Fix XSS vulnerability in handling of text/enriched messages (#1488806)

12 years ago · e13ad37d89
parent 76cee1c4e1
commit e13ad37d89
2 changed files with 4 additions and 1 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Fix XSS vulnerability in handling of text/enriched messages (#1488806)
 - Fix handling of 'media' attribute on linked css (#1488789)
 - Fix regression where unintentional page reload was done after request abort (#1488802)
 - Fix excessive LFs at the end of composed message with top_posting=true (#1488797)
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -740,7 +740,9 @@ function rcmail_print_body($part, $p = array())
  else if ($data['type'] == 'enriched') {
    $part->ctype_secondary = 'html';
    require_once(INSTALL_PATH . 'program/lib/enriched.inc');
-    $body = Q(enriched_to_html($data['body']), 'show');
+    $body = enriched_to_html($data['body']);
+    $body = rcmail_wash_html($body, $data, $part->replaces);
+    $part->ctype_secondary = 'html';
  }
  else {
    // assert plaintext