From 1ef4033b8d6aa2ec8559f6aea5f35c9044e033e4 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sat, 19 Jan 2013 11:02:48 -0500
Subject: [PATCH] Also block remote images in HTML part view (#1488827)

---
 program/steps/mail/get.inc |   29 +++++++++++++++++++++++++++--
 program/js/app.js          |    8 +++-----
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/program/js/app.js b/program/js/app.js
index 7197609..6d48222 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -821,11 +821,9 @@
 
         // open attachment in frame if it's of a supported mimetype
         if (this.env.uid && props.mimetype && this.env.mimetypes && $.inArray(props.mimetype, this.env.mimetypes) >= 0) {
-          if (props.mimetype == 'text/html')
-            qstring += '&_safe=1';
-          this.attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment');
-          if (this.attachment_win) {
-            setTimeout(function(){ ref.attachment_win.focus(); }, 10);
+          var attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment'+this.env.uid+props.part);
+          if (attachment_win) {
+            setTimeout(function(){ attachment_win.focus(); }, 10);
             break;
           }
         }
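Review bot: The new window name `'rcubemailattachment'+this.env.uid+props.part` joins the two ids without a separator, so different uid/part pairs can produce the same name (uid 1 with part 12, uid 11 with part 2), and one attachment would then load into a window that was opened for another. A fixed delimiter and a normalised part id avoids that, e.g. `'rcubemailattachment_'+this.env.uid+'_'+String(props.part).replace(/[^a-z0-9]/gi, '_')`; MIME part ids usually contain dots, which some older browsers may not accept in a window name. The handle is also no longer stored on `this.attachment_win`, so any code outside this hunk that still reads that property should be checked. The enclosing function starts and ends outside the hunk.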
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 9d9032b..6cda4e8 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -35,6 +35,11 @@
 
 ob_end_clean();
 
+
+// define global style for warning blocks inside the attachment part frame
+// TODO: get styles for this from skin (but we don't have a skin template here...)
+$warning_css_style = 'border:2px solid #ffdf0e; background:#fef893; padding:0.6em 1em';
+
 // similar code as in program/steps/mail/show.inc
 if (!empty($_GET['_uid'])) {
   $RCMAIL->config->set('prefer_html', true);
@@ -154,12 +159,12 @@
       if (!$valid) {
         $OUTPUT = new rcmail_html_page();
         $OUTPUT->write(html::tag('html', null, html::tag('body', array('style' => 'font-family:sans-serif; margin:1em'),
-          html::div(array('class' => 'warning', 'style' => 'border:2px solid #ffdf0e; background:#fef893; padding:1em 1em 0 1em;'),
+          html::div(array('class' => 'warning', 'style' => $warning_css_style),
             rcube_label(array(
               'name' => 'attachmentvalidationerror',
               'vars' => array('expected' => "$mimetype (.$file_extension)", 'detected' => "$real_mimetype (.$extensions[0])")
             )) .
-            html::p('buttons',
+            html::p(array('class' => 'buttons', 'style' => 'margin-bottom:0'),
               html::tag('button',
                 array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
                 rcube_label('showanyway')))
@@ -214,7 +219,27 @@
         if (!$part->body)
           $part->body = $MESSAGE->get_part_content($part->mime_id);
 
+        // show images?
+        rcmail_check_safe($MESSAGE);
+
+        // render HTML body
         $out = rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));
+
+        // insert remote objects warning into HTML body
+        if ($REMOTE_OBJECTS) {
+          $body_start = 0;
+          if ($body_pos = strpos($out, '<body')) {
+            $body_start = strpos($out, '>', $body_pos) + 1;
+          }
+          $out = substr($out, 0, $body_start) .
+            html::div(array('class' => 'warning', 'style' => $warning_css_style),
+              Q(rcube_label('blockedimages')) . '&nbsp;' .
+              html::tag('button',
+                array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_safe' => 1))) . "'"),
+                Q(rcube_label('showimages')))
+            ) .
+            substr($out, $body_start);
+        }
       }
 
       // check connection status
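Review bot: The lookup `if ($body_pos = strpos($out, '<body'))` treats a match at offset 0 the same as no match, and the following `strpos($out, '>', $body_pos) + 1` turns a missing `>` into `false + 1`, i.e. offset 1, so the warning block can be spliced into the middle of the markup. Compare against `false` explicitly: `$body_pos = strpos($out, '<body'); if ($body_pos !== false && ($gt = strpos($out, '>', $body_pos)) !== false) $body_start = $gt + 1;`. Separately, the button's `onclick` concatenates `$RCMAIL->url(array_merge($_GET, array('_safe' => 1)))` into a single-quoted JavaScript string, the same pattern as the existing `_nocheck` button earlier in the file. Whether `url()` and `html::tag()` encode a quote or backslash coming from a request parameter is not visible here, so confirm that, or escape the URL for a JavaScript string context before it goes into the attribute. The enclosing block starts and ends outside the hunk.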

--
Gitblit v1.9.1