anti_XSS.patch   [plain text]


--- roundcubemail-0.5.3/program/steps/mail/func.inc	2011-06-02 05:36:32.000000000 -0700
+++ roundcubemail/program/steps/mail/func.inc	2011-06-08 16:20:41.000000000 -0700
@@ -684,7 +684,8 @@
   else if ($data['type'] == 'enriched') {
     $part->ctype_secondary = 'html';
     require_once('lib/enriched.inc');
-    $body = Q(enriched_to_html($data['body']), 'show');
+    $body_html = Q(enriched_to_html($data['body']), 'show');
+    $body = rcmail_wash_html($body_html, $data, $part->replaces);
   }
   else {
     // assert plaintext