Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

11 years ago · 93b0a30c1c
parent 9f324e3a1b
commit 93b0a30c1c
2 changed files with 8 additions and 3 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Fix XSS vulnerability when editing a message "as new" or draft (#1489251)
 - Fix downloading binary files with (wrong) text/* content-type (#1489267)
 - Fix rewrite rule in .htaccess (#1489240)
 - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252)
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@ -1000,10 +1000,14 @@ function rcmail_create_draft_body($body, $bodyIsHtml)
      && count($MESSAGE->mime_parts) > 0)
  {
    $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml);
+  }
+
+  // clean up html tags - XSS prevention (#1489251)
+  $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);

-    // replace cid with href in inline images links
-    if ($cid_map)
-      $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+  // replace cid with href in inline images links
+  if ($cid_map) {
+    $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
  }

  return $body;