author | Thomas Bruederli <thomas@roundcube.net> | 2013-08-14 23:36:55 +0200 |
---|---|---|
committer | Thomas Bruederli <thomas@roundcube.net> | 2013-08-14 23:36:55 +0200 |
commit | 341fa8b9a6207000d057e00678d96ada6136f783 (patch) | |
tree | f8049ade80bf816e6b9d4d843b6e83a8b132e72a /program/steps/mail | |
parent | 96c4b9098bec7191c708d4e4f96b80b2768a7ef0 (diff) | |
parent | f4ba655a41bad1d2f833e36dd3fbe7cb2a5582ee (diff) |
Merge branch 'release-0.9' of github.com:roundcube/roundcubemail into release-0.9
Diffstat (limited to 'program/steps/mail')
-rw-r--r-- | program/steps/mail/compose.inc | 16 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 8 |
2 files changed, 21 insertions, 3 deletions
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 73a7f34ac..fb76b9abb 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -198,7 +198,10 @@ if (!empty($msg_uid) && empty($COMPOSE['as_attachment'])) if (!empty($MESSAGE->headers->charset)) $RCMAIL->storage->set_charset($MESSAGE->headers->charset); - if ($compose_mode == RCUBE_COMPOSE_REPLY) { + if (!$MESSAGE->headers) { + // error + } + else if ($compose_mode == RCUBE_COMPOSE_REPLY) { $COMPOSE['reply_uid'] = $msg_uid; $COMPOSE['reply_msgid'] = $MESSAGE->headers->messageID; $COMPOSE['references'] = trim($MESSAGE->headers->references . " " . $MESSAGE->headers->messageID); @@ -980,10 +983,19 @@ function rcmail_create_draft_body($body, $bodyIsHtml) && count($MESSAGE->mime_parts) > 0) { $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); + } + + // clean up HTML tags - XSS prevention (#1489251) + if ($bodyIsHtml) { + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); + + // remove comments (produced by washtml) + $body = preg_replace('/<!--[^>]+-->/', '', $body); // replace cid with href in inline images links - if ($cid_map) + if (!empty($cid_map)) { $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + } } return $body; diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 16a9f495d..28e6baadf 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc 
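Review bot: The new `if (!$MESSAGE->headers)` branch in compose.inc holds only the comment `// error`, so a message whose headers could not be loaded silently skips the else-if chain that follows and composing carries on. The comment should say what is intended, for example `// message headers could not be loaded: leave $COMPOSE untouched`, or the failure should be reported to the user at that point if this step has a way to do so. The context line above reads `$MESSAGE->headers->charset` inside `empty()`, which tolerates a missing object, so the guard sits in the right place. The enclosing `if (!empty($msg_uid) ...)` block starts and ends outside the hunk.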
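Review bot: In rcmail_create_draft_body the body is rewritten twice after `rcmail_wash_html()` returns (the comment-stripping `preg_replace` and the cid `str_replace`), so the returned string is no longer exactly what the washer vetted. The pattern `/<!--[^>]+-->/` also leaves behind any comment that is empty or contains a `>`; if the aim is to drop every comment the washer emits, `'/<!--.*?-->/s'` covers those cases, although having the washer omit its comments would avoid post-processing sanitised HTML at all. Separately, `$cid_map` is assigned only inside the attachments `if`, yet it is now passed to `rcmail_wash_html()` whenever `$bodyIsHtml` is set; unless it is initialised above the hunk, add `$cid_map = array();` before that `if`. The function starts outside the hunk.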
@@ -1803,8 +1803,14 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r // Try Return-Path if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) { foreach ($identities as $idx => $ident) { + // Return-Path header contains an email address, but on some mailing list + // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net> + // where local@domain.tld is the address we're looking for (#1489241) + $ident1 = $ident['email_ascii']; + $ident2 = str_replace('@', '=', $ident1); + foreach ((array)$return_path as $path) { - if (stripos($path, $ident['email_ascii']) !== false) { + if (stripos($path, $ident1) !== false || stripos($path, $ident2)) { $from_idx = $idx; break 2; } |
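Review bot: The second test in the new condition, `stripos($path, $ident2)`, lacks the `!== false` that the first test has, so a match at offset 0 evaluates to false and is ignored. It should read `stripos($path, $ident1) !== false || stripos($path, $ident2) !== false`. Both tests are substring matches against a header the sender controls, so an identity address that is only a suffix of a longer address in Return-Path also matches; that may be acceptable for choosing a default From identity, but it deserves a short comment next to the check. The body of rcmail_identity_select starts and ends outside the hunk.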