From 58fc995728352b466f166a67281b11f6db191f31 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 12 Aug 2011 15:39:39 -0400
Subject: [PATCH] Backport XSS vulnerability fix to 0.5 branch

---
 program/include/rcube_json_output.php |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/program/include/rcube_json_output.php b/program/include/rcube_json_output.php
index cd6b289..f9fe38d 100644
--- a/program/include/rcube_json_output.php
+++ b/program/include/rcube_json_output.php
@@ -169,12 +169,16 @@
     public function show_message($message, $type='notice', $vars=null, $override=true)
     {
         if ($override || !$this->message) {
+            if (rcube_label_exists($message)) {
+                if (!empty($vars))
+                    $vars = array_map('Q', $vars);
+                $msgtext = rcube_label(array('name' => $message, 'vars' => $vars));
+            }
+            else
+                $msgtext = $message;
+
             $this->message = $message;
-            $this->command(
-                'display_message',
-                rcube_label(array('name' => $message, 'vars' => $vars)),
-                $type
-            );
+            $this->command('display_message', $msgtext, $type, $timeout * 1000);
         }
     }
 

--
Gitblit v1.9.1