Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

Conflicts: CHANGELOG
author: Aleksander Machniak <alec@alec.pl> 2013-08-01 14:49:55 +0200
committer: Aleksander Machniak <alec@alec.pl> 2013-08-01 14:54:17 +0200
commit: 276ea5fcaec2e9fd79a5c1d90ab78104252b35b5 (patch)
tree: 7f00998fd55fd95c5ca93cd5359dd4badf903fee
parent: a67ad15d2f0b2f2e8aec9e5f0cff07f48447f287 (diff)
2 files changed, 8 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 8d163def1..1729d36f9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS vulnerability when editing a message "as new" or draft (#1489251)
 - Fix rewrite rule in .htaccess (#1489240)
 - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252)
 - Fix identity-selection using Return-Path headers (#1489241)
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 73a7f34ac..5d588ab51 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -980,10 +980,14 @@ function rcmail_create_draft_body($body, $bodyIsHtml)
       && count($MESSAGE->mime_parts) > 0)
   {
     $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml);
+  }
+
+  // clean up html tags - XSS prevention (#1489251)
+  $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);
 
-    // replace cid with href in inline images links
-    if ($cid_map)
-      $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+  // replace cid with href in inline images links
+  if ($cid_map) {
+    $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
   }
 
   return $body;
author	Aleksander Machniak <alec@alec.pl>	2013-08-01 14:49:55 +0200
committer	Aleksander Machniak <alec@alec.pl>	2013-08-01 14:54:17 +0200
commit	276ea5fcaec2e9fd79a5c1d90ab78104252b35b5 (patch)
tree	7f00998fd55fd95c5ca93cd5359dd4badf903fee
parent	a67ad15d2f0b2f2e8aec9e5f0cff07f48447f287 (diff)