Use lax CSP whereever the HTML editor might be used

A "lax" CSP (aka using the config option `content_security_policy_add_allow_remote`) is required to allow using remote ressources like image URLs in the HTML editor. We can't depend this on the intial content being HTML or not because the user might want to change the editor after loading the page, and then add remote ressources.
6 months ago · 1900aaec24
3 changed files with 7 additions and 0 deletions
--- a/program/actions/mail/compose.php
+++ b/program/actions/mail/compose.php
@ -680,6 +680,11 @@ class rcmail_action_mail_compose extends rcmail_action_mail_index

        self::$HTML_MODE = $isHtml;

+        // We can't depend the "safemode" on the message being HTML or not
+        // because the user might want to change the editor after loading the
+        // page, and then add remote ressources.
+        $rcmail->output->set_env('safemode', true);
+
        return $body;
    }

--- a/program/actions/settings/identity_edit.php
+++ b/program/actions/settings/identity_edit.php
@ -75,6 +75,7 @@ class rcmail_action_settings_identity_edit extends rcmail_action
            $rcmail->output->send('identityadd');
        }

+        $rcmail->output->set_env('safemode', true);
        $rcmail->output->send('identityedit');
    }

--- a/program/actions/settings/response_edit.php
+++ b/program/actions/settings/response_edit.php
@ -46,6 +46,7 @@ class rcmail_action_settings_response_edit extends rcmail_action_settings_respon

        $rcmail->output->set_pagetitle($title);
        $rcmail->output->set_env('readonly', !empty(self::$response['static']));
+        $rcmail->output->set_env('safemode', true);
        $rcmail->output->add_handler('responseform', [$this, 'response_form']);
        $rcmail->output->send('responseedit');
    }