Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)

pull/19/head
Aleksander Machniak 12 years ago
parent 5ef8e4ad9d
commit c086978f6a

@ -1,7 +1,8 @@
CHANGELOG Roundcube Webmail
===========================
- Fix XSS issue with href="javascript:" not being removed (#1488613)
- Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
- Fix XSS issue where href="javascript:" wasn't secured (#1488613)
- Fix impossible to create message with empty plain text part (#1488610)
- Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
- Fix inactive Save search option after advanced search (#1488607)

@ -3298,8 +3298,7 @@ function rcube_webmail()
input_message = $("[name='_message']"),
message = input_message.val(),
is_html = ($("input[name='_is_html']").val() == '1'),
sig = this.env.identity,
sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
sig = this.env.identity;
// enable manual signature insert
if (this.env.signatures && this.env.signatures[id]) {
@ -3312,25 +3311,18 @@ function rcube_webmail()
if (!is_html) {
// remove the 'old' signature
if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
sig = this.env.signatures[sig].text;
sig = sig.replace(/\r\n/g, '\n');
if (!sig.match(/^--[ -]\n/m))
sig = sig_separator + '\n' + sig;
p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
if (p >= 0)
message = message.substring(0, p) + message.substring(p+sig.length, message.length);
}
// add the new signature string
if (show_sig && this.env.signatures && this.env.signatures[id]) {
sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
sig = this.env.signatures[id].text;
sig = sig.replace(/\r\n/g, '\n');
if (!sig.match(/^--[ -]\n/m))
sig = sig_separator + '\n' + sig;
if (this.env.sig_above) {
if (p >= 0) { // in place of removed signature
message = message.substring(0, p) + sig + message.substring(p, message.length);
@ -3394,21 +3386,8 @@ function rcube_webmail()
}
}
if (this.env.signatures[id]) {
if (this.env.signatures[id].is_html) {
sig = this.env.signatures[id].text;
if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
sig = sig_separator + '<br />' + sig;
}
else {
sig = this.env.signatures[id].text;
if (!sig.match(/^--[ -]\r?\n/m))
sig = sig_separator + '\n' + sig;
sig = '<pre>' + sig + '</pre>';
}
sigElem.innerHTML = sig;
}
if (this.env.signatures[id])
sigElem.innerHTML = this.env.signatures[id].html;
}
this.env.identity = id;

@ -529,7 +529,7 @@ function rcmail_compose_headers($attrib)
function rcmail_compose_header_from($attrib)
{
global $MESSAGE, $OUTPUT;
global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
// pass the following attributes to the form class
$field_attrib = array('name' => '_from');
@ -540,6 +540,8 @@ function rcmail_compose_header_from($attrib)
if (count($MESSAGE->identities))
{
$a_signatures = array();
$separator = $RCMAIL->config->get('sig_above')
&& ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
$field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
$select_from = new html_select($field_attrib);
@ -553,13 +555,27 @@ function rcmail_compose_header_from($attrib)
// add signature to array
if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
{
$a_signatures[$identity_id]['text'] = $sql_arr['signature'];
$a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
if ($a_signatures[$identity_id]['is_html'])
{
$h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
$a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
$text = $html = $sql_arr['signature'];
if ($sql_arr['html_signature']) {
$h2t = new html2text($sql_arr['signature'], false, false);
$text = trim($h2t->get_text());
}
else {
$html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
}
if (!preg_match('/^--[ -]\r?\n/m', $text)) {
$text = $separator . "\n" . $text;
$html = $separator . "<br>" . $html;
}
if (!$sql_arr['html_signature']) {
$html = "<pre>" . $html . "</pre>";
}
$a_signatures[$identity_id]['text'] = $text;
$a_signatures[$identity_id]['html'] = $html;
}
}

Loading…
Cancel
Save