From 58fc995728352b466f166a67281b11f6db191f31 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 12 Aug 2011 15:39:39 -0400
Subject: [PATCH] Backport XSS vulnerability fix to 0.5 branch

---
 program/include/rcube_template.php |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index 5e0f4c1..9bd9b7a 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -249,11 +249,16 @@
     public function show_message($message, $type='notice', $vars=null, $override=true)
     {
         if ($override || !$this->message) {
+            if (rcube_label_exists($message)) {
+                if (!empty($vars))
+                    $vars = array_map('Q', $vars);
+                $msgtext = rcube_label(array('name' => $message, 'vars' => $vars));
+            }
+            else
+                $msgtext = $message;
+
             $this->message = $message;
-            $this->command(
-                'display_message',
-                rcube_label(array('name' => $message, 'vars' => $vars)),
-                $type);
+            $this->command('display_message', $msgtext, $type, $timeout * 1000);
         }
     }
 

--
Gitblit v1.9.1