Fix XSS issue in drag-n-drop file uploads (#1490530)

pull/297/head
Aleksander Machniak 9 years ago
parent d3823fe0a0
commit dd7db21797

@ -63,6 +63,7 @@ CHANGELOG Roundcube Webmail
- Fix various issues with Turkish (and similar) locales (#1490519)
- Fix so In-Reply-To header is set also for MDN receipts (#1490523)
- Fix missing HTTP_X_FORWARDED_FOR address in generated Received header
- Fix XSS issue in drag-n-drop file uploads (#1490530)
RELEASE 1.1.2
-------------

@ -7916,7 +7916,8 @@ function rcube_webmail()
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
// jQuery way to escape filename (#1490530)
content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
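Review bot: The new `content` assignment takes `.html()` of the temporary element, which returns only the escaped inner text, so the `<span>` wrapper that the old string carried is no longer part of the value passed as `html:content`. If the attachment list markup or its styles expect that wrapper (not visible in this hunk), keep it by wrapping the escaped value: `content = '<span>' + $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html() + '</span>';`. The escaping is also applied only at this call site, while `add2attachment_list` still takes a raw `html` field. Any other caller that builds that field from a file name presumably needs the same treatment, and a comment on the function stating that `html` must already be escaped would make the contract explicit. `submit_data` continues past the end of the hunk.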
