set security=restricted attribute on the iframe, preventing javascript

and other tricks to be used inside its contents on supporting browsers.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10169 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/mime.php b/functions/mime.php
index 1427ab37b50efbc28f72942e8cb478f3459322c8..7a554c3a8dfb81773602cf8c2ae1da36cac83419 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -413,7 +413,7 @@ function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $ma
                  * need special handling for IE and IE6SP2.
                  */
                 $body.= "<div><iframe name=\"message_frame\" width=\"100%\" height=\"$iframe_height\" src=\"$iframeurl\""
-                    .' frameborder="1" marginwidth="0" marginheight="0" scrolling="auto">' . "\n";
+                    .' frameborder="1" marginwidth="0" marginheight="0" scrolling="auto" security="restricted">' . "\n";
 
                 // Message for browsers without iframe support
                 //$body.= _("Your browser does not support inline frames.
@@ -2370,4 +2370,4 @@ function SendDownloadHeaders($type0, $type1, $filename, $force, $filesize=0) {
 
 }  // end fn SendDownloadHeaders
 
-?>
\ No newline at end of file
+?>