Fix handling encoding of HTML tags in "inline" JSON output (#6207)

pull/5742/merge
Aleksander Machniak 6 years ago
parent 981cd8726d
commit a451ad6599

@ -79,6 +79,7 @@ CHANGELOG Roundcube Webmail
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149) - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style tags (#6178) - Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor - Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
RELEASE 1.3.4 RELEASE 1.3.4
------------- -------------

@ -232,7 +232,7 @@ class rcmail_output_json extends rcmail_output
$response = $hook['response']; $response = $hook['response'];
unset($hook['response']); unset($hook['response']);
echo self::json_serialize($response, $this->devel_mode); echo self::json_serialize($response, $this->devel_mode, false);
} }
/** /**
@ -245,7 +245,7 @@ class rcmail_output_json extends rcmail_output
foreach ($this->commands as $i => $args) { foreach ($this->commands as $i => $args) {
$method = array_shift($args); $method = array_shift($args);
foreach ($args as $i => $arg) { foreach ($args as $i => $arg) {
$args[$i] = self::json_serialize($arg, $this->devel_mode); $args[$i] = self::json_serialize($arg, $this->devel_mode, false);
} }
$out .= sprintf( $out .= sprintf(
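Review bot: The trailing `false` at both json_serialize call sites (the `echo` in the first hunk and the per-argument loop in the second) is a bare positional boolean; nothing at the call explains that it switches off the newly added HTML-escaping mode. Presumably this class emits a standalone JSON body rather than markup, so opting out of JSON_HEX_TAG is justified, but a short comment such as `// not inlined in HTML, so JSON_HEX_TAG escaping is not required here` would record that reasoning and make it clear the flag must be reconsidered if this serialization is ever reused inside a page. Both enclosing methods start and end outside the hunks.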

@ -321,14 +321,22 @@ abstract class rcube_output
* *
* @param mixed $input Input value * @param mixed $input Input value
* @param boolean $pretty Enable JSON formatting * @param boolean $pretty Enable JSON formatting
* @param boolean $inline Enable inline mode (generates output safe for use inside HTML)
* *
* @return string Serialized JSON string * @return string Serialized JSON string
*/ */
public static function json_serialize($input, $pretty = false) public static function json_serialize($input, $pretty = false, $inline = true)
{ {
// The input need to be valid UTF-8 to use with json_encode()
$input = rcube_charset::clean($input); $input = rcube_charset::clean($input);
$options = JSON_UNESCAPED_SLASHES; $options = JSON_UNESCAPED_SLASHES;
// JSON_HEX_TAG is needed for inlining JSON inside of the <script> tag
// if input contains a html tag it will cause issues (#6207)
if ($inline) {
$options |= JSON_HEX_TAG;
}
// JSON_UNESCAPED_UNICODE in PHP < 7.1.0 does not escape U+2028 and U+2029 // JSON_UNESCAPED_UNICODE in PHP < 7.1.0 does not escape U+2028 and U+2029
// which causes issues (#6187) // which causes issues (#6187)
if (PHP_VERSION_ID >= 70100) { if (PHP_VERSION_ID >= 70100) {
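Review bot: The new `@param` description of `$inline` ("generates output safe for use inside HTML") claims more than the code delivers: `JSON_HEX_TAG` only converts `<` and `>` to `\u003C`/`\u003E`, which is what stops a `</script>` sequence in the data from terminating an enclosing `<script>` block, but it does not make the string safe for an HTML attribute or element text, where `&`, `'` and `"` still matter (PHP's `JSON_HEX_AMP`, `JSON_HEX_APOS` and `JSON_HEX_QUOT` cover those). A more precise line would be `@param boolean $inline Enable inline mode (escapes < and > so the output can be embedded inside a <script> block; not sufficient for attribute context)`, and the comment above the flag could likewise say `// JSON_HEX_TAG escapes < and > so inlined JSON cannot close the enclosing <script> tag (#6207)`. Minor: the added comment `// The input need to be valid UTF-8 to use with json_encode()` should read `needs to be`. The method body continues past the end of the hunk.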
