Merge pull request #113 from modoboa/fix/xss_issues

Fixed several XSS issues.
modoboa · Oct 3, 2017 · 5989852 · 5989852
2 parents 52abb82 + 15f5f94
commit 5989852
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/modoboa_webmail/lib/imapemail.py b/modoboa_webmail/lib/imapemail.py
@@ -77,12 +77,15 @@ def fetch_headers(self, raw_addresses=False):
             hdrvalue = self.get_header(msg, label, raw=raw_addresses)
             if not hdrvalue:
                 continue
+            safe = False
             if hdr[1]:
                 if label in headers_with_address:
                     if contacts_plugin_installed and not raw_addresses:
                         hdrvalue = self._insert_contact_links(hdrvalue)
                     hdrvalue = ", ".join(hdrvalue)
-                self.headers += [{"name": label, "value": hdrvalue}]
+                    safe = True
+                self.headers += [
+                    {"name": label, "value": hdrvalue, "safe": safe}]
             label = re.sub("-", "_", label)
             setattr(self, label, hdrvalue)
 
@@ -125,6 +128,11 @@ def headers_as_list(self):
     def headers_as_text(self):
         return " ".join(self.headers_as_list)
 
+    def viewmail_plain(self, content, **kwargs):
+        """Return the plain/text version of the email."""
+        content = escape(content)
+        return super(ImapEmail, self).viewmail_plain(content, **kwargs)
+
     @property
     def body(self):
         """Load email's body.

diff --git a/modoboa_webmail/templates/modoboa_webmail/headers.html b/modoboa_webmail/templates/modoboa_webmail/headers.html
@@ -3,7 +3,8 @@
 <table id="emailheaders" class="table table-condensed">
   {% for hdr in headers %}
     <tr>
-      <th>{{ hdr.name|localize_header_name }}</th><td>{{ hdr.value|safe }}</td>
+      <th>{{ hdr.name|localize_header_name }}</th>
+      <td>{% if hdr.safe %}{{ hdr.value|safe }}{% else %}{{ hdr.value }}{% endif %}</td>
     </tr>
   {% endfor %}
   {% if attachments %}

diff --git a/modoboa_webmail/templatetags/webmail_tags.py b/modoboa_webmail/templatetags/webmail_tags.py
@@ -259,10 +259,13 @@ def mboxes_menu():
 @register.filter
 def parse_imap_header(value, header):
     """Simple template tag to display a IMAP header."""
+    safe = True
     try:
         value = getattr(imapheader, "parse_%s" % header)(value)
     except AttributeError:
         pass
     if header == "from":
         value = value[0]
-    return mark_safe(value)
+    elif header == "subject":
+        safe = False
+    return value if not safe else mark_safe(value)