summaryrefslogtreecommitdiff
path: root/program/steps
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2012-08-15 11:20:40 +0200
committerAleksander Machniak <alec@alec.pl>2012-08-15 11:20:40 +0200
commitc086978f6a91eacb339fd2976202fca9dad2ef32 (patch)
tree080698891e4e4cfd1e42ae7fc2efff4f11dfc062 /program/steps
parent5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee (diff)
Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/mail/compose.inc30
1 files changed, 23 insertions, 7 deletions
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 71a1c0f21..1a1d244e1 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -529,7 +529,7 @@ function rcmail_compose_headers($attrib)
function rcmail_compose_header_from($attrib)
{
- global $MESSAGE, $OUTPUT;
+ global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
// pass the following attributes to the form class
$field_attrib = array('name' => '_from');
@@ -540,6 +540,8 @@ function rcmail_compose_header_from($attrib)
if (count($MESSAGE->identities))
{
$a_signatures = array();
+ $separator = $RCMAIL->config->get('sig_above')
+ && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
$field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
$select_from = new html_select($field_attrib);
@@ -553,13 +555,27 @@ function rcmail_compose_header_from($attrib)
// add signature to array
if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
{
- $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
- $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
- if ($a_signatures[$identity_id]['is_html'])
- {
- $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
- $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
+ $text = $html = $sql_arr['signature'];
+
+ if ($sql_arr['html_signature']) {
+ $h2t = new html2text($sql_arr['signature'], false, false);
+ $text = trim($h2t->get_text());
+ }
+ else {
+ $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
+ }
+
+ if (!preg_match('/^--[ -]\r?\n/m', $text)) {
+ $text = $separator . "\n" . $text;
+ $html = $separator . "<br>" . $html;
+ }
+
+ if (!$sql_arr['html_signature']) {
+ $html = "<pre>" . $html . "</pre>";
}
+
+ $a_signatures[$identity_id]['text'] = $text;
+ $a_signatures[$identity_id]['html'] = $html;
}
}