author | Aleksander Machniak <alec@alec.pl> | 2020-07-26 12:07:38 +0300 |
committer | Aleksander Machniak <alec@alec.pl> | 2020-07-26 12:07:38 +0300 |
commit | dd65229b6ecfedf4124f86cb740bdcf629df55ab (patch) | |
tree | b29a04754346e9cbb7b40361e8ed9029bfb20d8c | |
parent | b9f41796c3df0c6d80bb8e6167e201f05144246e (diff) |
Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507)
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | program/js/editor.js | 3 |
2 files changed, 3 insertions, 1 deletions
@@ -5,6 +5,7 @@ CHANGELOG Roundcube Webmail - Fix support for an error as a string in message_before_send hook (#7475) - Elastic: Fix redundant scrollbar in plain text editor on mail reply (#7500) - Fix format=flowed formatting on plain text part derived from the HTML content (#7504) +- Security: Fix potential XSS issue in HTML editor of the identity signature input (#7507) RELEASE 1.4.7 -------------
diff --git a/program/js/editor.js b/program/js/editor.js
index bc504c474..552de9a79 100644
--- a/program/js/editor.js
+++ b/program/js/editor.js
@@ -90,7 +90,8 @@ function rcube_text_editor(config, id)
+ ' | outdent indent charmap hr link unlink image code forecolor'
+ ' | fontselect fontsizeselect',
file_browser_callback: function(name, url, type, win) { ref.file_browser_callback(name, url, type); },
- file_browser_callback_types: 'image'
+ file_browser_callback_types: 'image',
+ invalid_elements: 'embed' // XSS fix (#7507)
});
}
// full-featured editor |
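Review bot: `invalid_elements: 'embed'` is a one-entry denylist, so TinyMCE will still accept every other element of its default schema (`object` and `iframe` come to mind) unless they are listed as well; it is worth confirming whether those need the same treatment, or whether an allowlist via `valid_elements`/`extended_valid_elements` limited to what a signature actually needs would be the sturdier fix. This is a client-side editor setting: it controls what the editor renders and serializes in the user's own browser, not what the server accepts, so whatever server-side sanitizer handles the stored signature HTML must remain the real boundary and this line should not be read as replacing it. The change is made only in the minimal editor configuration; the `// full-featured editor` branch that follows is outside the hunk, and if it also loads server-supplied HTML it may need the same restriction. The comment `// XSS fix (#7507)` would serve a later maintainer better as `// Strip <embed>: rendered inside the editor it can execute content from the stored signature (#7507); keep in sync with the server-side sanitizer`. The enclosing `rcube_text_editor` function begins and ends outside the hunk.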