
ZCS-2645 Bug 108265 - Persistent XSS - message view as text [CWE-79]

Issue:
- When viewing html mail content in plain text mode, script was getting executed

Resolution:
- After converting HTML content to plain text we need to HTML-encode it so the contents will not be executed when added to the DOM
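The issue and resolution above, shown as an added example that is not Zimbra's code: the two `AjxStringUtil` helpers are replaced by minimal hypothetical stand-ins, and the "before" and "after" rendering lines from the patch are wrapped in functions so the difference can be checked offline.

```javascript
// Added example, not part of the Zimbra code base. convertHtml2Text and
// htmlEncode below are simplified stand-ins for AjxStringUtil's helpers.

// Stand-in for AjxStringUtil.convertHtml2Text: strip tags, then decode the
// common entities so the visible text comes back as plain characters.
function convertHtml2Text(html) {
  return html
    .replace(/<br\s*\/?>/gi, "\n")
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" does not become "<"
}

// Stand-in for AjxStringUtil.htmlEncode: escape every character that can
// open a tag, entity or attribute once the string is inserted as markup.
function htmlEncode(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

const WRAP_OPEN = "<div style='white-space:pre-wrap;'>";
const WRAP_CLOSE = "</div>";

// "Before" line from the patch: converted text is concatenated into markup as-is.
function renderAsTextVulnerable(content) {
  return WRAP_OPEN + convertHtml2Text(content) + WRAP_CLOSE;
}

// "After" line from the patch: the converted text is HTML-encoded first.
function renderAsTextFixed(content) {
  return WRAP_OPEN + htmlEncode(convertHtml2Text(content)) + WRAP_CLOSE;
}

// Detection check: does the body between the wrapper tags still contain a
// tag opener? If so the "plain text" would be parsed as markup by the browser.
function containsForeignTag(markup) {
  const inner = markup.slice(WRAP_OPEN.length, -WRAP_CLOSE.length);
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: an HTML part whose visible text carries entity-encoded
// markup, which the text conversion decodes back into a literal tag.
const SAMPLE_HTML = "<p>Hello &lt;b&gt;not bold&lt;/b&gt; world</p>";
```

Running both paths on `SAMPLE_HTML` shows the vulnerable wrapper emitting a live `<b>` element while the fixed wrapper keeps it as the visible text `&lt;b&gt;`.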
silentsakky committed Sep 6, 2017
1 parent d8a38eb commit 92d2886277e7d8d4f4835a26355fa93dfebc5504
Showing with 1 addition and 1 deletion.
  1. +1 −1 WebRoot/js/zimbraMail/mail/view/ZmMailMsgView.js
@@ -1856,7 +1856,7 @@ ZmMailMsgView.prototype._renderMessageBody1 = function(params, part) {
}
else {
// this can happen if a message only has an HTML part and the user wants to view mail as text
content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.convertHtml2Text(content) + "</div>"
content = "<div style='white-space:pre-wrap;'>" + AjxStringUtil.htmlEncode(AjxStringUtil.convertHtml2Text(content)) + "</div>"
}
}
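Review bot: the changed `content = ...` line in the else branch is the right fix, but it ships without a regression test; add one that passes `_renderMessageBody1` an HTML-only part whose text contains entity-encoded markup (for example `&lt;b&gt;`) in view-as-text mode and asserts the rendered body still contains `&lt;b&gt;` rather than a live `<b>` element. Also confirm that `AjxStringUtil.htmlEncode` escapes `&`, `<`, `>` and both quote characters, since its output is concatenated straight into the wrapper `<div>` as markup, and check that the branches of `_renderMessageBody1` outside this hunk do not concatenate `convertHtml2Text` output without the same encoding.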
