githubFork/roundcubemail.git

	CHANGELOG	4 ●●●●● patch \| view \| raw \| blame \| history
	program/js/list.js	35 ●●●●● patch \| view \| raw \| blame \| history
	program/lib/Roundcube/rcube_washtml.php	2 ●●●●● patch \| view \| raw \| blame \| history
	program/localization/de_CH/labels.inc	1 ●●●●● patch \| view \| raw \| blame \| history
	program/localization/de_DE/labels.inc	1 ●●●●● patch \| view \| raw \| blame \| history
	skins/larry/ui.js	4 ●●●●● patch \| view \| raw \| blame \| history
	tests/Framework/Washtml.php	17 ●●●●● patch \| view \| raw \| blame \| history

 CHANGELOG

@@ -1,7 +1,11 @@
CHANGELOG Roundcube Webmail
===========================


- Fix message list multi-select/deselect issue (#5219)
- Fix bug where contact search menu fields where always unchecked in Larry skin
- Fix XSS issue in href attribute on area tag (#5240)
- Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting

RELEASE 1.1.5
-------------

 program/js/list.js

@@ -1688,32 +1688,33 @@
    this.col_draglayer = null;
  }

  if (this.col_drag_active)
    this.focus();
  this.col_drag_active = false;

  rcube_event.remove_listener({event:'mousemove', object:this, method:'column_drag_mouse_move'});
  rcube_event.remove_listener({event:'mouseup', object:this, method:'column_drag_mouse_up'});

  // remove temp divs
  this.del_dragfix();

  if (this.selected_column !== null && this.cols && this.cols.length) {
    var i, cpos = 0, pos = rcube_event.get_mouse_pos(e);
  if (this.col_drag_active) {
    this.col_drag_active = false;
    this.focus();
    this.triggerEvent('column_dragend', e);

    // find destination position
    for (i=0; i<this.cols.length; i++) {
      if (pos.x >= this.cols[i]/2 + this.list_pos + cpos)
        cpos += this.cols[i];
      else
        break;
    }
    if (this.selected_column !== null && this.cols && this.cols.length) {
      var i, cpos = 0, pos = rcube_event.get_mouse_pos(e);

    if (i != this.selected_column && i != this.selected_column+1) {
      this.column_replace(this.selected_column, i);
      // find destination position
      for (i=0; i<this.cols.length; i++) {
        if (pos.x >= this.cols[i]/2 + this.list_pos + cpos)
          cpos += this.cols[i];
        else
          break;
      }

      if (i != this.selected_column && i != this.selected_column+1) {
        this.column_replace(this.selected_column, i);
      }
    }
  }

  this.triggerEvent('column_dragend', e);

  return rcube_event.cancel(e);
},

 program/lib/Roundcube/rcube_washtml.php

@@ -370,7 +370,7 @@
     */
    private function is_link_attribute($tag, $attr)
    {
        return $tag == 'a' && $attr == 'href';
        return ($tag == 'a' || $tag == 'area') && $attr == 'href';
    }

    /**

 program/localization/de_CH/labels.inc

@@ -579,4 +579,5 @@
Eingabe: Ausgewählte/fokussierte Nachricht öffnen.
Löschen: Ausgewählte Nachricht in den Papierkorb verschieben resp. löschen.";
$labels['helplistkeyboardnavcontacts'] = "Eingabe: Ausgewählten Kontakt öffnen.";
$labels['sigbelow'] = 'Signatur unter der zitierten Nachricht platzieren';
?>

 program/localization/de_DE/labels.inc

@@ -579,4 +579,5 @@
Enter: Öffne die ausgewählte/fokussierte Nachricht
Rücktaste: Verschiebe gewählte Nachricht in den Mülleimer";
$labels['helplistkeyboardnavcontacts'] = "Enter: Ausgewählten Kontakt öffnen.";
$labels['sigbelow'] = 'Unterschrift unter der zitierten Nachricht platzieren';
?>

 skins/larry/ui.js

@@ -298,7 +298,9 @@
    else if (rcmail.env.task == 'addressbook') {
      rcmail.addEventListener('afterupload-photo', show_uploadform)
        .addEventListener('beforepushgroup', push_contactgroup)
        .addEventListener('beforepopgroup', pop_contactgroup);
        .addEventListener('beforepopgroup', pop_contactgroup)
        .addEventListener('menu-open', menu_toggle)
        .addEventListener('menu-close', menu_toggle);

      if (rcmail.env.action == '') {
        new rcube_splitter({ id:'addressviewsplitterd', p1:'#addressview-left', p2:'#addressview-right',

 tests/Framework/Washtml.php

@@ -38,6 +38,23 @@
    }

    /**
     * Test XSS in area's href (#5240)
     */
    function test_href_area()
    {
        $html = '<p><area href="data:text/html,&lt;script&gt;alert(document.cookie)&lt;/script&gt;">'
            . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
            . '<area href="javascript:alert(document.domain)" shape=default>';

        $washer = new rcube_washtml;
        $washed = $washer->wash($html);

        $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
        $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
        $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
    }

    /**
     * Test handling HTML comments
     */
    function test_comments()

			@@ -1,7 +1,11 @@
			CHANGELOG Roundcube Webmail
			===========================


			- Fix message list multi-select/deselect issue (#5219)
			- Fix bug where contact search menu fields where always unchecked in Larry skin
			- Fix XSS issue in href attribute on area tag (#5240)
			- Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting

			RELEASE 1.1.5
			-------------

			@@ -1688,32 +1688,33 @@
			this.col_draglayer = null;
			}

			if (this.col_drag_active)
			this.focus();
			this.col_drag_active = false;

			rcube_event.remove_listener({event:'mousemove', object:this, method:'column_drag_mouse_move'});
			rcube_event.remove_listener({event:'mouseup', object:this, method:'column_drag_mouse_up'});

			// remove temp divs
			this.del_dragfix();

			if (this.selected_column !== null && this.cols && this.cols.length) {
			var i, cpos = 0, pos = rcube_event.get_mouse_pos(e);
			if (this.col_drag_active) {
			this.col_drag_active = false;
			this.focus();
			this.triggerEvent('column_dragend', e);

			// find destination position
			for (i=0; i<this.cols.length; i++) {
			if (pos.x >= this.cols[i]/2 + this.list_pos + cpos)
			cpos += this.cols[i];
			else
			break;
			}
			if (this.selected_column !== null && this.cols && this.cols.length) {
			var i, cpos = 0, pos = rcube_event.get_mouse_pos(e);

			if (i != this.selected_column && i != this.selected_column+1) {
			this.column_replace(this.selected_column, i);
			// find destination position
			for (i=0; i<this.cols.length; i++) {
			if (pos.x >= this.cols[i]/2 + this.list_pos + cpos)
			cpos += this.cols[i];
			else
			break;
			}

			if (i != this.selected_column && i != this.selected_column+1) {
			this.column_replace(this.selected_column, i);
			}
			}
			}

			this.triggerEvent('column_dragend', e);

			return rcube_event.cancel(e);
			},

			@@ -370,7 +370,7 @@
			*/
			private function is_link_attribute($tag, $attr)
			{
			return $tag == 'a' && $attr == 'href';
			return ($tag == 'a' \|\| $tag == 'area') && $attr == 'href';
			}

			/**

			@@ -579,4 +579,5 @@
			Eingabe: Ausgewählte/fokussierte Nachricht öffnen.
			Löschen: Ausgewählte Nachricht in den Papierkorb verschieben resp. löschen.";
			$labels['helplistkeyboardnavcontacts'] = "Eingabe: Ausgewählten Kontakt öffnen.";
			$labels['sigbelow'] = 'Signatur unter der zitierten Nachricht platzieren';
			?>

			@@ -579,4 +579,5 @@
			Enter: Öffne die ausgewählte/fokussierte Nachricht
			Rücktaste: Verschiebe gewählte Nachricht in den Mülleimer";
			$labels['helplistkeyboardnavcontacts'] = "Enter: Ausgewählten Kontakt öffnen.";
			$labels['sigbelow'] = 'Unterschrift unter der zitierten Nachricht platzieren';
			?>

			@@ -298,7 +298,9 @@
			else if (rcmail.env.task == 'addressbook') {
			rcmail.addEventListener('afterupload-photo', show_uploadform)
			.addEventListener('beforepushgroup', push_contactgroup)
			.addEventListener('beforepopgroup', pop_contactgroup);
			.addEventListener('beforepopgroup', pop_contactgroup)
			.addEventListener('menu-open', menu_toggle)
			.addEventListener('menu-close', menu_toggle);

			if (rcmail.env.action == '') {
			new rcube_splitter({ id:'addressviewsplitterd', p1:'#addressview-left', p2:'#addressview-right',

			@@ -38,6 +38,23 @@
			}

			/**
			* Test XSS in area's href (#5240)
			*/
			function test_href_area()
			{
			$html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">'
			. '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>'
			. '<area href="javascript:alert(document.domain)" shape=default>';

			$washer = new rcube_washtml;
			$washed = $washer->wash($html);

			$this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href");
			$this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href");
			$this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href");
			}

			/**
			* Test handling HTML comments
			*/
			function test_comments()