Commit 37e2bc7

alecpl authored and thomascube committed
Security: Fix XSS issue in template object 'username' (#7406)
1 parent 655cfa5 commit 37e2bc7

File tree

3 files changed, +15 -4 lines changed

Diff for: CHANGELOG

+2-2
@@ -3,8 +3,8 @@ CHANGELOG Roundcube Webmail
33

44
RELEASE 1.3.12
55
--------------
6-
7-
- Security: Fix couple of XSS issues in Installer (#7406)
6+
- Security: Fix XSS issue in template object 'username' (#7406)
7+
- Security: Fix couple of XSS issues in Installer (#7406)
88

99
RELEASE 1.3.11
1010
--------------
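Review bot: the new 'username' template object entry reuses #7406, the issue number already attached to the Installer XSS entry directly below it, so a reader of the CHANGELOG cannot tell whether this is a second finding from the same report or a separate bug filed against the same number; if the template object issue was reported separately it should carry its own reference, and if #7406 really covers both, the commit message should say so explicitly rather than leave it to be inferred from the duplicate number.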

Diff for: INSTALL

+10-1
@@ -60,7 +60,16 @@ INSTALLATION
6060
5. Point your browser to http://url-to-roundcube/installer/
6161
6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
6262
7. After creating and testing the configuration, remove the installer directory
63-
8. Check Known Issues section of this file
63+
------------------------------------------
64+
IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
65+
------------------------------------------
66+
8. If you use git sources compile css files for the Elastic skin (required
67+
lessc >= 1.5.0):
68+
$ cd skins/elastic
69+
$ lessc -x styles/styles.less > styles/styles.css
70+
$ lessc -x styles/print.less > styles/print.css
71+
$ lessc -x styles/embed.less > styles/embed.css
72+
9. Check Known Issues section of this file
6473

6574

6675
CONFIGURATION HINTS
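Review bot: the new step 8 (compiling the Elastic skin CSS with lessc when running from git sources) is a build-instruction change with no relation to the XSS fixes the commit message describes, and bundling it into a security commit makes the fix harder to cherry-pick cleanly onto release branches; it belongs in its own commit. The boxed "IMPORTANT: REMOVE THE INSTALLER DIRECTORY!" banner after step 7 would also be stronger if it said why: the installer is what creates the configuration (step 7 itself says so) and, per the CHANGELOG in this same commit, it had XSS issues of its own, so a forgotten installer/ directory is reachable attack surface, not just clutter. One sentence along the lines of "The installer can read and write your configuration and must never stay reachable on a production host" would make the box self-explanatory.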

Diff for: program/include/rcmail_output_html.php

+3-1
@@ -1823,7 +1823,9 @@ public function current_username($attrib)
18231823
$username = $this->app->user->get_username();
18241824
}
18251825

1826-
return rcube_utils::idn_to_utf8($username);
1826+
$username = rcube_utils::idn_to_utf8($username);
1827+
1828+
return html::quote($username);
18271829
}
18281830

18291831
/**
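Review bot: html::quote() is now applied inside current_username(), so any other caller that already escapes the return value before emitting it will double-encode from this commit on (an & in a username becomes &amp;amp; on the page); grep for callers of current_username() and drop the outer escaping wherever it exists, or this fix trades an XSS for a display regression. The ordering in the hunk is correct (rcube_utils::idn_to_utf8() first, then html::quote(), so the decoded Unicode form is what gets escaped, not the punycode), but the method now returns HTML, not plain text, and that contract is visible nowhere; a short docblock line such as "Returns the username as HTML-escaped text for direct template output" above the method would keep a future caller from treating the result as raw data or escaping it a second time.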
