mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-22 23:00:56 +01:00
Fix a XSS issue in mailto temporary form post method
This commit is contained in:
parent
2d9821ff01
commit
c14a917390
@ -141,7 +141,7 @@ var AppJS = Class.extend(
|
||||
}
|
||||
this.et2 = et2.widgetContainer;
|
||||
this._fix_iFrameScrolling();
|
||||
if (this.egw.is_popup()) this._set_Window_title();
|
||||
if (this.egw && this.egw.is_popup()) this._set_Window_title();
|
||||
},
|
||||
|
||||
/**
|
||||
|
@ -71,9 +71,15 @@ egw.extend('open', egw.MODULE_WND_LOCAL, function(_egw, _wnd)
|
||||
if (uri.length > 2083)
|
||||
{
|
||||
popup = egw.open('','mail','add','','compose__','mail');
|
||||
// Build a temp Form and submit right away
|
||||
var $tmpForm = jQuery('<form method="post" target="'+popup.name+'" action="index.php?menuaction=mail.mail_compose.compose">\n\
|
||||
<input name="preset[mailto]" type="text" value="'+uri+'"></input><input type="submit"></input></form>').appendTo('body').submit();
|
||||
var $tmpForm = jQuery(document.createElement('form')).appendTo('body');
|
||||
var $tmpInput = jQuery(document.createElement('input')).attr({name:"preset[mailto]", type:"text", value: uri});
|
||||
var $tmpSubmitInput = jQuery(document.createElement('input')).attr({type:"submit"});
|
||||
// Set the temporary form's attributes
|
||||
$tmpForm.attr({target:popup.name, action:"index.php?menuaction=mail.mail_compose.compose", method:"post"})
|
||||
.append($tmpInput)
|
||||
.append($tmpSubmitInput);
|
||||
$tmpForm.submit();
|
||||
// Remove the form after submit
|
||||
$tmpForm.remove();
|
||||
}
|
||||
else // simple GET request
|
||||
|
Loading…
Reference in New Issue
Block a user