author | Pierre-Alain Bandinelli <pa@bandinelli.net> | 2022-04-23 16:06:11 +0300 |
committer | Pierre-Alain Bandinelli <pa@bandinelli.net> | 2022-04-23 16:06:11 +0300 |
commit | ccb381827442e26d8b7ee484540c127d375dce00 (patch) | |
tree | 49294a9f90e1b69e42f7ca4ce4d7005d12e06523 /app | |
parent | 4d21df86233cedc8e41a1a2639e6eeb1fdf7928d (diff) |
Fix an XSS bug by applying the approach recommended here: https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
Diffstat (limited to 'app')
-rw-r--r-- | app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php b/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
index 2177627..effcf17 100644
--- a/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+++ b/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
@@ -239,7 +239,9 @@ class HtmlUtils
$oWrapHtml->setAttribute($sKey, $sValue);
}
- $oWrapDom = $oDom->createElement('div', '___xxx___');
+ #$oWrapDom = $oDom->createElement('div', '___xxx___');
+ $rand_str = base64_encode(random_bytes(32));
++ $oWrapDom = $oDom->createElement('div', $rand_str);
$oWrapDom->setAttribute('data-x-div-type', 'body');
foreach ($aBodylAttrs as $sKey => $sValue)
{
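Review bot: The added `$oWrapDom = $oDom->createElement('div', $rand_str);` line is shown with a doubled `+`; if the second `+` is really part of the file content it is a stray unary plus applied to the assignment, which PHP 8 rejects with a TypeError for a DOMElement operand, so confirm the committed line reads `$oWrapDom = $oDom->createElement('div', $rand_str);`. The random placeholder is the right fix, but nothing in the hunk says why the literal `___xxx___` was unsafe; add a why-comment above the `random_bytes` line such as `// Unguessable placeholder: message content can never contain it, so the later str_replace cannot be steered by the sender`. The commented-out `#$oWrapDom = ...` line here and the matching `#$sResult = ...` line in the second hunk should be deleted rather than kept, and `$rand_str` breaks the file's `$sName`/`$oName` prefix convention (`$sWrapToken` would fit). The token is created in this hunk and consumed by the `str_replace` in the second hunk; the enclosing method starts and ends outside both hunks.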
@@ -250,7 +252,8 @@ class HtmlUtils
$sWrp = $oDom->saveHTML($oWrapHtml);
- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ #$sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
}
$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);