From b782815dacda55eee6793249b5da1789256206fc Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 30 May 2015 17:37:06 +0200
Subject: [PATCH] Fix XSS vulnerability in _mbox argument handling (#1490417)

---
 CHANGELOG                  | 1 +
 program/include/rcmail.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index c85849354..6090318a0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -39,6 +39,7 @@ RELEASE 1.1.2
 - Fix potential info disclosure issue by protecting directory access (#1490378)
 - Fix blank image in html_signature when saving identity changes (#1490412)
 - Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
+- Fix XSS vulnerability in _mbox argument handling (#1490417)
 
 RELEASE 1.1.1
 -------------
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e3e45e235..490e836d0 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1822,7 +1822,7 @@ class rcmail extends rcube
             }
             else {
                 $error = 'servererrormsg';
-                $args  = array('msg' => $err_str);
+                $args  = array('msg' => rcube::Q($err_str));
             }
         }
         else if ($err_code < 0) {