Security: Fix couple of XSS issues in Installer (#7406)

roundcube · Jun 1, 2020 · 655cfa5 · 655cfa5
1 parent fe0d97e
commit 655cfa5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,11 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+RELEASE 1.3.12
+--------------
+
+- Security: Fix couple of XSS issues in Installer (#7406)
+
 RELEASE 1.3.11
 --------------
 - Enigma: Fix compatibility with Mail_Mime >= 1.10.5

diff --git a/installer/test.php b/installer/test.php
@@ -126,7 +126,7 @@
         else {
             $RCI->fail('DSN (write)', $db_error_msg);
             echo '<p class="hint">Make sure that the configured database exists and that the user has write privileges<br />';
-            echo 'DSN: ' . $RCI->config['db_dsnw'] . '</p>';
+            echo 'DSN: ' . rcube::Q($RCI->config['db_dsnw']) . '</p>';
         }
     }
     else {
@@ -261,19 +261,19 @@
 <tbody>
   <tr>
     <td><label for="smtp_server">Server</label></td>
-    <td><?php echo rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost')); ?></td>
+    <td><?php echo rcube::Q(rcube_utils::parse_host($RCI->getprop('smtp_server', 'localhost'))); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_port">Port</label></td>
-    <td><?php echo $RCI->getprop('smtp_port'); ?></td>
+    <td><?php echo rcube::Q($RCI->getprop('smtp_port')); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_user">Username</label></td>
-    <td><?php echo $user; ?></td>
+    <td><?php echo rcube::Q($user); ?></td>
   </tr>
   <tr>
     <td><label for="smtp_pass">Password</label></td>
-    <td><?php echo $pass; ?></td>
+    <td><?php echo rcube::Q($pass); ?></td>
   </tr>
 </tbody>
 </table>