Aha! It seems to be related to this commit, which I just saw:

Am 01.08.2013 14:50, schrieb GitHub:

Branch: refs/heads/master Home: https://github.com/roundcube/roundcubemail Commit: 93b0a30c1c8aa29d862b587b31e52bcc344b8d16

https://github.com/roundcube/roundcubemail/commit/93b0a30c1c8aa29d862b587b31... Author: Aleksander Machniak alec@alec.pl Date: 2013-08-01 (Thu, 01 Aug 2013)

Changed paths: M CHANGELOG M program/steps/mail/compose.inc

Log Message:

Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing"

But apparently it does not "wash" (= remove?) HTML, but does add it...?

Cheers,

Michael Heydekamp Co-Admin freexp.de Düsseldorf/Germany

Am 01.08.2013 23:20, schrieb Michael Heydekamp:

1.0-git: When using "Edit as new" on a text/plain message, Roundcube suddenly prefixes each message with...

---

...

<!-- html ignored --><!-- head ignored --><!-- meta ignored --><body><p>

---

... and closes it with...

---

...

</p></body>

---

Plus that certain characters such as ">" and the double quote itself in the body are converted to "&gt;" and "&quot;". Interestingly, other 8bit chars such as German Umlauts keep untouched, which is somewhat unlogical.

I have no idea why Roundcube does this (especially as it didn't do it before), but it doesn't look correct to me.

Cheers,

Michael Heydekamp Co-Admin freexp.de Düsseldorf/Germany _______________________________________________ Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev