Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"
| | |
|---|
| | | CHANGELOG Roundcube Webmail |
|---|
| | | =========================== |
|---|
| | | |
|---|
| | | - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) |
|---|
| | | - Fix downloading binary files with (wrong) text/* content-type (#1489267) |
|---|
| | | - Fix rewrite rule in .htaccess (#1489240) |
|---|
| | | - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) |
|---|
| | |
|---|
| | | && count($MESSAGE->mime_parts) > 0) |
|---|
| | | { |
|---|
| | | $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // replace cid with href in inline images links |
|---|
| | | if ($cid_map) |
|---|
| | | $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); |
|---|
| | | // clean up html tags - XSS prevention (#1489251) |
|---|
| | | $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); |
|---|
| | | |
|---|
| | | // replace cid with href in inline images links |
|---|
| | | if ($cid_map) { |
|---|
| | | $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); |
|---|
| | | } |
|---|
| | | |
|---|
| | | return $body; |
|---|
