From e13ad37d8984b8b7a1a0ab96e4f2a561ef459265 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 14 Nov 2012 07:31:02 -0500
Subject: [PATCH] Fix XSS vulnerability in handling of text/enriched messages (#1488806)

---
 CHANGELOG                   |    1 +
 program/steps/mail/func.inc |    4 +++-
 2 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5edf0d6..29a9adb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS vulnerability in handling of text/enriched messages (#1488806)
 - Fix handling of 'media' attribute on linked css (#1488789)
 - Fix regression where unintentional page reload was done after request abort (#1488802)
 - Fix excessive LFs at the end of composed message with top_posting=true (#1488797)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 6712f25..9b5b4f9 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -740,7 +740,9 @@
   else if ($data['type'] == 'enriched') {
     $part->ctype_secondary = 'html';
     require_once(INSTALL_PATH . 'program/lib/enriched.inc');
-    $body = Q(enriched_to_html($data['body']), 'show');
+    $body = enriched_to_html($data['body']);
+    $body = rcmail_wash_html($body, $data, $part->replaces);
+    $part->ctype_secondary = 'html';
   }
   else {
     // assert plaintext
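Review bot: The added lines make `rcmail_wash_html()` the only barrier between a converted text/enriched body and the rendered page, but nothing in the branch says so. A comment above the call, such as `// enriched_to_html() output is sender-controlled HTML: it must always go through the washer before display`, would keep a later cleanup from reverting to plain output escaping. `$data` is passed through as the washer's options, so the caller's settings presumably govern this part as well; it is worth confirming they match what the text/html branch (outside this hunk) passes. `$part->ctype_secondary = 'html';` on the last added line repeats the unchanged assignment directly under the `else if`, so one of the two can be dropped. The enclosing function starts and ends outside the hunk.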

--