author | thomascube <thomas@roundcube.net> | 2005-11-02 22:43:55 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2005-11-02 22:43:55 +0000 |
commit | 6a35c82a3ca43546198361aefdea94b04ecb5457 (patch) | |
tree | 9a23bce5d1a7dc9fa0bfc1c93cbbe7b145b4fca0 | |
parent | fd660ac0e2af4fc3c2633cfd19bd31fd7a905951 (diff) |
Added more XSS protection (Bug #1308236) and some visual enhancements
-rw-r--r-- | program/js/app.js | 17 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 51 | ||||
-rw-r--r-- | program/steps/mail/sendmail.inc | 11 | ||||
-rw-r--r-- | skins/default/mail.css | 31 | ||||
-rw-r--r-- | skins/default/templates/compose.html | 2 | ||||
-rw-r--r-- | skins/default/templates/message.html | 12 |
6 files changed, 76 insertions, 48 deletions
diff --git a/program/js/app.js b/program/js/app.js
index a61cc1e73..3f86e9f11 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -2046,18 +2046,17 @@ function rcube_webmail()
 if (this.gui_objects.mailboxlist)
 {
 var item, reg, text_obj;
+ var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, '');
 var s_mbox = String(mbox).toLowerCase().replace(this.mbox_expression, '');
 var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, '');
- var nodes = this.gui_objects.mailboxlist.getElementsByTagName('LI');
- for (var n=0; n<nodes.length; n++)
- {
- item = nodes[n];
- if (item.className && item.className.indexOf('mailbox '+s_mbox+' ')>=0)
- this.set_classname(item, 'selected', true);
- else if (item.className && item.className.indexOf('mailbox '+s_current)>=0)
- this.set_classname(item, 'selected', false);
- }
+ var current_li = document.getElementById('rcmbx'+s_current);
+ var mbox_li = document.getElementById('rcmbx'+s_mbox);
+
+ if (current_li)
+ this.set_classname(current_li, 'selected', false);
+ if (mbox_li)
+ this.set_classname(mbox_li, 'selected', true);
 }
 this.env.mailbox = mbox;
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 7a6b6ffd3..04196541b 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -41,6 +41,13 @@ if (strlen($_GET['_page']))
 }
+// set default sort col/order to session
+if (!isset($_SESSION['sort_col']))
+ $_SESSION['sort_col'] = $CONFIG['message_sort_col'];
+if (!isset($_SESSION['sort_order']))
+ $_SESSION['sort_order'] = $CONFIG['message_sort_order'];
+
+
 // define url for getting message parts
 if (strlen($_GET['_uid']))
 $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']);
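Review bot: The added `var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, '');` at the top of the hunk duplicates the identical declaration that remains as context two lines below, so the value is computed twice from the same expression; keep only one of them. Both `getElementById('rcmbx'+...)` lookups also assume that lowercasing plus `mbox_expression` produces exactly the string the server side emits in the id (there it is `preg_replace('/[^a-z0-9\-_]/', '', $folder_lc)`); if the two ever diverge the lookups silently return null and the selected-folder highlight is never updated, which deserves a comment next to the declaration: `// must mirror the id sanitisation in rcmail_render_folder_tree_html()`. The enclosing function starts and ends outside the hunk.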
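Review bot: The new block only fills `$_SESSION['sort_col']` and `$_SESSION['sort_order']` when the keys are absent, and the `rcmail_message_list` hunk later in this commit now passes those session values straight to `$IMAP->list_headers()` without the previous `isset()` fallback. That is safe for the `$CONFIG` defaults written here, but any other step that stores a request parameter under these keys would now feed an unchecked column or order string to the IMAP sort; whether such a write exists is not visible from this diff. A cheap safeguard is to reset a value that is not one of the sort columns and orders the IMAP layer supports back to the `$CONFIG` default at this point, rather than trusting the session blindly.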
@@ -147,7 +154,7 @@ function rcmail_build_folder_tree(&$arrFolders, $folder, $delm='/', $path='')
 // return html for a structured list <ul> for the mailbox tree
 function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlength, $nestLevel=0)
 {
- global $JS_OBJECT_NAME, $IMAP;
+ global $JS_OBJECT_NAME, $IMAP, $CONFIG;
 $idx = 0;
 $out = '';
@@ -170,9 +177,23 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlen
 // add unread message count display
 if ($unread_count = $IMAP->messagecount($folder['id'], 'UNSEEN', ($folder['id']==$mbox)))
 $foldername .= sprintf(' (%d)', $unread_count);
-
- $out .= sprintf('<li class="mailbox %s %s%s%s"><a href="#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>'."\n",
- preg_replace('/[^a-z0-9\-_]/', '', $folder_lc),
+
+ // make folder name safe for ids and class names
+ $folder_css = $class_name = preg_replace('/[^a-z0-9\-_]/', '', $folder_lc);
+
+ // set special class for Sent, Drafts, Trash and Junk
+ if ($folder['id']==$CONFIG['sent_mbox'])
+ $class_name = 'sent';
+ else if ($folder['id']==$CONFIG['drafts_mbox'])
+ $class_name = 'drafts';
+ else if ($folder['id']==$CONFIG['trash_mbox'])
+ $class_name = 'trash';
+ else if ($folder['id']==$CONFIG['junk_mbox'])
+ $class_name = 'junk';
+
+ $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="./#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>',
+ $folder_css,
+ $class_name,
 $zebra_class,
 $unread_count ? ' unread' : '',
 $folder['id']==$mbox ? ' selected' : '',
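Review bot: The new `id="rcmbx%s"` is built from `$folder_css`, which strips every character outside `[a-z0-9\-_]`, so distinct folders such as `Foo Bar`, `foo.bar` and `foobar` all collapse to `rcmbxfoobar`; the page then carries duplicate ids and the `getElementById` lookups added to `app.js` in this commit resolve to whichever element comes first, so the wrong folder is highlighted. A reversible encoding of the raw name (for instance `'rcmbx'.bin2hex($folder['id'])`, mirrored on the JS side) or a server-allocated unique id avoids the collision. Separately, the folder id is interpolated into `href="./#%s"` and into the single-quoted JavaScript arguments of `onclick`/`onmouseup`; those sprintf arguments are outside this hunk, and unless they are escaped for both HTML-attribute and JS-string context a folder name containing `'` or `"` breaks out of the handler, which is worth confirming in an XSS fix. The function body continues past the hunk.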
@@ -184,7 +205,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlen
 rep_specialchars_output($foldername, 'html', 'all'));
 if (!empty($folder['folders']))
- $out .= '<ul>' . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n";
+ $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n";
 $out .= "</li>\n";
 $idx++;
@@ -239,8 +260,8 @@ function rcmail_message_list($attrib)
 $image_tag = '<img src="%s%s" alt="%s" border="0" />';
 // check to see if we have some settings for sorting
- $sort_col = isset($_SESSION['sort_col']) ? $_SESSION['sort_col'] : $CONFIG['message_sort_col'];
- $sort_order = isset($_SESSION['sort_order']) ? $_SESSION['sort_order'] : $CONFIG['message_sort_order'];
+ $sort_col = $_SESSION['sort_col'];
+ $sort_order = $_SESSION['sort_order'];
 // get message headers
 $a_headers = $IMAP->list_headers('', '', $sort_col, $sort_order);
@@ -982,13 +1003,18 @@ function rcmail_mod_html_body($body, $container_id)
 // remove SCRIPT tags
- while (($pos = strpos($body_lc, '<script')) && ($pos2 = strpos($body_lc, '</script>', $pos)))
+ foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
 {
- $pos2 += 8;
- $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
- $body_lc = strtolower($body);
+ while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)))
+ {
+ $pos2 += 8;
+ $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
+ $body_lc = strtolower($body);
+ }
 }
-
+
+ // replace event handlers on any object
+ $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);
 // resolve <base href>
 $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i';
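Review bot: The element stripping still requires a matching closing tag — `while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)))` — so `<embed src=...>`, `<iframe src=...>` or an unterminated `<script>` is left in the body untouched, and because `strpos()` returning `0` is falsy a tag at the very start of the body also survives; the `$pos2 += 8` offset fits `</embed>` only and leaves the trailing `>` of the 9-character closers behind. The event-handler rewrite `'/\s(on[a-z]+)=/im'` demands whitespace before the attribute name and none before `=`, so `<img src="x"onerror=alert(1)>` and `<a href=# onclick =alert(1)>` pass through. The rewrite below addresses those points but is still a denylist: `javascript:` URLs in `href`/`src`, `style` with IE `expression()`, `<meta http-equiv=refresh>` and `<form>` are not covered here, and a tokenising allow-list filter is the durable fix. `rcmail_mod_html_body` continues beyond the hunk.
```php
  // strip dangerous elements: drop the whole element when a closing tag
  // exists, otherwise just the opening tag, so an unterminated
  // <embed>/<iframe>/<script> cannot survive
  foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag)
    {
    while (($pos = strpos($body_lc, '<'.$tag)) !== false)
      {
      $close = '</'.$tag.'>';
      if (($pos2 = strpos($body_lc, $close, $pos)) !== false)
        $pos2 += strlen($close);
      else if (($pos2 = strpos($body_lc, '>', $pos)) !== false)
        $pos2 += 1;
      else
        $pos2 = strlen($body);
      $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2);
      $body_lc = strtolower($body);
      }
    }

  // neutralise event handler attributes: browsers accept "onerror= directly
  // after a quoted value, and whitespace around '=' is legal
  $body = preg_replace('/(^|[\s\/"\'])(on[a-z]+)\s*=/i', '${1}__removed=', $body);

  // … unchanged: <base href> resolution …
```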
@@ -1000,7 +1026,6 @@ function rcmail_mod_html_body($body, $container_id) $body = preg_replace($base_reg, '', $body); } - // add comments arround html and other tags $out = preg_replace(array('/(<\/?html[^>]*>)/i', '/(<\/?head[^>]*>)/i', diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index fbb31b3d8..48a5ccc6f 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -65,10 +65,11 @@ function rcmail_get_identity($id) /****** check submission and compose message ********/ -$mailto_regexp = '/,\s*$/'; +$mailto_regexp = array('/,\s*[\r\n]+/', '/[\r\n]+/', '/,\s*$/m'); +$mailto_replace = array(' ', ', ', ''); -// trip ending ', ' from -$mailto = preg_replace($mailto_regexp, '', $_POST['_to']); +// repalce new lines and strip ending ', ' +$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to'])); // decode address strings $to_address_arr = $IMAP->decode_address_list($mailto); @@ -90,10 +91,10 @@ $headers = array('Date' => date('D, j M Y G:i:s O'), // additional recipients if ($_POST['_cc']) - $headers['Cc'] = preg_replace($mailto_regexp, '', $_POST['_cc']); + $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])); if ($_POST['_bcc']) - $headers['Bcc'] = preg_replace($mailto_regexp, '', $_POST['_bcc']); + $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])); if (strlen($identity_arr['bcc'])) $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc']; diff --git a/skins/default/mail.css b/skins/default/mail.css index 72c1c6c2b..f5863863f 100644 --- a/skins/default/mail.css +++ b/skins/default/mail.css @@ -75,7 +75,7 @@ position: absolute; top: 60px; right: 40px; - width: 250px; + width: 200px; height: 20px; text-align: right; } 
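Review bot: In the `sendmail.inc` hunk the first pattern/replacement pair, `'/,\s*[\r\n]+/'` → `' '`, deletes the comma: `a@x.org,\r\nb@y.org` becomes `a@x.org b@y.org`, and only a bare newline gets the `', '` separator from the second pair, so unless `$IMAP->decode_address_list()` also splits on whitespace (not visible here) two recipients are merged into one malformed address; `', '` looks like the intended replacement for the first pair as well. The unconditional `stripslashes()` additionally assumes `magic_quotes_gpc` is on — with it off, legitimate backslashes in quoted display names are silently removed — so guard it, e.g. `$mailto = preg_replace($mailto_regexp, $mailto_replace, get_magic_quotes_gpc() ? stripslashes($_POST['_to']) : $_POST['_to']);` and likewise for `_cc`/`_bcc` in the following hunk. Folding CR/LF out of these fields before they become headers is what blocks header injection; the `Subject` and any other `$_POST` values that become headers are handled outside this hunk and deserve the same treatment.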
@@ -412,9 +412,14 @@ body.messagelist
 top: 85px;
 left: 200px;
 right: 40px;
+ bottom: 40px;
+ border: 1px solid #cccccc;
+ background-color: #FFFFFF;
+ overflow: auto;
 /* css hack for IE */
- margin-bottom: 10px;
- width: expression(document.body.clientWidth-240);
+ /* margin-bottom: 10px; */
+ width: expression((parseInt(document.documentElement.clientWidth)-240)+'px');
+ height: expression((parseInt(document.documentElement.clientHeight)-125)+'px');
 }
 table.headers-table
@@ -433,10 +438,11 @@ table.headers-table tr td
 table.headers-table td.header-title
 {
- width: 70px;
+ width: 80px;
 color: #666666;
 font-weight: bold;
 text-align: right;
+ white-space: nowrap;
 padding-right: 4px;
 }
@@ -481,18 +487,15 @@ table.headers-table tr td.subject
 #messagebody
 {
 min-height: 300px;
- margin-top: 10px;
- margin-bottom: 10px;
+ padding-top: 10px;
+ padding-bottom: 10px;
 background-color: #FFFFFF;
- border: 1px solid #cccccc;
- border-top: none;
 }
 div.message-part
 {
 padding: 8px;
 padding-top: 10px;
- border-top: 1px solid #cccccc;
 overflow: hidden;
 }
@@ -513,8 +516,8 @@ div.message-part pre
 display: none;
 height: 20px;
 min-height: 20px;
+ margin: 8px 8px 0px 8px;
 padding: 10px 10px 6px 46px;
- margin-top: 8px;
 }
 #remote-objects-message a
@@ -544,12 +547,12 @@ div.message-part pre
 top: 90px;
 left: 200px;
 right: 40px;
- bottom: 20px;
+ bottom: 40px;
 padding: 0px;
 margin: 0px;
 /* css hack for IE */
 width: expression(document.documentElement.clientWidth-240);
- /* height: expression((parseInt(document.documentElement.clientHeight)-130)+'px'); */
+ height: expression((parseInt(document.documentElement.clientHeight)-130)+'px');
 }
 /*
@@ -635,10 +638,10 @@ div.message-part pre
 #compose-body
 {
 margin-top: 10px;
- width: 100% !important;
+ width: 99% !important;
 width: 95%;
 height: 95%;
- min-height: 400px;
+ min-height: 300px;
 font-size: 9pt;
 font-family: "Courier New", Courier, monospace;
 }
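Review bot: The `@@ -412` hunk keeps `/* margin-bottom: 10px; */` as commented-out code beside the live declarations; delete the line instead of leaving dead CSS in the stylesheet. The same hunk writes the IE width hack as `expression((parseInt(document.documentElement.clientWidth)-240)+'px')` while the `@@ -544` hunk of this commit keeps the bare `width: expression(document.documentElement.clientWidth-240);` for the same purpose — use one form in both places so the hack is maintained consistently.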
diff --git a/skins/default/templates/compose.html b/skins/default/templates/compose.html
index 26c9de525..9dda5dad3 100644
--- a/skins/default/templates/compose.html
+++ b/skins/default/templates/compose.html
@@ -87,7 +87,7 @@ function rcmail_toggle_display(id)
 </tr><tr>
-<td style="width:100%; height:100%;">
+<td style="width:100%; height:100%; vertical-align:top;">
 <roundcube:object name="composeBody" id="compose-body" form="form" cols="80" rows="20" warp="virtual" />
 </td>
diff --git a/skins/default/templates/message.html b/skins/default/templates/message.html
index a5c46effa..7d4ff5527 100644
--- a/skins/default/templates/message.html
+++ b/skins/default/templates/message.html
@@ -10,6 +10,12 @@
 <roundcube:include file="/includes/taskbar.html" />
 <roundcube:include file="/includes/header.html" />
+<div id="messagecountbar">
+<roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" />
+ <roundcube:object name="messageCountDisplay" />
+<roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" />
+</div>
+
 <div id="messagetoolbar">
 <roundcube:button command="list" image="/images/buttons/back_act.png" width="32" height="32" title="backtolist" />
 <roundcube:button command="reply" imageAct="/images/buttons/reply_act.png" imagePas="/images/buttons/reply_pas.png" width="32" height="32" title="replytomessage" />
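Review bot: The context line directly under the changed `<td>` in `compose.html` carries `warp="virtual"` on the `composeBody` textarea, presumably a typo for `wrap="virtual"`; as written the attribute is unknown and ignored, so no wrapping is applied. Since this hunk already touches the enclosing cell it is cheap to correct here: `<roundcube:object name="composeBody" id="compose-body" form="form" cols="80" rows="20" wrap="virtual" />`.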
@@ -20,12 +26,6 @@ <roundcube:object name="mailboxlist" type="select" noSelection="moveto" maxlength="25" onchange="rcmail.command('moveto', this.options[this.selectedIndex].value)" class="mboxlist" /> </div> -<div id="messagecountbar"> -<roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" /> - <roundcube:object name="messageCountDisplay" /> -<roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" /> -</div> - <div id="mailboxlist-header"><roundcube:label name="mailboxlist" /></div> <div id="mailboxlist-container"><roundcube:object name="mailboxlist" id="mailboxlist" maxlength="16" /></div> |