From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- skins/larry/templates/messagepreview.html | 20 ++++++++++++-------- 1 files changed, 12 insertions(+), 8 deletions(-) diff --git a/skins/larry/templates/messagepreview.html b/skins/larry/templates/messagepreview.html index 1a23a95..aef282a 100644 --- a/skins/larry/templates/messagepreview.html +++ b/skins/larry/templates/messagepreview.html @@ -6,33 +6,37 @@ </head> <body class="iframe fullheight"> -<div id="messagepreviewheader"> +<div id="messageheader" class="previewheader"> <h3 class="subject"><roundcube:object name="messageHeaders" valueOf="subject" /></h3> + +<a href="#details" id="previewheaderstoggle" class="moreheaderstoggle"><span class="iconlink" title="<roundcube:label name='togglemoreheaders' />"></span></a> +<div id="contactphoto"><roundcube:object name="contactphoto" /></div> <table class="headers-table" id="preview-shortheaders"><tbody><tr> <roundcube:if condition="env:mailbox == config:drafts_mbox || env:mailbox == config:sent_mbox"> <td class="header-title"><roundcube:label name="to" /></td> - <td class="header from"><roundcube:object name="messageHeaders" valueOf="to" addicon="/images/addcontact.png" /></td> + <td class="header from"><roundcube:object name="messageHeaders" valueOf="to" max="3" addicon="/images/addcontact.png" /></td> <roundcube:else /> <td class="header-title"><roundcube:label name="from" /></td> <td class="header from"><roundcube:object name="messageHeaders" valueOf="from" addicon="/images/addcontact.png" /></td> <roundcube:endif /> <td class="header-title"><roundcube:label name="date" /></td> - <td class="header from"><roundcube:object name="messageHeaders" valueOf="date" /></td> - <td class="header"><a href="#details" id="previewheaderstoggle" class="iconlink add">Details</a> + <td class="header date"><span><roundcube:object name="messageHeaders" valueOf="date" /></span></td> </tr></tbody></table> -<roundcube:object name="messageHeaders" id="preview-allheaders" class="headers-table" addicon="/images/addcontact.png" exclude="subject,replyto" /> +<roundcube:object name="messageHeaders" id="preview-allheaders" class="headers-table" addicon="/images/addcontact.png" max="10" exclude="subject,replyto" /> + +<roundcube:object name="messageFullHeaders" id="full-headers" /> <!-- record navigation --> <div id="countcontrols" class="pagenav"> <roundcube:if condition="env:mailbox != config:drafts_mbox"> <roundcube:button command="reply" type="link" class="button reply" classSel="button reply pressed" innerClass="inner" title="replytomessage" content="<-" /> - <roundcube:button command="replyall" type="link" class="button replyall" classSel="button replyall pressed" innerClass="inner" title="replytoallmessage" content="<<-" /> + <roundcube:button command="reply-all" type="link" class="button replyall" classSel="button replyall pressed" innerClass="inner" title="replytoallmessage" content="<<-" /> <roundcube:button command="forward" type="link" class="button forward" classSel="button forward pressed" innerClass="inner" title="forwardmessage" content="->" /> <roundcube:endif /> - <roundcube:button command="permaurl" type="link" class="button extwin" classSel="button extwin pressed" innerClass="inner" title="openinextwin" content="[]" target="_blank" /> + <roundcube:button command="extwin" type="link" class="button extwin" classSel="button extwin pressed" innerClass="inner" title="openinextwin" content="[]" /> </div> </div> @@ -43,7 +47,7 @@ </div> <div class="leftcol"> <roundcube:object name="messageObjects" id="message-objects" /> -<roundcube:object name="messageBody" id="messagebody" /> +<roundcube:object name="messageBody" id="messagebody" headertableclass="message-partheaders headers-table" /> </div> </div> -- Gitblit v1.9.1