Improved app security
RainLoop committed Jul 1, 2019
1 parent b244462 commit 8eb4588
Showing 4 changed files with 20 additions and 1 deletion.
7 changes: 7 additions & 0 deletions rainloop/v/0.0.0/app/libraries/MailSo/Base/HtmlUtils.php
Expand Up @@ -1100,6 +1100,13 @@ public static function ClearHtml($sHtml, &$bHasExternals = false, &$aFoundCIDs =
}
}

$sLinkHref = \trim($oElement->getAttribute('xlink:href'));
if ($sLinkHref && !\preg_match('/^(http[s]?):/i', $sLinkHref) && '//' !== \substr($sLinkHref, 0, 2))
{
$oElement->setAttribute('data-x-blocked-xlink-href', $sLinkHref);
$oElement->removeAttribute('xlink:href');
}

if (\in_array($sTagNameLower, array('a', 'form', 'area')))
{
$oElement->setAttribute('target', '_blank');
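Review bot: The added xlink:href guard rejects every value that is not absolute http(s) or protocol-relative, which also blocks same-document fragment references such as `#symbol` that `<use>` and `<image>` legitimately rely on; if that strictness is intended, it deserves a comment, e.g. `// Only absolute http(s) and protocol-relative xlink:href values survive; javascript:, data: and fragment references are moved to data-x-blocked-xlink-href.`. The truthiness test `$sLinkHref &&` also lets the literal value `0` through unblocked, a harmless but avoidable quirk compared with `'' !== $sLinkHref`. ClearHtml begins before this hunk, so the element-selection logic this check sits under is not visible here.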
Expand Up @@ -198,7 +198,8 @@ protected function defaultValues()

'custom_server_signature' => array('RainLoop'),
'x_frame_options_header' => array(''),

'x_xss_protection_header' => array('1; mode=block'),

'openpgp' => array(false),

'admin_login' => array('admin', 'Login and password for web admin panel'),
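Review bot: The new `x_xss_protection_header` default carries no second array element, unlike the `admin_login` entry a few lines below, so whatever that element is used for (presumably a description shown with the option) will be empty for this key; `'x_xss_protection_header' => array('1; mode=block', 'Value of the X-XSS-Protection response header; leave empty to disable'),` would follow the visible convention. defaultValues() starts outside this hunk, and the role of the second element is inferred from the `admin_login` line only.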
10 changes: 10 additions & 0 deletions rainloop/v/0.0.0/app/libraries/RainLoop/Service.php
Expand Up @@ -47,6 +47,12 @@ private function __construct()
@\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
}

$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));
if (0 < \strlen($sXssProtectionOptionsHeader))
{
@\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
}

if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
{
@\header('Location: https://'.$this->oHttp->GetHost(false, false).$this->oHttp->GetUrl(), true);
Expand Down Expand Up @@ -248,6 +254,10 @@ private function localHandle()

$sResult .= ']-->';
}
else
{
@\header('X-XSS-Protection: 1; mode=block');
}

// Output result
echo $sResult;
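Review bot: The `else` branch added in localHandle sends a hard-coded `X-XSS-Protection: 1; mode=block`, bypassing the `security.x_xss_protection_header` setting that the `__construct` hunk above reads, so an administrator who clears the option to disable the header still receives it on that response path. Reusing the configured value there, or dropping the hard-coded call since the constructor already emits the header when the option is non-empty, keeps the two hunks consistent. The chosen value is also worth re-examining: major browsers have since retired the reflective XSS filter this header controls, and current guidance commonly recommends sending `0` rather than `1; mode=block` because the filter itself has been a source of information leaks. Both enclosing methods start outside their hunks, and the `if` branch that this `else` pairs with is not visible.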
1 change: 1 addition & 0 deletions rainloop/v/0.0.0/app/libraries/RainLoop/ServiceActions.php
Expand Up @@ -498,6 +498,7 @@ public function ServiceRaw()
if (\method_exists($this->oActions, $sMethodName))
{
@\header('X-Raw-Action: '.$sMethodName, true);
@\header('Content-Security-Policy: default-src \'self\'; script-src \'none\'; style-src \'none\'; frame-src \'none\'; child-src \'none\'', true);

$sRawError = '';
$this->oActions->SetActionParams(array(
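Review bot: The CSP added to ServiceRaw leaves `form-action` and `base-uri` unrestricted, since neither directive falls back to `default-src`, and `object-src` inherits `'self'`, so an HTML or SVG attachment rendered from this endpoint could still submit forms to any origin or embed same-origin plugin content. Appending `object-src 'none'; form-action 'none'; base-uri 'none'` to the header value closes those gaps without touching the `script-src`/`style-src` restrictions already present. ServiceRaw begins before this hunk, so whether raw responses also carry `Content-Disposition` or `X-Content-Type-Options` cannot be checked here.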
