mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-27 09:09:04 +01:00
Fix a XSS issue in mailto temporary form post method
This commit is contained in:
parent
2d9821ff01
commit
c14a917390
@ -141,7 +141,7 @@ var AppJS = Class.extend(
|
|||||||
}
|
}
|
||||||
this.et2 = et2.widgetContainer;
|
this.et2 = et2.widgetContainer;
|
||||||
this._fix_iFrameScrolling();
|
this._fix_iFrameScrolling();
|
||||||
if (this.egw.is_popup()) this._set_Window_title();
|
if (this.egw && this.egw.is_popup()) this._set_Window_title();
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -71,9 +71,15 @@ egw.extend('open', egw.MODULE_WND_LOCAL, function(_egw, _wnd)
|
|||||||
if (uri.length > 2083)
|
if (uri.length > 2083)
|
||||||
{
|
{
|
||||||
popup = egw.open('','mail','add','','compose__','mail');
|
popup = egw.open('','mail','add','','compose__','mail');
|
||||||
// Build a temp Form and submit right away
|
var $tmpForm = jQuery(document.createElement('form')).appendTo('body');
|
||||||
var $tmpForm = jQuery('<form method="post" target="'+popup.name+'" action="index.php?menuaction=mail.mail_compose.compose">\n\
|
var $tmpInput = jQuery(document.createElement('input')).attr({name:"preset[mailto]", type:"text", value: uri});
|
||||||
<input name="preset[mailto]" type="text" value="'+uri+'"></input><input type="submit"></input></form>').appendTo('body').submit();
|
var $tmpSubmitInput = jQuery(document.createElement('input')).attr({type:"submit"});
|
||||||
|
// Set the temporary form's attributes
|
||||||
|
$tmpForm.attr({target:popup.name, action:"index.php?menuaction=mail.mail_compose.compose", method:"post"})
|
||||||
|
.append($tmpInput)
|
||||||
|
.append($tmpSubmitInput);
|
||||||
|
$tmpForm.submit();
|
||||||
|
// Remove the form after submit
|
||||||
$tmpForm.remove();
|
$tmpForm.remove();
|
||||||
}
|
}
|
||||||
else // simple GET request
|
else // simple GET request
|
||||||
|
Loading…
Reference in New Issue
Block a user