diff options
author | Aleksander Machniak <alec@alec.pl> | 2012-08-15 11:20:40 +0200 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2012-08-15 11:20:40 +0200 |
commit | c086978f6a91eacb339fd2976202fca9dad2ef32 (patch) | |
tree | 080698891e4e4cfd1e42ae7fc2efff4f11dfc062 /program/js | |
parent | 5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee (diff) |
Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
Diffstat (limited to 'program/js')
-rw-r--r-- | program/js/app.js | 31 |
1 files changed, 5 insertions, 26 deletions
diff --git a/program/js/app.js b/program/js/app.js index de61b21f1..e8bb6c1a7 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -3298,8 +3298,7 @@ function rcube_webmail() input_message = $("[name='_message']"), message = input_message.val(), is_html = ($("input[name='_is_html']").val() == '1'), - sig = this.env.identity, - sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- '; + sig = this.env.identity; // enable manual signature insert if (this.env.signatures && this.env.signatures[id]) { @@ -3312,25 +3311,18 @@ function rcube_webmail() if (!is_html) { // remove the 'old' signature if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) { - - sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text; + sig = this.env.signatures[sig].text; sig = sig.replace(/\r\n/g, '\n'); - if (!sig.match(/^--[ -]\n/m)) - sig = sig_separator + '\n' + sig; - p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig); if (p >= 0) message = message.substring(0, p) + message.substring(p+sig.length, message.length); } // add the new signature string if (show_sig && this.env.signatures && this.env.signatures[id]) { - sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text']; + sig = this.env.signatures[id].text; sig = sig.replace(/\r\n/g, '\n'); - if (!sig.match(/^--[ -]\n/m)) - sig = sig_separator + '\n' + sig; - if (this.env.sig_above) { if (p >= 0) { // in place of removed signature message = message.substring(0, p) + sig + message.substring(p, message.length); @@ -3394,21 +3386,8 @@ function rcube_webmail() } } - if (this.env.signatures[id]) { - if (this.env.signatures[id].is_html) { - sig = this.env.signatures[id].text; - if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m)) - sig = sig_separator + '<br />' + sig; - } - else { - sig = this.env.signatures[id].text; - if (!sig.match(/^--[ -]\r?\n/m)) - sig = sig_separator + '\n' + sig; - sig = '<pre>' + sig + '</pre>'; - } - - sigElem.innerHTML = sig; - } + if (this.env.signatures[id]) + sigElem.innerHTML = this.env.signatures[id].html; } this.env.identity = id; |