Fix XSS vulnerability in handling of text/enriched messages (#1488806)

Conflicts: CHANGELOG
roundcube · Nov 14, 2012 · 377793d · 377793d
1 parent a5c8786
commit 377793d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS vulnerability in handling of text/enriched messages (#1488806)
 - Fix compatybility with MDB2 2.5.0b4 (#1488779)
 - Fix lower-casing email address on replies (#1488598)
 - Fix so subscribed non-existing/non-accessible shared folder can be unsubscribed

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
@@ -743,7 +743,9 @@ function rcmail_print_body($part, $p = array())
   else if ($data['type'] == 'enriched') {
     $part->ctype_secondary = 'html';
     require_once(INSTALL_PATH . 'program/lib/enriched.inc');
-    $body = Q(enriched_to_html($data['body']), 'show');
+    $body = enriched_to_html($data['body']);
+    $body = rcmail_wash_html($body, $data, $part->replaces);
+    $part->ctype_secondary = 'html';
   }
   else {
     // assert plaintext