Merge pull request #242 from modoboa/fix-xss-compose-mail

tonioo · web-flow · commit 599c93c0d535 · 2023-02-11T09:25:51.000+01:00
Fixed XSS issue in compose form
diff --git a/modoboa_webmail/static/modoboa_webmail/js/webmail.js b/modoboa_webmail/static/modoboa_webmail/js/webmail.js
@@ -1141,7 +1141,7 @@ Webmail.prototype = {
                     item.display_name,
                     escape('<{0}>'.format(item.address)));
             }
-            return '<div>{0}</div>'.format(item.address);
+            return '<div>{0}</div>'.format(htmlEncode(item.address));
         };
         var apiUrl = this.options.contactListUrl;
 
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,3 @@
-modoboa>=2.0.0
+modoboa>=2.0.4
 chardet
 lxml

Original file line number	Diff line number	Diff line change
`@@ -1141,7 +1141,7 @@ Webmail.prototype = {`
`1141`	`1141`	`item.display_name,`
`1142`	`1142`	`escape('<{0}>'.format(item.address)));`
`1143`	`1143`	`}`
`1144`		`- return '<div>{0}</div>'.format(item.address);`
	`1144`	`+ return '<div>{0}</div>'.format(htmlEncode(item.address));`
`1145`	`1145`	`};`
`1146`	`1146`	`var apiUrl = this.options.contactListUrl;`
`1147`	`1147`