pdontthink
|
d09583a7bf
Relax restriction on image tag src URIs. Others PLEASE TEST (HTML mails with unsafe images). Per the developers' mailing list, no one could show that there was any exploit here. Some code has been inserted here but commented out in case there is in fact some exploit - the code will filter image URI file extensions as before but for URIs that fail that test, SM will check the actual served content for legitimate image files (so dynamically generated images from .asp, .php, and other systems can be correctly displayed).
|
17 years ago |
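The two-stage check the commit message describes (accept by file extension first, otherwise look at the bytes the server actually returns) can be sketched as follows. This is an added example, not SquirrelMail's code and not the commented-out code the commit refers to; the allowlist, the magic-byte table, the `fetch_head` callback and the sample responses are all assumptions made for the example. One caveat a practitioner would want stated: the content check only works by having the webmail server fetch a sender-controlled URL, so it should be rate-limited and never pointed at internal addresses, and a plain extension check says nothing about what a `.jpg` URL really serves.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical allowlist and magic-byte table; both are assumptions for this
# example, not SquirrelMail's own configuration.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def extension_looks_like_image(uri: str) -> bool:
    """Old-style check: decide purely from the path's file extension."""
    path = urlsplit(uri).path
    return posixpath.splitext(path)[1].lower() in IMAGE_EXTENSIONS


def sniff_image_type(head: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def classify_image_src(uri: str, fetch_head):
    """Two-stage decision described in the commit message.

    Returns ("extension", None) when the extension alone is accepted,
    ("content", mime) when a dynamic URL served real image bytes, or
    ("rejected", None). `fetch_head(uri)` is a hypothetical callback
    returning the first bytes of the response; it is only invoked for
    URIs that fail the extension test, so no outbound request is made
    for plain .png/.jpg links.
    """
    if extension_looks_like_image(uri):
        return ("extension", None)
    mime = sniff_image_type(fetch_head(uri))
    if mime is None:
        return ("rejected", None)
    return ("content", mime)


# Constructed responses standing in for a real fetch (not captured data).
FAKE_RESPONSES = {
    "http://example.com/chart.php?id=7": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "http://example.com/track.php": b"<html><body>not an image</body></html>",
}


def fake_fetch_head(uri: str) -> bytes:
    """Stand-in for an HTTP fetch: return the first 16 bytes of the body."""
    return FAKE_RESPONSES.get(uri, b"")[:16]


def demo():
    """Classify three constructed src URIs; returns a dict for inspection."""
    return {
        uri: classify_image_src(uri, fake_fetch_head)
        for uri in ("http://example.com/pic.jpg",
                    "http://example.com/chart.php?id=7",
                    "http://example.com/track.php")
    }


if __name__ == "__main__":
    for uri, verdict in demo().items():
        print(uri, "->", verdict)
```

Only the first few bytes are needed for the magic-byte test, which keeps the server-side fetch cheap; a real deployment would also cap the response size and time out quickly.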
Thijs Kinkhorst
|
7c8a269029
drop code related to old printer friendly
|
17 years ago |
Fredrik Jervfors
|
2c88b013a0
Updating use of sqgetGlobalVar.
|
17 years ago |
Fredrik Jervfors
|
f5d40976f3
Updating my previous comments.
|
17 years ago |
Fredrik Jervfors
|
4038839abf
Viewing unsafe images is a core functionality, so I remove these comments.
|
17 years ago |
Fredrik Jervfors
|
0c2da19718
Adding comments.
|
17 years ago |
Thijs Kinkhorst
|
b57f700812
reset token when another < is detected, to ensure that HTML tags between
|
17 years ago |
Thijs Kinkhorst
|
086605a234
fix spelling of variable name which made its meaning confusing
|
17 years ago |
Fredrik Jervfors
|
99264da765
Reinserting support for the "iframe_height" option. This might be done in a better way - if so, please do it.
|
17 years ago |
pdontthink
|
d36dcbdbe6
Don't let more general attachment plugins override changes made by specific ones; also judge by changes to the defaultlink in addition to added links. Thanks to Thierry Godefroy.
|
17 years ago |
pdontthink
|
63f24bd506
avoid E_STRICT errors
|
17 years ago |
pdontthink
|
642f901396
A few output elements are used often, so just retrieve them once and make them globally available
|
17 years ago |
jangliss
|
44d36821b1
Some IMAP servers handle empty bodies differently. NIL is a valid response for the body, but we always expect a literal with a size. See RFC2180 sec 4.1.3.
|
17 years ago |
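The response shapes the commit message contrasts, as an added example rather than SquirrelMail's own IMAP code: the BODY[section] data item in a FETCH response is an nstring, so it may arrive as a literal `{n}CRLF` followed by exactly n octets (the only form the old code expected), as `NIL` (the case some servers return for an empty or expunged body), or as a quoted string. The sample responses below are constructed, not captured from a real server, and the function names are the example's own.

```python
import re

_LITERAL_HEADER = re.compile(rb"\{(\d+)\}\r\n")


def parse_nstring(buf: bytes, pos: int):
    """Parse an IMAP nstring (NIL | quoted | literal) starting at buf[pos].

    Returns (value, next_pos); value is None for NIL. A literal {n}CRLF is
    followed by exactly n octets, which is the only form the old code
    expected; NIL is what some servers return for an empty or expunged
    body (the commit's reference to RFC 2180 sec 4.1.3).
    """
    if buf.startswith(b"NIL", pos):
        return None, pos + 3
    m = _LITERAL_HEADER.match(buf, pos)
    if m:
        n = int(m.group(1))
        start = m.end()
        data = buf[start:start + n]
        if len(data) != n:
            raise ValueError("truncated literal: expected %d octets" % n)
        return data, start + n
    if buf.startswith(b'"', pos):
        out = bytearray()
        i = pos + 1
        while i < len(buf):
            c = buf[i:i + 1]
            if c == b"\\":           # quoted-specials: \" and \\
                out += buf[i + 1:i + 2]
                i += 2
            elif c == b'"':
                return bytes(out), i + 1
            else:
                out += c
                i += 1
        raise ValueError("unterminated quoted string")
    raise ValueError("not an nstring at offset %d" % pos)


def fetch_body_section(resp: bytes, section: bytes = b"1"):
    """Extract the BODY[section] value from one untagged FETCH response.

    Returns bytes for a literal or quoted string and None for NIL, so the
    caller can distinguish "empty body" from "no body at all".
    """
    marker = b"BODY[" + section + b"] "
    pos = resp.find(marker)
    if pos < 0:
        raise ValueError("BODY[%s] not present" % section.decode())
    value, _ = parse_nstring(resp, pos + len(marker))
    return value


# Constructed responses (not captured from a real server).
RESP_LITERAL = b"* 12 FETCH (BODY[1] {13}\r\nHello, world!)\r\n"
RESP_NIL = b"* 12 FETCH (BODY[1] NIL)\r\n"
RESP_QUOTED = b'* 12 FETCH (BODY[1] "a \\"b\\"")\r\n'

if __name__ == "__main__":
    for r in (RESP_LITERAL, RESP_NIL, RESP_QUOTED):
        print(fetch_body_section(r))
```

A parser that only matches the `{n}` header would raise on the NIL response (and on the quoted form) instead of returning an empty body, which is the failure the commit fixes; the truncated-literal check matters too, because trusting the announced byte count without verifying it is a classic way to desynchronise the connection.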
pdontthink
|
2cb20957be
Make mailto: links work when viewing HTML messages. Security folks, can this be exploited?
|
17 years ago |
Thijs Kinkhorst
|
f3aa45aa92
drop unneeded global
|
18 years ago |
Thijs Kinkhorst
|
6462c7e3de
fix some bugs found by grepping for urlencode/urldecode
|
18 years ago |
Thijs Kinkhorst
|
baff951679
color has been dropped as a parameter from (plain_)error_message,
|
18 years ago |
pdontthink
|
2747b5f21e
Grammar fix and comment to Marc I think.
|
18 years ago |
Thijs Kinkhorst
|
71719fccb1
Security: fixes for the HTML filter to counter further XSS exploits:
|
18 years ago |
pdontthink
|
f3f3eb92df
Generate links using templates
|
18 years ago |
Thijs Kinkhorst
|
11b10ba5d1
increment year in copyright notices
|
18 years ago |
pdontthink
|
717be5c30c
Massive update to plugin system architecture. Please test! Not all core plugins are tested yet, please point out issues that need to be fixed. Please see http://marc.theaimsgroup.com/?t=116282394000001&r=1&w=2
|
18 years ago |
Thijs Kinkhorst
|
1c4fe25e5f
tweak comments
|
18 years ago |
stekkel
|
d22a11a4d4
More XSS fixes related to magicHtml
|
18 years ago |
Thijs Kinkhorst
|
4991adee3b
- Security: close cross site scripting vulnerability in draft, compose
|
18 years ago |
pdontthink
|
08bcbd6471
After looking into it, I slightly misunderstood the intention here. Code is just fine as is.
|
18 years ago |
pdontthink
|
b6ff5b5a46
Adding ability to hook into ANY attachment type. Also, please review my comments, Does anyone know if/when/how the wildcard attachment code was working??? It looks pretty broken to me, but has been here a long time, so...????
|
18 years ago |
stevetruckstuff
|
4a2a0b54a4
Template for viewing HTML messages in iframes
|
19 years ago |
stevetruckstuff
|
f427409c19
Create a separate function to build the attachments array so that the same array can be given to printer-friendly views.
|
19 years ago |
stevetruckstuff
|
20e71360d8
<span> tags end with </span>, not </style> stupid!
|
19 years ago |