Merge pull request #327 from cytopia/fix-email-xss

Fix #326 XSS vulnerability in email display
cytopia 2018-07-28 09:23:54 +02:00 committed by GitHub
commit fa238275ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -157,7 +157,7 @@ $messages = $MyMbox->get($sortOrderArr);
<tbody>
<?php foreach ($messages as $data): ?>
<?php
$message = $data['raw'];
$message = htmlentities($data['raw']);
$structure = $data['decoded'];
?>
<tr id="<?php echo $data['num'];?>" class="subject">
@ -167,17 +167,17 @@ $messages = $MyMbox->get($sortOrderArr);
<small><?php echo date('Y-m-d', strtotime($structure->headers['date']));?></small>
</td>
<td><?php echo htmlentities($structure->headers['from']);?></td>
<td><?php echo $structure->headers['x-original-to'];?></td>
<td><?php echo $structure->headers['subject'];?></td>
<td><?php echo htmlentities($structure->headers['x-original-to']);?></td>
<td><?php echo htmlentities($structure->headers['subject']);?></td>
</tr>
<tr></tr>
<tr id="mail-<?php echo $data['num'];?>" style="display:none">
<td></td>
<td colspan="4">
<?php if (isset($structure->body)): ?>
<?php echo $structure->body ?>
<?php echo htmlentities($structure->body) ?>
<?php elseif(isset($structure->parts[1]->body)): ?>
<?php echo $structure->parts[1]->body ?>
<?php echo htmlentities($structure->parts[1]->body) ?>
<?php elseif(isset($structure->parts[0]->body)): ?>
<?php echo htmlentities($structure->parts[0]->body) ?>
<?php else: ?>
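Review bot: Every new `htmlentities()` call in both hunks (the `$message` assignment, the `x-original-to` and `subject` cells, and the three body branches) relies on the default flags and default charset, which is fragile for mail that can arrive in any encoding. On PHP before 8.1 the defaults are `ENT_COMPAT | ENT_HTML401`, so input holding a byte sequence that is invalid for the charset comes back as an empty string (a non-UTF-8 message would render as a blank row), and single quotes are left unescaped, which is fine in these element-content positions but not if a value is ever moved into a single-quoted attribute. I would spell the call out as `htmlspecialchars($structure->body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and use the same form for the headers, ideally through one small escaping helper so that no output site is missed. The escaped `$message` is consumed outside the hunk and the `else` branch continues past its last line, so the remaining uses should be checked for double escaping or an unescaped echo.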