[RCD] "Edit as new" creates strange (partially) HTML formatted messages

Michael Heydekamp listuser at freexp.de
Thu Aug 1 23:32:49 CEST 2013


Aha! It seems to be related to this commit, which I just saw:

Am 01.08.2013 14:50, schrieb GitHub:

> Branch: refs/heads/master
>   Home:   https://github.com/roundcube/roundcubemail
>   Commit: 93b0a30c1c8aa29d862b587b31e52bcc344b8d16
>      
> https://github.com/roundcube/roundcubemail/commit/93b0a30c1c8aa29d862b587b31e52bcc344b8d16
>   Author: Aleksander Machniak <alec at alec.pl>
>   Date:   2013-08-01 (Thu, 01 Aug 2013)
> 
>   Changed paths:
>     M CHANGELOG
>     M program/steps/mail/compose.inc
> 
>   Log Message:
>   -----------
>   Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

But apparently it does not "wash" (= remove?) HTML, but does add it...?

Cheers,
-- 
Michael Heydekamp
Co-Admin freexp.de
Düsseldorf/Germany


Am 01.08.2013 23:20, schrieb Michael Heydekamp:

> 1.0-git: When using "Edit as new" on a text/plain message, Roundcube
> suddenly prefixes each message with...
> 
> --------------------------------------------------------------------------
>> <!-- html ignored --><!-- head ignored --><!-- meta ignored --><body><p>
> --------------------------------------------------------------------------
> 
> ... and closes it with...
> 
> -------------
>> </p></body>
> -------------
> 
> Plus that certain characters such as ">" and the double quote itself in the
> body are converted to "&gt;" and "&quot;". Interestingly, other 8bit chars
> such as German Umlauts are kept untouched, which is somewhat illogical.
> 
> I have no idea why Roundcube does this (especially as it didn't do it
> before), but it doesn't look correct to me.
> 
> Cheers,
> -- 
> Michael Heydekamp
> Co-Admin freexp.de
> Düsseldorf/Germany
> _______________________________________________
> Roundcube Development discussion mailing list
> dev at lists.roundcube.net
> http://lists.roundcube.net/mailman/listinfo/dev
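
Added example, not part of the original thread and not Roundcube's code: a small Python sketch of why an HTML "washing" step has to be gated on the part's MIME subtype. The names `Washer`, `wash_html`, `prepare_compose_body` and the allowlists are hypothetical; the washer is a stand-in that escapes text nodes the way the report above describes.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "blockquote"}   # constructed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}                  # drop tag and its text

class Washer(HTMLParser):
    """Small allowlist sanitizer standing in for an HTML washer."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            keep = [(k, v) for k, v in attrs
                    if k in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.strip().lower().startswith(SAFE_SCHEMES)]
            self.out.append("<" + tag + "".join(
                ' %s="%s"' % (k, html.escape(v)) for k, v in keep) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            # Text nodes are entity-escaped: correct for HTML output, but
            # this is what turns > and " into entities in a text/plain body.
            self.out.append(html.escape(data, quote=True))

def wash_html(markup):
    washer = Washer()
    washer.feed(markup)
    washer.close()
    return "".join(washer.out)

def prepare_compose_body(body, subtype):
    """Wash only text/html parts; a text/plain body is returned unchanged."""
    if subtype.lower() == "html":
        return wash_html(body)
    return body
```

Running the washer directly on a plain-text body reproduces the escaping seen in the report (entities for > and ", umlauts untouched), while the gated function leaves the same body as it was.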

