Also location in search mailbox where a user-defined flag needs to be…

… escaped

imp/docs/CHANGES

@@ -2,9 +2,9 @@
 v6.1.5-git
 ----------
 
+[mms] SECURITY: Fix XSS in message and search screens resulting from a
+      user-defined flag label (João Machado <geral@jpaulo.eu>).
 [mms] Improved UI for dropping attachments on dynamic compose screen.
-[mms] SECURITY: Fix XSS when flagging a message in dynamic view with a
-      user-defined flag (João Machado <geral@jpaulo.eu>).
 [mms] Fix manually loading all addresses in a header.
 [mms] Fix regression where reloading dynamic view would not load the previously
       selected message.

imp/js/search.js

@@ -310,7 +310,7 @@ var ImpSearch = {
     {
         var tmp = [
             new Element('EM').insert(this.text.flag),
-            new Element('SPAN', { className: 'searchFlag' }).insert(this.getCriteriaLabel(id).slice(0, -2)),
+            new Element('SPAN', { className: 'searchFlag' }).insert(this.getCriteriaLabel(id).slice(0, -2).escapeHTML()),
             new Element('SPAN', { className: 'notMatch' }).insert(new Element('INPUT', { className: 'checkbox', type: 'checkbox' }).setValue(not)).insert(this.text.not_match)
         ];
         this.criteria[this.insertCriteria(tmp)] = { t: id };

imp/lib/Basic/Search.php

@@ -354,6 +354,7 @@ protected function _init()
         $view = new Horde_View(array(
             'templatePath' => IMP_TEMPLATES . '/search'
         ));
+        $view->addHelper('Text');
         $view->addHelper('Tag');
         $view->addHelper('FormTag');
 

imp/package.xml

@@ -33,8 +33,8 @@
  </stability>
  <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
  <notes>
+* [mms] SECURITY: Fix XSS in message and search screens resulting from a user-defined flag label (João Machado &lt;geral@jpaulo.eu&gt;).
 * [mms] Improved UI for dropping attachments on dynamic compose screen.
-* [mms] SECURITY: Fix XSS when flagging a message in dynamic view with a user-defined flag (João Machado &lt;geral@jpaulo.eu&gt;).
 * [mms] Fix manually loading all addresses in a header.
 * [mms] Fix regression where reloading dynamic view would not load the previously selected message.
 * [mms] Fixed regression in enforcing max_recipients and max_timelimit permissions (Bug #12674).
@@ -3294,8 +3294,8 @@
    <date>2013-09-04</date>
    <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
    <notes>
+* [mms] SECURITY: Fix XSS in message and search screens resulting from a user-defined flag label (João Machado &lt;geral@jpaulo.eu&gt;).
 * [mms] Improved UI for dropping attachments on dynamic compose screen.
-* [mms] SECURITY: Fix XSS when flagging a message in dynamic view with a user-defined flag (João Machado &lt;geral@jpaulo.eu&gt;).
 * [mms] Fix manually loading all addresses in a header.
 * [mms] Fix regression where reloading dynamic view would not load the previously selected message.
 * [mms] Fixed regression in enforcing max_recipients and max_timelimit permissions (Bug #12674).

imp/templates/search/search.html.php

@@ -40,15 +40,15 @@
     <option value="or" style="display:none"><?php echo _("Add OR clause") ?></option>
     <option value="" disabled="disabled" style="display:none">- - - - - - - - -</option>
 <?php foreach ($this->clist as $v): ?>
-    <?php echo $this->optionTag($v['v'], $v['l']) ?>
+    <?php echo $this->optionTag($v['v'], $this->h($v['l'])) ?>
 <?php endforeach; ?>
     <option value="" disabled="disabled">- - - - - - - - -</option>
 <?php foreach ($this->filterlist as $v): ?>
-    <?php echo $this->optionTag($v['v'], $v['l']) ?>
+    <?php echo $this->optionTag($v['v'], $this->h($v['l'])) ?>
 <?php endforeach; ?>
     <option value="" disabled="disabled">- - - - - - - - -</option>
 <?php foreach ($this->flist as $v): ?>
-    <?php echo $this->optionTag($v['v'], $v['l']) ?>
+    <?php echo $this->optionTag($v['v'], $this->h($v['l'])) ?>
 <?php endforeach; ?>
    </select>
   </div>