From bb40a9c1d9766ba4212a3350fbd702af3e2d06ee Mon Sep 17 00:00:00 2001 From: pdontthink Date: Tue, 12 Jul 2011 04:59:12 +0000 Subject: [PATCH] Fix XSS problem with unsanitized style tags in messages [CVE-2011-2023] git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14122 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- doc/ChangeLog | 1 + functions/mime.php | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/doc/ChangeLog b/doc/ChangeLog index 64fbb789..06cf9065 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -365,6 +365,7 @@ Version 1.5.2 - SVN - Fixed XSS holes in generic options inputs, XSS hole in the SquirrelSpell plugin, and added anti-CSRF protection to the empty trash feature (thanks to Nicholas Carlini for finding all these issues). [CVE-2010-4555] + - Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- diff --git a/functions/mime.php b/functions/mime.php index 57bdf2f2..1e8fc880 100644 --- a/functions/mime.php +++ b/functions/mime.php @@ -2350,6 +2350,15 @@ function sq_sanitize($body, list($free_content, $curpos) = sq_fixstyle($body, $gt+1, $message, $id, $mailbox); if ($free_content != FALSE){ + $attary = sq_fixatts($tagname, + $attary, + $rm_attnames, + $bad_attvals, + $add_attr_to_tag, + $message, + $id, + $mailbox + ); $trusted .= sq_tagprint($tagname, $attary, $tagtype); $trusted .= $free_content; $trusted .= sq_tagprint($tagname, false, 2); -- 2.25.1