From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- skins/larry/templates/messagepreview.html | 29 +++++++++++++++++++++++------ 1 files changed, 23 insertions(+), 6 deletions(-) diff --git a/skins/larry/templates/messagepreview.html b/skins/larry/templates/messagepreview.html index 0302df4..aef282a 100644 --- a/skins/larry/templates/messagepreview.html +++ b/skins/larry/templates/messagepreview.html @@ -6,31 +6,48 @@ </head> <body class="iframe fullheight"> -<div id="messagepreviewheader"> +<div id="messageheader" class="previewheader"> <h3 class="subject"><roundcube:object name="messageHeaders" valueOf="subject" /></h3> -<roundcube:object name="messageHeaders" class="headers-table" addicon="/images/addcontact.png" exclude="subject,replyto" /> + +<a href="#details" id="previewheaderstoggle" class="moreheaderstoggle"><span class="iconlink" title="<roundcube:label name='togglemoreheaders' />"></span></a> +<div id="contactphoto"><roundcube:object name="contactphoto" /></div> + +<table class="headers-table" id="preview-shortheaders"><tbody><tr> +<roundcube:if condition="env:mailbox == config:drafts_mbox || env:mailbox == config:sent_mbox"> + <td class="header-title"><roundcube:label name="to" /></td> + <td class="header from"><roundcube:object name="messageHeaders" valueOf="to" max="3" addicon="/images/addcontact.png" /></td> +<roundcube:else /> + <td class="header-title"><roundcube:label name="from" /></td> + <td class="header from"><roundcube:object name="messageHeaders" valueOf="from" addicon="/images/addcontact.png" /></td> +<roundcube:endif /> + <td class="header-title"><roundcube:label name="date" /></td> + <td class="header date"><span><roundcube:object name="messageHeaders" valueOf="date" /></span></td> +</tr></tbody></table> + +<roundcube:object name="messageHeaders" id="preview-allheaders" class="headers-table" addicon="/images/addcontact.png" max="10" exclude="subject,replyto" /> + <roundcube:object name="messageFullHeaders" id="full-headers" /> <!-- record navigation --> <div id="countcontrols" class="pagenav"> <roundcube:if condition="env:mailbox != config:drafts_mbox"> <roundcube:button command="reply" type="link" class="button reply" classSel="button reply pressed" innerClass="inner" title="replytomessage" content="<-" /> - <roundcube:button command="replyall" type="link" class="button replyall" classSel="button replyall pressed" innerClass="inner" title="replytoallmessage" content="<<-" /> + <roundcube:button command="reply-all" type="link" class="button replyall" classSel="button replyall pressed" innerClass="inner" title="replytoallmessage" content="<<-" /> <roundcube:button command="forward" type="link" class="button forward" classSel="button forward pressed" innerClass="inner" title="forwardmessage" content="->" /> <roundcube:endif /> - <roundcube:button command="permaurl" type="link" class="button extwin" classSel="button extwin pressed" innerClass="inner" title="openinextwin" content="[]" target="_blank" /> + <roundcube:button command="extwin" type="link" class="button extwin" classSel="button extwin pressed" innerClass="inner" title="openinextwin" content="[]" /> </div> </div> <div id="messagepreview"> <div class="rightcol"> -<roundcube:object name="messageAttachments" id="attachment-list" /> +<roundcube:object name="messageAttachments" id="attachment-list" class="attachmentslist" /> </div> <div class="leftcol"> <roundcube:object name="messageObjects" id="message-objects" /> -<roundcube:object name="messageBody" id="messagebody" /> +<roundcube:object name="messageBody" id="messagebody" headertableclass="message-partheaders headers-table" /> </div> </div> -- Gitblit v1.9.1