author | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
commit | 681ba6fc3c296cd6cd11050531b8f4e785141786 (patch) | |
tree | 77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps/settings/func.inc | |
parent | 53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff) |
Improve system security by using optional special URL with security token
Allows defining a separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps/settings/func.inc')
-rw-r--r-- | program/steps/settings/func.inc | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index f700e4f77..486e679c9 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -334,13 +334,10 @@ function rcmail_user_prefs($current = null)
 $input = new html_radiobutton(array('name'=>'_skin'));
 foreach ($skins as $skin) {
- $thumbnail = "./skins/$skin/thumbnail.png";
- if (!is_file($thumbnail))
- $thumbnail = './program/resources/blank.gif';
-
+ $thumbnail = "skins/$skin/thumbnail.png";
 $skinname = ucfirst($skin);
 $author_link = $license_link = '';
- $meta = @json_decode(@file_get_contents("./skins/$skin/meta.json"), true);
+ $meta = @json_decode(@file_get_contents(INSTALL_PATH . "skins/$skin/meta.json"), true);
 if (is_array($meta) && $meta['name']) {
 $skinname = $meta['name'];
@@ -348,10 +345,19 @@ function rcmail_user_prefs($current = null)
 $license_link = $meta['license-url'] ? html::a(array('href' => $meta['license-url'], 'target' => '_blank', 'tabindex' => '-1'), rcube::Q($meta['license'])) : rcube::Q($meta['license']);
 }
+ $img = html::img(array(
+ 'src' => $thumbnail,
+ 'class' => 'skinthumbnail',
+ 'alt' => $skin,
+ 'width' => 64,
+ 'height' => 64,
+ 'onerror' => "this.src = rcmail.assets_path('program/resources/blank.gif')",
+ ));
+
 $skinnames[] = mb_strtolower($skinname);
 $blocks['skin']['options'][$skin]['content'] = html::label(array('class' => 'skinselection'),
 html::span('skinitem', $input->show($config['skin'], array('value' => $skin, 'id' => $field_id.$skin))) .
- html::span('skinitem', html::img(array('src' => $thumbnail, 'class' => 'skinthumbnail', 'alt' => $skin, 'width' => 64, 'height' => 64))) .
+ html::span('skinitem', $img) .
 html::span('skinitem', html::span('skinname', rcube::Q($skinname)) . html::br() .
 html::span('skinauthor', $author_link ? 'by ' . $author_link : '') . html::br() .
 html::span('skinlicense', $license_link ? $RCMAIL->gettext('license').': ' . $license_link : ''))
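Review bot: The new `'onerror'` entry in the `$img` array in the second hunk emits an inline event handler for every skin, which cannot run under a Content-Security-Policy that omits `script-src 'unsafe-inline'`, so this line works against the commit's stated goal of improving security. The fallback can stay server-side by keeping the removed check on the new INSTALL_PATH-relative path, `if (!is_file(INSTALL_PATH . $thumbnail)) { $thumbnail = 'program/resources/blank.gif'; }` right after the `$thumbnail` assignment in the first hunk, and dropping the `'onerror'` entry; that also avoids one failing image request per skin without a thumbnail. This presumes the skin directories remain readable on the host that renders the page when assets are served from a separate server/path, which the hunk does not show. `rcmail_user_prefs` begins and ends outside both hunks.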