From a7d5e3e8580466639a18da35af13b97dc3765c16 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 8 Jun 2012 09:22:49 +0200
Subject: Fix XSS vulnerability in message subject handling using Larry skin
 (#1488519)

---
 CHANGELOG                   | 1 +
 program/steps/mail/func.inc | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0d4936316..7ecbc997d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS vulnerability in message subject handling using Larry skin (#1488519)
 - Fix handling of links with various URI schemes e.g. "skype:" (#1488106)
 - Fix handling of links inside PRE elements on html to text conversion
 - Fix indexing of links on html to text conversion
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 854298d8b..208b2b345 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -947,7 +947,7 @@ function rcmail_message_headers($attrib, $headers=NULL)
 
   // single header value is requested
   if (!empty($attrib['valueof']))
-    return Q($plugin['output'][$attrib['valueof']]['value'], ($hkey == 'subject' ? 'strict' : 'show'));
+    return Q($plugin['output'][$attrib['valueof']]['value'], ($attrib['valueof'] == 'subject' ? 'strict' : 'show'));
 
   // compose html table
   $table = new html_table(array('cols' => 2));
-- 
cgit v1.2.3