Security: Fix XSS issue in template object 'username' (#7406)

5 years ago · 37e2bc7457
3 changed files with 15 additions and 4 deletions
--- a/4
+++ b/4
@ -3,8 +3,8 @@ CHANGELOG Roundcube Webmail

 RELEASE 1.3.12
 --------------
-
- Security: Fix couple of XSS issues in Installer (#7406)
+ - Security: Fix XSS issue in template object 'username' (#7406) 
+ - Security: Fix couple of XSS issues in Installer (#7406)

 RELEASE 1.3.11
 --------------
--- a/11
+++ b/11
@ -60,7 +60,16 @@ INSTALLATION
 5. Point your browser to http://url-to-roundcube/installer/
 6. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 7. After creating and testing the configuration, remove the installer directory
-8. Check Known Issues section of this file
+   ------------------------------------------
+   IMPORTANT: REMOVE THE INSTALLER DIRECTORY!
+   ------------------------------------------
+8. If you use git sources compile css files for the Elastic skin (required
+   lessc >= 1.5.0):
+   $ cd skins/elastic
+   $ lessc -x styles/styles.less > styles/styles.css
+   $ lessc -x styles/print.less > styles/print.css
+   $ lessc -x styles/embed.less > styles/embed.css
+9. Check Known Issues section of this file


 CONFIGURATION HINTS
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@ -1823,7 +1823,9 @@ EOF;
            $username = $this->app->user->get_username();
        }

-        return rcube_utils::idn_to_utf8($username);
+        $username = rcube_utils::idn_to_utf8($username);
+
+        return html::quote($username);
    }

    /**