authorAleksander Machniak <alec@alec.pl>2012-08-15 11:20:40 +0200
committerAleksander Machniak <alec@alec.pl>2012-08-15 11:20:40 +0200
commitc086978f6a91eacb339fd2976202fca9dad2ef32 (patch)
tree080698891e4e4cfd1e42ae7fc2efff4f11dfc062 /program/js
parent5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee (diff)
Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
Diffstat (limited to 'program/js')
-rw-r--r--program/js/app.js31
1 files changed, 5 insertions, 26 deletions
diff --git a/program/js/app.js b/program/js/app.js
index de61b21f1..e8bb6c1a7 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -3298,8 +3298,7 @@ function rcube_webmail()
input_message = $("[name='_message']"),
message = input_message.val(),
is_html = ($("input[name='_is_html']").val() == '1'),
- sig = this.env.identity,
- sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
+ sig = this.env.identity;
// enable manual signature insert
if (this.env.signatures && this.env.signatures[id]) {
@@ -3312,25 +3311,18 @@ function rcube_webmail()
if (!is_html) {
// remove the 'old' signature
if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
-
- sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
+ sig = this.env.signatures[sig].text;
sig = sig.replace(/\r\n/g, '\n');
- if (!sig.match(/^--[ -]\n/m))
- sig = sig_separator + '\n' + sig;
-
p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
if (p >= 0)
message = message.substring(0, p) + message.substring(p+sig.length, message.length);
}
// add the new signature string
if (show_sig && this.env.signatures && this.env.signatures[id]) {
- sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
+ sig = this.env.signatures[id].text;
sig = sig.replace(/\r\n/g, '\n');
- if (!sig.match(/^--[ -]\n/m))
- sig = sig_separator + '\n' + sig;
-
if (this.env.sig_above) {
if (p >= 0) { // in place of removed signature
message = message.substring(0, p) + sig + message.substring(p, message.length);
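Review bot: The `text` field changes meaning in this hunk without any comment recording it: both `this.env.signatures[sig].text` and `this.env.signatures[id].text` are now assumed to be a plain-text rendering that already carries the signature separator. The removed lines chose `plain_text` for HTML signatures and prepended the separator themselves, so that work has presumably moved to whatever fills `env.signatures`, which is not visible in this diff. Removing the old signature still depends on an exact `indexOf`/`lastIndexOf` match, so the supplied `text` must be identical to what was inserted earlier. A one-line comment above the first lookup would record the contract, for example `// signatures[x].text is always plain text incl. separator, prepared server-side`. The enclosing block starts and ends outside the hunk.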
@@ -3394,21 +3386,8 @@ function rcube_webmail()
}
}
- if (this.env.signatures[id]) {
- if (this.env.signatures[id].is_html) {
- sig = this.env.signatures[id].text;
- if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
- sig = sig_separator + '<br />' + sig;
- }
- else {
- sig = this.env.signatures[id].text;
- if (!sig.match(/^--[ -]\r?\n/m))
- sig = sig_separator + '\n' + sig;
- sig = '<pre>' + sig + '</pre>';
- }
-
- sigElem.innerHTML = sig;
- }
+ if (this.env.signatures[id])
+ sigElem.innerHTML = this.env.signatures[id].html;
}
this.env.identity = id;
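Review bot: `sigElem.innerHTML = this.env.signatures[id].html;` is an HTML sink whose safety now rests entirely on how the `html` field is produced, and that code is not part of this diff (the diffstat is limited to program/js). Presumably plain signatures are escaped and HTML signatures sanitized before `html` is filled; a comment at the assignment, e.g. `// html is escaped/sanitized before it reaches the client; never assign raw signature text here`, would keep a later edit from reintroducing the unescaped `<pre>` concatenation this hunk removes. If an entry can ever lack `html`, the assignment would likely render the literal string "undefined", so a guard such as `if (this.env.signatures[id] && this.env.signatures[id].html != null)` is worth considering. The enclosing function starts outside the hunk.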