

Viewing changes to functions/mime.php

  • Committer: Reinhard Tartler
  • Date: 2008-12-09 14:03:26 UTC
  • Revision ID: siretart@tauware.de-20081209140326-w7pe1v822f4ld0ct
Address cross-site scripting issue in the HTML filter
(CVE-2008-2379). LP: #306536.
Patch taken from the Debian package version 1.4.15-4.



1724
1724
                                    $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
1725
1725
                                }
1726
1726
                            }
 
1727
                        } else {
 
1728
                            $attvalue = $sQuote . $attvalue . $sQuote;
1727
1729
                        }
1728
1730
                        break;
1729
1731
                    case 'outbind':
1732
1734
                         * One day MS might actually make it match something useful, for now, falling
1733
1735
                         * back to using cid2http, so we can grab the blank.png.
1734
1736
                         */
1735
 
                        $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
 
1737
                        $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
1736
1738
                        break;
1737
1739
                    case 'cid':
1738
1740
                        /**
1739
1741
                            * Turn cid: urls into http-friendly ones.
1740
1742
                            */
1741
 
                        $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
 
1743
                        $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
1742
1744
                        break;
1743
1745
                    default:
1744
1746
                        $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
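Review bot: The new `outbind` and `cid` lines (new 1737 and 1743) wrap the return value of sq_cid2http() in `$sQuote` but do not escape `$sQuote` characters that may survive inside that value, so whether the attribute can still be closed early depends entirely on what sq_cid2http() guarantees, which is not visible in this hunk; the same applies to the added `else` branch at new 1728, which quotes `$attvalue` as-is. If sq_cid2http() does not strip or encode quote characters, the quoting here should be paired with an escape of the returned value, e.g. `$attvalue = $sQuote . str_replace($sQuote, '', sq_cid2http($message, $id, $attvalue, $mailbox)) . $sQuote;` in both cases. Either way a short comment at the first of these lines stating the assumption would help the next reader, e.g. `// sq_cid2http() output must not contain $sQuote; the surrounding quotes are what keeps the attribute closed`. The enclosing switch and function both start and end outside this hunk.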