unread_count ? ' unread' : '',
                    $folder['id']==$mbox ? ' selected' : '',
@ -184,7 +205,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlen
                    rep_specialchars_output($foldername, 'html', 'all'));

    if (!empty($folder['folders']))
-      $out .= '<ul>' . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n";
+      $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n";

    $out .= "</li>\n";
    $idx++;
@ -239,8 +260,8 @@ function rcmail_message_list($attrib)
  $image_tag = '<img src="%s%s" alt="%s" border="0" />';

  // check to see if we have some settings for sorting
-  $sort_col   = isset($_SESSION['sort_col'])   ? $_SESSION['sort_col']   : $CONFIG['message_sort_col'];
-  $sort_order = isset($_SESSION['sort_order']) ? $_SESSION['sort_order'] : $CONFIG['message_sort_order'];
+  $sort_col   = $_SESSION['sort_col'];
+  $sort_order = $_SESSION['sort_order'];

  // get message headers
  $a_headers = $IMAP->list_headers('', '', $sort_col, $sort_order);
@ -982,13 +1003,18 @@ function rcmail_mod_html_body($body, $container_id)


  // remove SCRIPT tags
-  while (($pos = strpos($body_lc, '<script')) && ($pos2 = strpos($body_lc, '</script>', $pos)))
+  foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
    {
-    $pos2 += 8;
-    $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
-    $body_lc = strtolower($body);
+    while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)))
+      {
+      $pos2 += 8;
+      $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
+      $body_lc = strtolower($body);
+      }
    }
-  
+
+  // replace event handlers on any object
+  $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);  

  // resolve <base href>
  $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i';
@ -1000,7 +1026,6 @@ function rcmail_mod_html_body($body, $container_id)
    $body = preg_replace($base_reg, '', $body);
    }

-
  // add comments arround html and other tags
  $out = preg_replace(array('/(<\/?html[^>]*>)/i',
                            '/(<\/?head[^>]*>)/i',
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@ -65,10 +65,11 @@ function rcmail_get_identity($id)
 /****** check submission and compose message ********/


-$mailto_regexp = '/,\s*$/';
+$mailto_regexp = array('/,\s*[\r\n]+/', '/[\r\n]+/', '/,\s*$/m');
+$mailto_replace = array(' ', ', ', '');

-// trip ending ', ' from 
-$mailto = preg_replace($mailto_regexp, '', $_POST['_to']);
+// repalce new lines and strip ending ', '
+$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to']));

 // decode address strings
 $to_address_arr = $IMAP->decode_address_list($mailto);
@ -90,10 +91,10 @@ $headers = array('Date' => date('D, j M Y G:i:s O'),

 // additional recipients
 if ($_POST['_cc'])
-  $headers['Cc'] = preg_replace($mailto_regexp, '', $_POST['_cc']);
+  $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc']));

 if ($_POST['_bcc'])
-  $headers['Bcc'] = preg_replace($mailto_regexp, '', $_POST['_bcc']);
+  $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc']));
  
 if (strlen($identity_arr['bcc']))
  $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];
--- a/skins/default/mail.css
+++ b/skins/default/mail.css
@ -75,7 +75,7 @@
  position: absolute;
  top: 60px;
  right: 40px;
-  width: 250px;
+  width: 200px;
  height: 20px;
  text-align: right;
 }
@ -412,9 +412,14 @@ body.messagelist
  top: 85px;
  left: 200px;
  right: 40px;
+  bottom: 40px;
+  border: 1px solid #cccccc;
+  background-color: #FFFFFF;
+  overflow: auto;
  /* css hack for IE */
-  margin-bottom: 10px;
-  width: expression(document.body.clientWidth-240);
+  /* margin-bottom: 10px; */
+  width: expression((parseInt(document.documentElement.clientWidth)-240)+'px');
+  height: expression((parseInt(document.documentElement.clientHeight)-125)+'px');
 }

 table.headers-table
@ -433,10 +438,11 @@ table.headers-table tr td

 table.headers-table td.header-title
 {
-  width: 70px;  
+  width: 80px;
  color: #666666;
  font-weight: bold;
  text-align: right;
+  white-space: nowrap;
  padding-right: 4px;
 }

@ -481,18 +487,15 @@ table.headers-table tr td.subject
 #messagebody
 {
  min-height: 300px;
-  margin-top: 10px;
-  margin-bottom: 10px;
+  padding-top: 10px;
+  padding-bottom: 10px;
  background-color: #FFFFFF;
-  border: 1px solid #cccccc;
-  border-top: none;
 }

 div.message-part
 {
  padding: 8px;
  padding-top: 10px;
-  border-top: 1px solid #cccccc;
  overflow: hidden;
 }

@ -513,8 +516,8 @@ div.message-part pre
  display: none;
  height: 20px;
  min-height: 20px;
+  margin: 8px 8px 0px 8px;
  padding: 10px 10px 6px 46px;  
-  margin-top: 8px;
 }

 #remote-objects-message a
@ -544,12 +547,12 @@ div.message-part pre
  top: 90px;
  left: 200px;
  right: 40px;
-  bottom: 20px;
+  bottom: 40px;
  padding: 0px;
  margin: 0px;
  /* css hack for IE */
  width: expression(document.documentElement.clientWidth-240);
-  /* height: expression((parseInt(document.documentElement.clientHeight)-130)+'px'); */
+  height: expression((parseInt(document.documentElement.clientHeight)-130)+'px');
 }

 /*
@ -635,10 +638,10 @@ div.message-part pre
 #compose-body
 {
  margin-top: 10px;
-  width: 100% !important;
+  width: 99% !important;
  width: 95%;
  height: 95%;
-  min-height: 400px;
+  min-height: 300px;
  font-size: 9pt;
  font-family: "Courier New", Courier, monospace;
 }
--- a/skins/default/templates/compose.html
+++ b/skins/default/templates/compose.html
@ -87,7 +87,7 @@ function rcmail_toggle_display(id)

 </tr><tr>

-<td style="width:100%; height:100%;">
+<td style="width:100%; height:100%; vertical-align:top;">
 <roundcube:object name="composeBody" id="compose-body" form="form" cols="80" rows="20" warp="virtual" />
 </td>

--- a/skins/default/templates/message.html
+++ b/skins/default/templates/message.html
@ -10,6 +10,12 @@
 <roundcube:include file="/includes/taskbar.html" />
 <roundcube:include file="/includes/header.html" />

+<div id="messagecountbar">
+<roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" />
+&nbsp;<roundcube:object name="messageCountDisplay" />&nbsp;
+<roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" />
+</div>
+
 <div id="messagetoolbar">
 <roundcube:button command="list" image="/images/buttons/back_act.png" width="32" height="32" title="backtolist" />
 <roundcube:button command="reply" imageAct="/images/buttons/reply_act.png" imagePas="/images/buttons/reply_pas.png" width="32" height="32" title="replytomessage" />
@ -20,12 +26,6 @@
 <roundcube:object name="mailboxlist" type="select" noSelection="moveto" maxlength="25" onchange="rcmail.command('moveto', this.options[this.selectedIndex].value)" class="mboxlist" />
 </div>

-<div id="messagecountbar">
-<roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" />
-&nbsp;<roundcube:object name="messageCountDisplay" />&nbsp;
-<roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" />
-</div>
-
 <div id="mailboxlist-header"><roundcube:label name="mailboxlist" /></div>
 <div id="mailboxlist-container"><roundcube:object name="mailboxlist" id="mailboxlist" maxlength="16" /></div>