From 93b0a30c1c8aa29d862b587b31e52bcc344b8d16 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 01 Aug 2013 08:49:55 -0400
Subject: [PATCH] Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

---
 program/steps/mail/compose.inc |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 2330bc0..590d9c2 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -1000,10 +1000,14 @@
       && count($MESSAGE->mime_parts) > 0)
   {
     $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml);
+  }
 
-    // replace cid with href in inline images links
-    if ($cid_map)
-      $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+  // clean up html tags - XSS prevention (#1489251)
+  $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);
+
+  // replace cid with href in inline images links
+  if ($cid_map) {
+    $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
   }
 
   return $body;

--
Gitblit v1.9.1