From 57486f6e58d602413b58f780bf3a94ad6d2af8ce Mon Sep 17 00:00:00 2001
From: thomascube
Date: Tue, 29 Nov 2011 10:16:42 +0000
Subject: Content filter for embedded attachments to protect from XSS on IE<=8 (#1487895)
---
 program/include/rcube_message.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'program/include/rcube_message.php')
diff --git a/program/include/rcube_message.php b/program/include/rcube_message.php
index 0ecd86c4c..633f59be2 100644
--- a/program/include/rcube_message.php
+++ b/program/include/rcube_message.php
@@ -142,10 +142,10 @@ class rcube_message
 * @param string $mime_id Part MIME-ID
 * @return string URL or false if part does not exist
 */
- public function get_part_url($mime_id)
+ public function get_part_url($mime_id, $embed = false)
 {
 if ($this->mime_parts[$mime_id])
- return $this->opt['get_url'] . '&_part=' . $mime_id;
+ return $this->opt['get_url'] . '&_part=' . $mime_id . ($embed ? '&_embed=1' : '');
 else
 return false;
 }
@@ -511,7 +511,7 @@ class rcube_message
 $img_regexp = '/^image\/(gif|jpe?g|png|tiff|bmp|svg)/';
 foreach ($this->inline_parts as $inline_object) {
- $part_url = $this->get_part_url($inline_object->mime_id);
+ $part_url = $this->get_part_url($inline_object->mime_id, true);
 if ($inline_object->content_id)
 $a_replaces['cid:'.$inline_object->content_id] = $part_url;
 if ($inline_object->content_location) {
-- 
cgit v1.2.3
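Review bot: The docblock above `get_part_url()` still lists only `$mime_id`, so the new `$embed` argument and its purpose are undocumented; add `* @param bool $embed True if the part is embedded in the message body (appends _embed=1)`. Because `$embed` defaults to `false`, the protection named in the commit subject is opt-in per call site, and any other caller that places a part URL into rendered HTML has to remember to pass it. The filter itself is not in this file; presumably the part handler keys on `_embed`, so it is worth confirming there that a request without the flag also gets a safe default, for example by being served as a download rather than rendered inline.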
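Review bot: The bare `true` in `get_part_url($inline_object->mime_id, true)` gives no hint that it is what routes inline parts through the attachment content filter, so a later refactor could drop it without anyone noticing the XSS regression. A one-line comment above the call would make the intent explicit, e.g. `// embedded parts: add _embed=1 so the part handler applies its content filter`. The foreach body continues past the end of the hunk, so how `$part_url` is used in the Content-Location branch cannot be confirmed from here.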