pdontthink | d09583a7bf | 17 years ago
Relax restriction on image tag src URIs. Others PLEASE TEST (HTML mails with unsafe images). Per the developers mailing list, no one could show that there was any exploit here. Some code has been inserted here but commented out in case there is in fact some exploit - the code will filter image URI file extensions as before but for URIs that fail that test, SM will check the actual served content for legitimate image files (so dynamically generated images from .asp, .php, and other systems can be correctly displayed).

Thijs Kinkhorst | 7c8a269029 | 17 years ago
drop code related to old printer friendly

Fredrik Jervfors | 2c88b013a0 | 17 years ago
Updating use of sqgetGlobalVar.

Fredrik Jervfors | f5d40976f3 | 17 years ago
Updating my previous comments.

Fredrik Jervfors | 4038839abf | 17 years ago
Viewing unsafe images is a core functionality, so I remove these comments.

Fredrik Jervfors | 0c2da19718 | 17 years ago
Adding comments.

Thijs Kinkhorst | b57f700812 | 17 years ago
reset token when another < is detected, to ensure that HTML tags between

Thijs Kinkhorst | 086605a234 | 17 years ago
fix spelling of variable name which made its meaning confusing

Fredrik Jervfors | 99264da765 | 17 years ago
Reinserting support for the "iframe_height" option. This might be done in a better way - if so, please do it.

pdontthink | d36dcbdbe6 | 17 years ago
Don't let more general attachment plugins override changes made by specific ones; also judge by changes to the defaultlink in addition to added links. Thanks to Thierry Godefroy.

pdontthink | 63f24bd506 | 17 years ago
avoid E_STRICT errors

pdontthink | 642f901396 | 17 years ago
A few output elements are used often, so just retrieve them once and make them globally available

jangliss | 44d36821b1 | 17 years ago
Some IMAP servers handle empty bodies differently. NIL is a valid response for the body, but we always expect a literal with a size. See RFC2180 sec 4.1.3.

pdontthink | 2cb20957be | 17 years ago
Make mailto: links work when viewing HTML messages. Security folks, can this be exploited?

Thijs Kinkhorst | f3aa45aa92 | 18 years ago
drop unneeded global

Thijs Kinkhorst | 6462c7e3de | 18 years ago
fix some bugs found by grepping for urlencode/urldecode

Thijs Kinkhorst | baff951679 | 18 years ago
color has been dropped as a parameter from (plain_)error_message,

pdontthink | 2747b5f21e | 18 years ago
Grammar fix and comment to Marc I think.

Thijs Kinkhorst | 71719fccb1 | 18 years ago
Security: fixes for the HTML filter to counter further XSS exploits:

pdontthink | f3f3eb92df | 18 years ago
Generate links using templates

Thijs Kinkhorst | 11b10ba5d1 | 18 years ago
increment year in copyright notices

pdontthink | 717be5c30c | 18 years ago
Massive update to plugin system architecture. Please test! Not all core plugins are tested yet, please point out issues that need to be fixed. Please see http://marc.theaimsgroup.com/?t=116282394000001&r=1&w=2

Thijs Kinkhorst | 1c4fe25e5f | 18 years ago
tweak comments

stekkel | d22a11a4d4 | 18 years ago
More XSS fixes related to magicHtml

Thijs Kinkhorst | 4991adee3b | 18 years ago
- Security: close cross site scripting vulnerability in draft, compose

pdontthink | 08bcbd6471 | 19 years ago
After looking into it, I slightly misunderstood the intention here. Code is just fine as is.

pdontthink | b6ff5b5a46 | 19 years ago
Adding ability to hook into ANY attachment type. Also, please review my comments. Does anyone know if/when/how the wildcard attachment code was working??? It looks pretty broken to me, but has been here a long time, so...????

stevetruckstuff | 4a2a0b54a4 | 19 years ago
Template for viewing HTML messages in iframes

stevetruckstuff | f427409c19 | 19 years ago
Create a separate function to build the attachments array so that the same array can be given to printer-friendly views.

stevetruckstuff | 20e71360d8 | 19 years ago
<span> tags end with </span>, not </style>, stupid!