[mms] SECURITY: Fix XSS vulnerability when manually switching between…

… plaintext -> HTML compose mode. Reported by: João Machado <geral@jpaulo.eu>
horde · Mar 5, 2015 · ce0d8c6 · ce0d8c6
1 parent 266b370
commit ce0d8c6
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
@@ -2,6 +2,8 @@
 v6.2.8-git
 ----------
 
+[mms] SECURITY: Fix XSS vulnerability when manually switching between plaintext
+      -> HTML compose mode.
 [jan] Fix protocol name in POP3 example backend configuration.
 [mms] Don't honor linked attachment limit configuration options if linked
       attachments are disabled (Bug #13665).

diff --git a/imp/js/compose-dimp.js b/imp/js/compose-dimp.js
@@ -581,8 +581,13 @@ var DimpCompose = {
             this.rte = new IMP_Editor('composeMessage', config);
 
             this.rte.editor.on('getData', function(evt) {
-                var elt = new Element('SPAN').insert(evt.data.dataValue),
-                    elts = elt.select('IMG[dropatc_id]');
+                var elt = new Element('SPAN'), elts;
+
+                /* Don't use prototype's insert() since we don't want any
+                 * scripts that may exist in the text data to be eval'd. */
+                elt.innerHTML = evt.data.dataValue;
+                elts = elt.select('IMG[dropatc_id]');
+
                 if (elts.size()) {
                     elts.invoke('writeAttribute', 'dropatc_id', null);
                     elts.invoke('writeAttribute', 'src', null);

diff --git a/imp/package.xml b/imp/package.xml
@@ -33,6 +33,7 @@
  </stability>
  <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
  <notes>
+* [mms] SECURITY: Fix XSS vulnerability when manually switching between plaintext -&gt; HTML compose mode.
 * [jan] Fix protocol name in POP3 example backend configuration.
 * [mms] Don&apos;t honor linked attachment limit configuration options if linked attachments are disabled (Bug #13665).
  </notes>
@@ -3829,6 +3830,7 @@
    <date>2015-02-10</date>
    <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
    <notes>
+* [mms] SECURITY: Fix XSS vulnerability when manually switching between plaintext -&gt; HTML compose mode.
 * [jan] Fix protocol name in POP3 example backend configuration.
 * [mms] Don&apos;t honor linked attachment limit configuration options if linked attachments are disabled (Bug #13665).
    </notes>