[jan] SECURITY: Fix XSS vulnerability in rule search (Andrey Zelenchu…

…k <azelenchuk@plesk.com>).
horde · May 3, 2017 · 6854284 · 6854284
1 parent dfec3d9
commit 6854284
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/ingo/docs/CHANGES b/ingo/docs/CHANGES
@@ -11,6 +11,24 @@ v4.0.0-git
 [mms] Rearrange the default order of filter rules.
 
 
+-------
+v3.2.14
+-------
+
+[jan] Never send autoreplies again when setting zero vacation days in Procmail
+      or Maildrop backends (Bug #14549).
+[jan] Don't split sieve body tests on commas (Bug #14546).
+
+
+-------
+v3.2.13
+-------
+
+[jan] Convert vacation rules in preference backend from Ingo < 2.0.
+[jan] Fix some edge cases with Sieve vacation rules with date limits (Bug
+      #14486).
+
+
 -------
 v3.2.12
 -------

diff --git a/ingo/lib/Basic/Filters.php b/ingo/lib/Basic/Filters.php
@@ -174,6 +174,7 @@ protected function _init()
         $view->addHelper('Horde_Core_View_Helper_Label');
         $view->addHelper('FormTag');
         $view->addHelper('Tag');
+        $view->addHelper('Text');
 
         $view->canapply = $factory->canPerform();
         $view->deleteallowed = $delete_allowed;

diff --git a/ingo/package.xml b/ingo/package.xml
@@ -1746,13 +1746,26 @@
    <stability>
     <release>stable</release>
     <api>stable</api></stability>
-   <date>2016-12-16</date>
+   <date>2017-03-20</date>
    <license uri="http://www.horde.org/licenses/apache">ASL</license>
    <notes>
 * [jan] Never send autoreplies again when setting zero vacation days in Procmail or Maildrop backends (Bug #14549).
 * [jan] Don&apos;t split sieve body tests on commas (Bug #14546).
    </notes>
   </release>
+  <release>
+   <version>
+    <release>3.2.15</release>
+    <api>3.2.0</api></version>
+   <stability>
+    <release>stable</release>
+    <api>stable</api></stability>
+   <date>2017-03-20</date>
+   <license uri="http://www.horde.org/licenses/apache">ASL</license>
+   <notes>
+* [jan] SECURITY: Fix XSS vulnerability in rule search (Andrey Zelenchuk &lt;azelenchuk@plesk.com&gt;).
+   </notes>
+  </release>
   <release>
    <date>2016-11-09</date>
    <version>

diff --git a/ingo/templates/basic/filters/filters.html.php b/ingo/templates/basic/filters/filters.html.php
@@ -14,9 +14,9 @@
  <div class="header">
 <?php if ($this->mbox_search): ?>
 <?php if ($this->mbox_search['exact']): ?>
-  <?php printf(_("Rules Matching Mailbox \"%s\""), $this->mbox_search['query']) ?>
+  <?php printf(_("Rules Matching Mailbox \"%s\""), $this->h($this->mbox_search['query'])) ?>
 <?php else: ?>
-  <?php printf(_("Rules Containing Mailbox \"%s\""), $this->mbox_search['query']) ?>
+  <?php printf(_("Rules Containing Mailbox \"%s\""), $this->h($this->mbox_search['query'])) ?>
 <?php endif; ?>
 <?php else: ?>
   <?php echo _("Filter Rules") ?>