From edc49ebfc2b6d8ebedecfb72318c9bc72fba9211 Mon Sep 17 00:00:00 2001
From: Dennis1993 <marvin-wegener@outlook.com>
Date: Mon, 2 Sep 2013 12:55:55 +0200
Subject: Update editor.js

---
 program/js/editor.js | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'program/js')

diff --git a/program/js/editor.js b/program/js/editor.js
index e403d1f63..e1ef36835 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -80,6 +80,9 @@ function rcmail_editor_callback()
   if (rcmail.env.default_font)
     $(tinyMCE.get(rcmail.env.composebody).getBody()).css('font-family', rcmail.env.default_font);
 
+  if (rcmail.env.default_font_size)
+    $(tinyMCE.get(rcmail.env.composebody).getBody()).css('font-size', rcmail.env.default_font_size);
+
   if (elem && elem.type == 'select-one') {
     rcmail.change_identity(elem);
     // Focus previously focused element
-- 
cgit v1.2.3


From 2e30b24dbf3aebf4d201bc922eb7b7bc8ab8f4fd Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 14 Sep 2013 09:44:58 +0200
Subject: Fix XSS issue in addressbook group name field [CVE-2013-5646]
 (#1489333)

---
 CHANGELOG         | 1 +
 program/js/app.js | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

(limited to 'program/js')

diff --git a/CHANGELOG b/CHANGELOG
index 85963d84f..6a93d40ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
 - Fix attachment icon issue when rare font/language is used (#1489326)
 - After message is sent refresh messages list of replied message folder (#1489249)
 - Add option force specified domain in user login - username_domain_forced (#1489264)
diff --git a/program/js/app.js b/program/js/app.js
index 42c661144..1d1c65172 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -4345,7 +4345,7 @@ function rcube_webmail()
         boxtitle.append('&nbsp;&raquo;&nbsp;');
       }
 
-      boxtitle.append($('<span>'+prop.name+'</span>'));
+      boxtitle.append($('<span>').text(prop.name));
     }
 
     this.triggerEvent('groupupdate', prop);
-- 
cgit v1.2.3


From 2efe332b495787dc5be77c3191ff319a62a56fca Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 15 Sep 2013 13:43:13 +0200
Subject: Display full attachment name using title attribute when name is too
 long to display (#1489320)

---
 CHANGELOG                                   |  1 +
 program/js/app.js                           | 13 +++++++++----
 program/steps/mail/attachments.inc          |  5 ++++-
 program/steps/mail/compose.inc              | 24 ++++++++++++++++++------
 program/steps/mail/show.inc                 |  5 +++--
 skins/classic/templates/message.html        |  2 +-
 skins/classic/templates/messagepreview.html |  2 +-
 7 files changed, 37 insertions(+), 15 deletions(-)

(limited to 'program/js')

diff --git a/CHANGELOG b/CHANGELOG
index a7c3f1540..f18d10d94 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Display full attachment name using title attribute when name is too long to display (#1489320)
 - Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
 - Fix attachment icon issue when rare font/language is used (#1489326)
 - After message is sent refresh messages list of replied message folder (#1489249)
diff --git a/program/js/app.js b/program/js/app.js
index 1d1c65172..24aaca055 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1881,7 +1881,7 @@ function rcube_webmail()
         html = expando;
       else if (c == 'subject') {
         if (bw.ie) {
-          col.onmouseover = function() { rcube_webmail.long_subject_title_ie(this, message.depth+1); };
+          col.onmouseover = function() { rcube_webmail.long_subject_title_ex(this, message.depth+1); };
           if (bw.ie8)
             tree = '<span></span>' + tree; // #1487821
         }
@@ -3639,7 +3639,12 @@ function rcube_webmail()
       att.html = '<a title="'+this.get_label('cancel')+'" onclick="return rcmail.cancel_attachment_upload(\''+name+'\', \''+att.frame+'\');" href="#cancelupload" class="cancelupload">'
         + (this.env.cancelicon ? '<img src="'+this.env.cancelicon+'" alt="" />' : this.get_label('cancel')) + '</a>' + att.html;
 
-    var indicator, li = $('<li>').attr('id', name).addClass(att.classname).html(att.html);
+    var indicator, li = $('<li>');
+
+    li.attr('id', name)
+      .addClass(att.classname)
+      .html(att.html)
+      .on('mouseover', function() { rcube_webmail.long_subject_title_ex(this, 0); });
 
     // replace indicator's li
     if (upload_id && (indicator = document.getElementById(upload_id))) {
@@ -6986,11 +6991,11 @@ rcube_webmail.long_subject_title = function(elem, indent)
   if (!elem.title) {
     var $elem = $(elem);
     if ($elem.width() + indent * 15 > $elem.parent().width())
-      elem.title = $elem.html();
+      elem.title = $elem.text();
   }
 };
 
-rcube_webmail.long_subject_title_ie = function(elem, indent)
+rcube_webmail.long_subject_title_ex = function(elem, indent)
 {
   if (!elem.title) {
     var $elem = $(elem),
diff --git a/program/steps/mail/attachments.inc b/program/steps/mail/attachments.inc
index f83f6892e..85aa9542b 100644
--- a/program/steps/mail/attachments.inc
+++ b/program/steps/mail/attachments.inc
@@ -118,9 +118,12 @@ if (is_array($_FILES['_attachments']['tmp_name'])) {
           'alt' => rcube_label('delete')
         ));
       }
-      else {
+      else if ($COMPOSE['textbuttons']) {
         $button = Q(rcube_label('delete'));
       }
+      else {
+        $button = '';
+      }
 
       $content = html::a(array(
         'href' => "#delete",
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index e9f638cb1..39dca3b03 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -1370,8 +1370,9 @@ function rcmail_compose_attachment_list($attrib)
   if (!$attrib['id'])
     $attrib['id'] = 'rcmAttachmentList';
 
-  $out = "\n";
+  $out    = "\n";
   $jslist = array();
+  $button = '';
 
   if (is_array($COMPOSE['attachments'])) {
     if ($attrib['deleteicon']) {
@@ -1380,27 +1381,38 @@ function rcmail_compose_attachment_list($attrib)
         'alt' => rcube_label('delete')
       ));
     }
-    else
+    else if (rcube_utils::get_boolean($attrib['textbuttons'])) {
       $button = Q(rcube_label('delete'));
+    }
 
     foreach ($COMPOSE['attachments'] as $id => $a_prop) {
       if (empty($a_prop))
         continue;
 
-      $out .= html::tag('li', array('id' => 'rcmfile'.$id, 'class' => rcmail_filetype2classname($a_prop['mimetype'], $a_prop['name'])),
+      $out .= html::tag('li',
+        array(
+          'id'          => 'rcmfile'.$id,
+          'class'       => rcmail_filetype2classname($a_prop['mimetype'], $a_prop['name']),
+          'onmouseover' => "rcube_webmail.long_subject_title_ex(this, 0)",
+        ),
         html::a(array(
             'href' => "#delete",
             'title' => rcube_label('delete'),
             'onclick' => sprintf("return %s.command('remove-attachment','rcmfile%s', this)", JS_OBJECT_NAME, $id),
-            'class' => 'delete'),
-          $button) . Q($a_prop['name']));
+            'class' => 'delete'
+          ),
+          $button
+        ) . Q($a_prop['name'])
+      );
 
-        $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']);
+      $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']);
     }
   }
 
   if ($attrib['deleteicon'])
     $COMPOSE['deleteicon'] = $CONFIG['skin_path'] . $attrib['deleteicon'];
+  else if (rcube_utils::get_boolean($attrib['textbuttons']))
+    $COMPOSE['textbuttons'] = true;
   if ($attrib['cancelicon'])
     $OUTPUT->set_env('cancelicon', $CONFIG['skin_path'] . $attrib['cancelicon']);
   if ($attrib['loadingicon'])
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 59f4d55e1..9d85f9c8f 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -175,9 +175,9 @@ function rcmail_message_attachments($attrib)
         $ol .= html::tag('li', null, Q(sprintf("%s (%s)", $filename, $size)));
       }
       else {
-        if (mb_strlen($filename) > 50) {
+        if ($attrib['maxlength'] && mb_strlen($filename) > $attrib['maxlength']) {
           $title    = $filename;
-          $filename = abbreviate_string($filename, 50);
+          $filename = abbreviate_string($filename, $attrib['maxlength']);
         }
         else {
           $title = '';
@@ -190,6 +190,7 @@ function rcmail_message_attachments($attrib)
             'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
             'onclick' => sprintf('return %s.command(\'load-attachment\',\'%s\',this)',
               JS_OBJECT_NAME, $attach_prop->mime_id),
+            'onmouseover' => $title ? '' : 'rcube_webmail.long_subject_title_ex(this, 0)',
             'title' => Q($title),
             ), Q($filename));
         $ol .= html::tag('li', array('class' => $class, 'id' => $id), $link);
diff --git a/skins/classic/templates/message.html b/skins/classic/templates/message.html
index 757c0a635..bd4fbf277 100644
--- a/skins/classic/templates/message.html
+++ b/skins/classic/templates/message.html
@@ -49,7 +49,7 @@
   </div>
 <roundcube:object name="messageHeaders" class="headers-table" cellspacing="0" cellpadding="2" addicon="/images/icons/silhouette.png" summary="Message headers" />
 <roundcube:object name="messageFullHeaders" id="full-headers" />
-<roundcube:object name="messageAttachments" id="attachment-list" />
+<roundcube:object name="messageAttachments" id="attachment-list" maxlength="50" />
 <roundcube:object name="messageObjects" id="message-objects" />
 <roundcube:object name="messageBody" id="messagebody" />
 </div>
diff --git a/skins/classic/templates/messagepreview.html b/skins/classic/templates/messagepreview.html
index b42a06342..82414c420 100644
--- a/skins/classic/templates/messagepreview.html
+++ b/skins/classic/templates/messagepreview.html
@@ -20,7 +20,7 @@
   </div>
 <roundcube:object name="messageHeaders" class="headers-table" cellspacing="0" cellpadding="2" addicon="/images/icons/silhouette.png" summary="Message headers" />
 <roundcube:object name="messageFullHeaders" id="full-headers" />
-<roundcube:object name="messageAttachments" id="attachment-list" />
+<roundcube:object name="messageAttachments" id="attachment-list" maxlength="50" />
 </div>
 
 <roundcube:object name="messageObjects" id="message-objects" />
-- 
cgit v1.2.3


From 8deae975f0589fccb171b16d54c4b6d9eb569a1b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sun, 15 Sep 2013 16:48:44 +0200
Subject: Fixed issues in handling reply-to/bcc fields on identity change

---
 program/js/app.js | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'program/js')

diff --git a/program/js/app.js b/program/js/app.js
index 24aaca055..337a12156 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -3427,7 +3427,8 @@ function rcube_webmail()
       message = input_message.val(),
       is_html = ($("input[name='_is_html']").val() == '1'),
       sig = this.env.identity,
-      delim = this.env.recipients_delimiter,
+      delim = this.env.recipients_separator,
+      rx_delim = RegExp.escape(delim),
       headers = ['replyto', 'bcc'];
 
     // update reply-to/bcc fields with addresses defined in identities
@@ -3444,16 +3445,18 @@ function rcube_webmail()
       }
 
       // cleanup
-      rx = new RegExp(RegExp.escape(delim) + '\\s*' + RegExp(delim), 'g');
-      input_val = input_val.replace(rx, delim)
-      rx = new RegExp('^\\s*' + RegExp.escape(delim) + '\\s*$');
-      input_val = input_val.replace(rx, '')
+      rx = new RegExp(rx_delim + '\\s*' + rx_delim, 'g');
+      input_val = input_val.replace(rx, delim);
+      rx = new RegExp('^[\\s' + rx_delim + ']+');
+      input_val = input_val.replace(rx, '');
 
       // add new address(es)
-      if (new_val) {
-        rx = new RegExp(RegExp.escape(delim) + '\\s*$');
-        if (input_val && !rx.test(input_val))
-          input_val += delim + ' ';
+      if (new_val && input_val.indexOf(new_val) == -1 && input_val.indexOf(new_val.replace(/"/g, '')) == -1) {
+        if (input_val) {
+          rx = new RegExp('[' + rx_delim + '\\s]+$')
+          input_val = input_val.replace(rx, '') + delim + ' ';
+        }
+
         input_val += new_val + delim + ' ';
       }
 
-- 
cgit v1.2.3