summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
authorThomas Bruederli <thomas@roundcube.net>2013-01-19 17:02:48 +0100
committerThomas Bruederli <thomas@roundcube.net>2013-01-19 17:03:18 +0100
commit24607ceb801e5b30f3338a4458ad6ea3ba8d204f (patch)
treebcb6794a60799a9c7d5f41087a640f8cac8e8f79 /program
parent8c293e2f280e9b4a61a8c6d83a52e0cf4c55f4eb (diff)
Also block remote images in HTML part view (#1488827)
Diffstat (limited to 'program')
-rw-r--r--program/js/app.js8
-rw-r--r--program/steps/mail/get.inc29
2 files changed, 30 insertions, 7 deletions
diff --git a/program/js/app.js b/program/js/app.js
index 632ee964c..474ece77f 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -821,11 +821,9 @@ function rcube_webmail()
// open attachment in frame if it's of a supported mimetype
if (this.env.uid && props.mimetype && this.env.mimetypes && $.inArray(props.mimetype, this.env.mimetypes) >= 0) {
- if (props.mimetype == 'text/html')
- qstring += '&_safe=1';
- this.attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment');
- if (this.attachment_win) {
- setTimeout(function(){ ref.attachment_win.focus(); }, 10);
+ var attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment'+this.env.uid+props.part);
+ if (attachment_win) {
+ setTimeout(function(){ attachment_win.focus(); }, 10);
break;
}
}
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 9d9032b6a..6cda4e81d 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -35,6 +35,11 @@ if (!empty($_GET['_preload'])) {
ob_end_clean();
+
+// define global style for warning blocks inside the attachment part frame
+// TODO: get styles for this from skin (but we don't have a skin template here...)
+$warning_css_style = 'border:2px solid #ffdf0e; background:#fef893; padding:0.6em 1em';
+
// similar code as in program/steps/mail/show.inc
if (!empty($_GET['_uid'])) {
$RCMAIL->config->set('prefer_html', true);
@@ -154,12 +159,12 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
if (!$valid) {
$OUTPUT = new rcmail_html_page();
$OUTPUT->write(html::tag('html', null, html::tag('body', array('style' => 'font-family:sans-serif; margin:1em'),
- html::div(array('class' => 'warning', 'style' => 'border:2px solid #ffdf0e; background:#fef893; padding:1em 1em 0 1em;'),
+ html::div(array('class' => 'warning', 'style' => $warning_css_style),
rcube_label(array(
'name' => 'attachmentvalidationerror',
'vars' => array('expected' => "$mimetype (.$file_extension)", 'detected' => "$real_mimetype (.$extensions[0])")
)) .
- html::p('buttons',
+ html::p(array('class' => 'buttons', 'style' => 'margin-bottom:0'),
html::tag('button',
array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
rcube_label('showanyway')))
@@ -214,7 +219,27 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
if (!$part->body)
$part->body = $MESSAGE->get_part_content($part->mime_id);
+ // show images?
+ rcmail_check_safe($MESSAGE);
+
+ // render HTML body
$out = rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));
+
+ // insert remote objects warning into HTML body
+ if ($REMOTE_OBJECTS) {
+ $body_start = 0;
+ if ($body_pos = strpos($out, '<body')) {
+ $body_start = strpos($out, '>', $body_pos) + 1;
+ }
+ $out = substr($out, 0, $body_start) .
+ html::div(array('class' => 'warning', 'style' => $warning_css_style),
+ Q(rcube_label('blockedimages')) . '&nbsp;' .
+ html::tag('button',
+ array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_safe' => 1))) . "'"),
+ Q(rcube_label('showimages')))
+ ) .
+ substr($out, $body_start);
+ }
}
// check connection status