authorAleksander Machniak <alec@alec.pl>2020-07-26 12:07:38 +0300
committerAleksander Machniak <alec@alec.pl>2020-07-26 12:07:38 +0300
commitdd65229b6ecfedf4124f86cb740bdcf629df55ab (patch)
treeb29a04754346e9cbb7b40361e8ed9029bfb20d8c
parentb9f41796c3df0c6d80bb8e6167e201f05144246e (diff)
Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
-rw-r--r--CHANGELOG1
-rw-r--r--program/js/editor.js3
2 files changed, 3 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 450da753f..e87d94a03 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail
- Fix support for an error as a string in message_before_send hook (#7475)
- Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500)
- Fix format=flowed formatting on plain text part derived from the HTML content (#7504)
+- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
RELEASE 1.4.7
-------------
diff --git a/program/js/editor.js b/program/js/editor.js
index bc504c474..552de9a79 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -90,7 +90,8 @@ function rcube_text_editor(config, id)
+ ' | outdent indent charmap hr link unlink image code forecolor'
+ ' | fontselect fontsizeselect',
file_browser_callback: function(name, url, type, win) { ref.file_browser_callback(name, url, type); },
- file_browser_callback_types: 'image'
+ file_browser_callback_types: 'image',
+ invalid_elements: 'embed' // XSS fix (#7507)
});
}
// full-featured editor
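Review bot: `invalid_elements: 'embed'` is a one-element denylist, which is a narrow fix for untrusted signature HTML: any other element the editor's default schema admits that can carry active or external content is left untouched, so an allowlist via `valid_elements`/`extended_valid_elements` (or at least confirming what the bundled TinyMCE version strips by default) would be the more robust editor-side control, and server-side sanitization of the stored signature has to remain the primary defence since this option only shapes what the client-side editor accepts. The trailing comment should say why rather than only cite the ticket, e.g. `invalid_elements: 'embed' // strip <embed>: signature HTML is user-controlled and must not carry plugin/external content (#7507)`. The enclosing `rcube_text_editor` config object begins before the hunk; the two `+ ' | …'` lines at its top are continuation of the toolbar string (context), not additions, as the 7→8 line counts in the header confirm.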