Security: Fix XSS issue in template object 'username' (#7406)
alecpl authored and thomascube committed Jun 1, 2020
1 parent 655cfa5 commit 37e2bc7
Showing 3 changed files with 15 additions and 4 deletions.
4 changes: 2 additions & 2 deletions CHANGELOG
@@ -3,8 +3,8 @@ CHANGELOG Roundcube Webmail

RELEASE 1.3.12
--------------

- Security: Fix couple of XSS issues in Installer (#7406)
- Security: Fix XSS issue in template object 'username' (#7406)
- Security: Fix couple of XSS issues in Installer (#7406)

RELEASE 1.3.11
--------------
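Review bot: Both RELEASE 1.3.12 entries cite the same ticket (#7406) although they describe different fixes (XSS in the Installer versus XSS in the template object 'username'); if these were reported separately, point each entry at its own ticket so the changelog stays traceable. Minor wording: "Fix a couple of XSS issues" reads better than "Fix couple of XSS issues".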
11 changes: 10 additions & 1 deletion INSTALL
@@ -60,7 +60,16 @@ INSTALLATION
5. Point your browser to http://url-to-roundcube/installer/
6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
7. After creating and testing the configuration, remove the installer directory
8. Check Known Issues section of this file
------------------------------------------
IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
------------------------------------------
8. If you use git sources compile css files for the Elastic skin (required
lessc >= 1.5.0):
$ cd skins/elastic
$ lessc -x styles/styles.less > styles/styles.css
$ lessc -x styles/print.less > styles/print.css
$ lessc -x styles/embed.less > styles/embed.css
9. Check Known Issues section of this file


CONFIGURATION HINTS
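Review bot: This INSTALL change (a new step 8 about compiling the Elastic skin CSS with lessc, with "Check Known Issues" renumbered to step 9) is unrelated to the XSS fix named in the commit title, which makes the security fix harder to review and backport on its own; it belongs in a separate commit. Within the hunk, the "IMPORTANT: REMOVE THE INSTALLER DIRECTORY!" banner now sits between step 7 and the new step 8, so the lessc instructions read as part of that warning; move the banner after step 9 or before the numbered list. The commands also assume the reader is in the Roundcube root directory before "$ cd skins/elastic"; state that explicitly.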
4 changes: 3 additions & 1 deletion program/include/rcmail_output_html.php
@@ -1823,7 +1823,9 @@ public function current_username($attrib)
$username = $this->app->user->get_username();
}

return rcube_utils::idn_to_utf8($username);
$username = rcube_utils::idn_to_utf8($username);

return html::quote($username);
}

/**
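Review bot: Escaping with html::quote() at the return of current_username() is the right order (IDN-decode first, then HTML-encode), but check every caller and template that consumes this object's output to confirm none of them already escape it, otherwise quotes and ampersands in a username will now be double-encoded. A regression test that renders a username containing "<" and "&" through the template object would pin down the intended output.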