OoO Early in the evening of Friday, 28 December 2007, around 21:45, I said:
I found Squirrelmail's solution. They seem to use one function for every possible tag in the HTML source:
http://osdir.com/ml/mail.squirrelmail.cvs/2006-12/msg00031.html
I'll try to implement that, and/or search for more :)
Hi Robin!
I noticed that you have posted a patch. I have tried it but it seems that there is no effect. I have tried with ie6 from ie4linux and I still get the javascript popups. Did you try it successfully on rc2?
I have used the test message from here: http://www.topolis.lt/bugtraq/expression.eml.gz
I have tried with an up-to-date IE7 and the patch provided here does not fix the issue. In fact, the source code shows there are still unsanitized strings. I have completed the patch with a function from Squirrelmail (sq_defang). I have attached the complete patch.
--- 8< --- detachments --- 8< ---
The following attachments have been detached and are available for viewing:
http://detached.gigo.com/rc/Kv/ygd6Dv7S/xss-fix.patch
--- 8< --- detachments --- 8< ---
There are still some unsanitized strings but IE does not trigger any alert any more. We will use this patch as a temporary fix for the Roundcube Debian package unless you see a better way to handle this issue.
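A style-attribute sanitizer along the lines the thread is after, as an added example that is not Roundcube's or SquirrelMail's code and not the attached patch: it undoes CSS escapes and comments before matching, which is the kind of obfuscation a plain string replacement misses (and one reason a patch can "have no effect" against a crafted test message), and drops any declaration that carries IE's expression() or a script URL. The sample style values are constructed.

```python
import re

# Constructed samples (not from the thread): the same expression() payload in
# plain, comment-split and CSS-escaped form, a script URL, and a benign value.
SAMPLES = [
    'width: expression(alert(1))',
    'width: expr/**/ession(alert(1))',
    'width: ex\\70 ression(alert(1))',      # \70 is the CSS escape for 'p'
    'background: url(javascript:alert(1))',
    'color: red; font-family: Arial',
]

_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})\s?')   # \HH.. plus one optional blank
_CSS_COMMENT = re.compile(r'/\*.*?\*/', re.S)
# Constructs a mail client must never hand to the renderer inside a style attribute.
_DANGEROUS = re.compile(
    r'(expression|behavior|javascript|vbscript|-moz-binding)\s*[:(]', re.I)


def normalize_css(value: str) -> str:
    """Resolve the obfuscations a filter has to see through before matching."""
    def _unescape(m: re.Match) -> str:
        cp = int(m.group(1), 16)
        return chr(cp) if cp < 0x110000 else ''
    value = _CSS_ESCAPE.sub(_unescape, value)      # ex\70 ression -> expression
    value = _CSS_COMMENT.sub('', value)            # expr/**/ession -> expression
    return re.sub(r'[\x00-\x20]+', ' ', value)     # collapse control chars and blanks


def defang_style(value: str) -> str:
    """Return the style attribute with dangerous declarations removed.

    The whole declaration is dropped rather than patched, so no half-filtered
    string (e.g. a leftover 'ession(alert(1))') reaches the renderer."""
    kept = []
    for decl in normalize_css(value).split(';'):
        decl = decl.strip()
        if decl and not _DANGEROUS.search(decl):
            kept.append(decl)
    return '; '.join(kept)


def defang_all(values=SAMPLES) -> dict:
    """Map each input style value to its sanitized form."""
    return {v: defang_style(v) for v in values}


if __name__ == '__main__':
    for raw, clean in defang_all().items():
        print(f'{raw!r:45} -> {clean!r}')
```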