diff options
author | Aleksander Machniak <alec@alec.pl> | 2012-08-15 11:20:40 +0200 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2012-08-15 11:21:49 +0200 |
commit | 14c4677eede6263f26b8830917ec6e74409b80c4 (patch) | |
tree | 3fd6ee4bb0b197a2fa75f956472394a8ad48dfc1 /program/js | |
parent | b3206b4b2822b8c9d18c4730aa1afdf72a758f8c (diff) |
Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
Diffstat (limited to 'program/js')
-rw-r--r-- | program/js/app.js | 31 |
1 files changed, 5 insertions, 26 deletions
diff --git a/program/js/app.js b/program/js/app.js index e6b040c68..0e6605dbe 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -3275,8 +3275,7 @@ function rcube_webmail() input_message = $("[name='_message']"), message = input_message.val(), is_html = ($("input[name='_is_html']").val() == '1'), - sig = this.env.identity, - sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- '; + sig = this.env.identity; // enable manual signature insert if (this.env.signatures && this.env.signatures[id]) { @@ -3289,25 +3288,18 @@ function rcube_webmail() if (!is_html) { // remove the 'old' signature if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) { - - sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text; + sig = this.env.signatures[sig].text; sig = sig.replace(/\r\n/g, '\n'); - if (!sig.match(/^--[ -]\n/m)) - sig = sig_separator + '\n' + sig; - p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig); if (p >= 0) message = message.substring(0, p) + message.substring(p+sig.length, message.length); } // add the new signature string if (show_sig && this.env.signatures && this.env.signatures[id]) { - sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text']; + sig = this.env.signatures[id].text; sig = sig.replace(/\r\n/g, '\n'); - if (!sig.match(/^--[ -]\n/m)) - sig = sig_separator + '\n' + sig; - if (this.env.sig_above) { if (p >= 0) { // in place of removed signature message = message.substring(0, p) + sig + message.substring(p, message.length); @@ -3371,21 +3363,8 @@ function rcube_webmail() } } - if (this.env.signatures[id]) { - if (this.env.signatures[id].is_html) { - sig = this.env.signatures[id].text; - if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m)) - sig = sig_separator + '<br />' + sig; - } - else { - sig = this.env.signatures[id].text; - if (!sig.match(/^--[ -]\r?\n/m)) - sig = sig_separator + '\n' + sig; - sig = '<pre>' + sig + '</pre>'; - } - - sigElem.innerHTML = sig; - } + if (this.env.signatures[id]) + sigElem.innerHTML = this.env.signatures[id].html; } this.env.identity = id; |