authorAleksander Machniak <alec@alec.pl>2012-11-14 13:29:58 +0100
committerAleksander Machniak <alec@alec.pl>2012-11-14 13:31:02 +0100
commite13ad37d8984b8b7a1a0ab96e4f2a561ef459265 (patch)
tree1c2d26fa6308aa9b3eaf988626316bf2f6732c56 /program
parent76cee1c4e18e518888ddac2c038ed49535ed846c (diff)
Fix XSS vulnerability in handling of text/enriched messages (#1488806)v0.8.4
Diffstat (limited to 'program')
-rw-r--r--program/steps/mail/func.inc4
1 files changed, 3 insertions, 1 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 6712f2516..9b5b4f9d6 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -740,7 +740,9 @@ function rcmail_print_body($part, $p = array())
else if ($data['type'] == 'enriched') {
$part->ctype_secondary = 'html';
require_once(INSTALL_PATH . 'program/lib/enriched.inc');
- $body = Q(enriched_to_html($data['body']), 'show');
+ $body = enriched_to_html($data['body']);
+ $body = rcmail_wash_html($body, $data, $part->replaces);
+ $part->ctype_secondary = 'html';
}
else {
// assert plaintext
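Review bot: The added `$part->ctype_secondary = 'html';` (last inserted line) repeats the assignment the unchanged context line already makes at the top of this branch, so one of the two is redundant; drop the added line, or move the single assignment after the wash call if the intent is to mark the part as HTML only once the washed body exists. Routing `enriched_to_html()` output through `rcmail_wash_html()` instead of `Q(..., 'show')` is the right shape of fix for the reported XSS, because the converter emits HTML that must be sanitised as HTML rather than entity-encoded or left raw. Whether `rcmail_wash_html()` reads `$data['type']` (still `'enriched'` at this point) and behaves correctly for it is not visible in the hunk and is worth confirming. A one-line comment such as `// enriched_to_html() produces HTML, so it must go through the HTML washer like any other HTML body` would record why the escaping call was replaced. rcmail_print_body starts and ends outside this hunk.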