holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed mail preview was not sending CSP headers and clicking on mailto-urls redirected to home

Browse Source
This commit is contained in:
Ralf Becker 2014-03-03 14:56:12 +00:00
parent 876a14ff52
commit 39860b57f7
3 changed files with 22 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mail/inc/class.mail_bo.inc.php
View File

@ -4509,7 +4509,7 @@ class mail_bo
// CSS Security // CSS Security
// http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets // http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets
$css = preg_replace('/(javascript|expession|-moz-binding)/i','',$style); $css = preg_replace('/(javascript|expression|-moz-binding)/i','',$style);
if (stripos($css,'script')!==false) translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included if (stripos($css,'script')!==false) translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included
// we need this, as styledefinitions are enclosed with curly brackets; and template stuff tries to replace everything between curly brackets that is having no horizontal whitespace // we need this, as styledefinitions are enclosed with curly brackets; and template stuff tries to replace everything between curly brackets that is having no horizontal whitespace
// as the comments as <!-- styledefinition --> in stylesheet are outdated, and ck-editor does not understand it, we remove it // as the comments as <!-- styledefinition --> in stylesheet are outdated, and ck-editor does not understand it, we remove it

62
mail/inc/class.mail_ui.inc.php
View File

@ -2696,7 +2696,7 @@ unset($query['actions']);
} }
function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null,$fullHeader=true) function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null)
{ {
// seems to be needed, as if we open a mail from notification popup that is // seems to be needed, as if we open a mail from notification popup that is
// located in a different folder, we experience: could not parse message // located in a different folder, we experience: could not parse message
@ -2738,8 +2738,8 @@ $this->partID = $partID;
//_debug_array($bodyParts); die(__METHOD__.__LINE__); //_debug_array($bodyParts); die(__METHOD__.__LINE__);
// Compose the content of the frame // Compose the content of the frame
$frameHtml = $frameHtml =
$this->get_email_header($this->mail_bo->getStyles($bodyParts),$fullHeader). $this->get_email_header($this->mail_bo->getStyles($bodyParts)).
$this->showBody($this->getdisplayableBody($bodyParts), false,$fullHeader); $this->showBody($this->getdisplayableBody($bodyParts), false);
//IE10 eats away linebreaks preceeded by a whitespace in PRE sections //IE10 eats away linebreaks preceeded by a whitespace in PRE sections
$frameHtml = str_replace(" \r\n","\r\n",$frameHtml); $frameHtml = str_replace(" \r\n","\r\n",$frameHtml);
$this->mail_bo->htmlOptions = $bufferHtmlOptions; $this->mail_bo->htmlOptions = $bufferHtmlOptions;
@ -2747,30 +2747,19 @@ $this->partID = $partID;
return $frameHtml; return $frameHtml;
} }
static function get_email_header($additionalStyle='',$fullHeader=true) static function get_email_header($additionalStyle='')
{ {
//error_log(__METHOD__.__LINE__.$additionalStyle); // egw_info[flags][css] already include <style> tags
$header = ($fullHeader?' $GLOBALS['egw_info']['flags']['css'] = preg_replace('|</?style[^>]*>|i', '', $additionalStyle);
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> // do NOT include any default CSS
<head> egw_framework::includeCSS('mail', 'preview', true, true);
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />':'').'
<style> // load preview.js to activate mailto links
body, td, textarea { egw_framework::validate_file('/mail/js/preview.js');
font-family: Verdana, Arial, Helvetica,sans-serif;
font-size: 11px; // send CSP and content-type header
} return $GLOBALS['egw']->framework->header();
</style>'.$additionalStyle.'
<script type="text/javascript">
function GoToAnchor(aname)
{
window.location.hash=aname;
}
</script>'.($fullHeader?'
</head>
<body>
':'');
return $header;
} }
function showBody(&$body, $print=true,$fullPageTags=true) function showBody(&$body, $print=true,$fullPageTags=true)
@ -2818,8 +2807,6 @@ blockquote[type=cite] {
{ {
$bodyParts = $_bodyParts; $bodyParts = $_bodyParts;
$webserverURL = $GLOBALS['egw_info']['server']['webserver_url'];
$nonDisplayAbleCharacters = array('[\016]','[\017]', $nonDisplayAbleCharacters = array('[\016]','[\017]',
'[\020]','[\021]','[\022]','[\023]','[\024]','[\025]','[\026]','[\027]', '[\020]','[\021]','[\022]','[\023]','[\024]','[\025]','[\026]','[\027]',
'[\030]','[\031]','[\032]','[\033]','[\034]','[\035]','[\036]','[\037]'); '[\030]','[\031]','[\032]','[\033]','[\034]','[\035]','[\036]','[\037]');
@ -2902,7 +2889,6 @@ blockquote[type=cite] {
} }
//error_log(__METHOD__.__LINE__.array2string($singleBodyPart)); //error_log(__METHOD__.__LINE__.array2string($singleBodyPart));
#$CharSetUsed = mb_detect_encoding($singleBodyPart['body'] . 'a' , strtoupper($singleBodyPart['charSet']).','.strtoupper(mail_bo::$displayCharset).',UTF-8, ISO-8859-1'); #$CharSetUsed = mb_detect_encoding($singleBodyPart['body'] . 'a' , strtoupper($singleBodyPart['charSet']).','.strtoupper(mail_bo::$displayCharset).',UTF-8, ISO-8859-1');
if($singleBodyPart['mimeType'] == 'text/plain') if($singleBodyPart['mimeType'] == 'text/plain')
{ {
//$newBody = $singleBodyPart['body']; //$newBody = $singleBodyPart['body'];
@ -2986,18 +2972,7 @@ blockquote[type=cite] {
$newBody = preg_replace_callback("/url\(cid:(.*)\);/iU",array($this,'image_callback_url'),$newBody); $newBody = preg_replace_callback("/url\(cid:(.*)\);/iU",array($this,'image_callback_url'),$newBody);
$newBody = preg_replace_callback("/background=(\"|\')cid:(.*)(\"|\')/iU",array($this,'image_callback_background'),$newBody); $newBody = preg_replace_callback("/background=(\"|\')cid:(.*)(\"|\')/iU",array($this,'image_callback_background'),$newBody);
} }
$addAction = egw_link::get_registry('mail','add'); // email addresses / mailto links get now activated on client-side
// create links for email addresses
if ($modifyURI)
{
$link = egw::link('/index.php',array('menuaction' => $addAction['menuaction']));
$newBody = preg_replace("/href=(\"|\')mailto:([\w,\-,\/,\?,\=,\.,&amp;,!\n,\%,@,\*,#,:,~,\+]+)(\"|\')/ie",
"'href=\"$link&send_to='.base64_encode('$2').'\"'.' target=\"compose\" onclick=\"window.open(this,this.target,\'dependent=yes,width=700,height=egw_getWindowOuterHeight(),location=no,menubar=no,toolbar=no,scrollbars=yes,status=yes\'); return false;\"'", $newBody);
//print "<pre>".htmlentities($newBody)."</pre><hr>";
}
// replace emails within the text with clickable links.
//TODO:$this->parseEmail($newBody);
} }
$body .= $newBody; $body .= $newBody;
@ -3397,19 +3372,18 @@ blockquote[type=cite] {
* *
* @return xajax response * @return xajax response
*/ */
function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null,$_fullHeader=true) function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null)
{ {
//error_log(__METHOD__.__LINE__.array2string($_GET)); //error_log(__METHOD__.__LINE__.array2string($_GET));
if (!$_messageID && !empty($_GET['_messageID'])) $_messageID = $_GET['_messageID']; if (!$_messageID && !empty($_GET['_messageID'])) $_messageID = $_GET['_messageID'];
if (!$_partID && !empty($_GET['_partID'])) $_partID = $_GET['_partID']; if (!$_partID && !empty($_GET['_partID'])) $_partID = $_GET['_partID'];
if (!$_htmloptions && !empty($_GET['_htmloptions'])) $_htmloptions = $_GET['_htmloptions']; if (!$_htmloptions && !empty($_GET['_htmloptions'])) $_htmloptions = $_GET['_htmloptions'];
if (!$_fullHeader && !empty($_GET['_fullHeader'])) $_fullHeader = $_GET['_fullHeader'];
if(mail_bo::$debug) error_log(__METHOD__."->".print_r($_messageID,true).",$_partID,$_htmloptions,$_fullHeade"); if(mail_bo::$debug) error_log(__METHOD__."->".print_r($_messageID,true).",$_partID,$_htmloptions,$_fullHeade");
if (empty($_messageID)) return ""; if (empty($_messageID)) return "";
$uidA = self::splitRowID($_messageID); $uidA = self::splitRowID($_messageID);
$folder = $uidA['folder']; // all messages in one set are supposed to be within the same folder $folder = $uidA['folder']; // all messages in one set are supposed to be within the same folder
$messageID = $uidA['msgUID']; $messageID = $uidA['msgUID'];
$bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions,$_fullHeader); $bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions);
egw_session::cache_control(true); egw_session::cache_control(true);
//error_log(array2string($bodyResponse)); //error_log(array2string($bodyResponse));
echo $bodyResponse; echo $bodyResponse;

2
mail/js/app.js
View File

@ -635,7 +635,7 @@ app.classes.mail = AppJS.extend(
//console.log("mail_preview",nextmatch, selected); //console.log("mail_preview",nextmatch, selected);
// Empty values, just in case selected is empty (user cleared selection) // Empty values, just in case selected is empty (user cleared selection)
//dataElem.data is populated, when available with fromaddress(string),toaddress(string),additionaltoaddress(array),ccaddress (array) //dataElem.data is populated, when available with fromaddress(string),toaddress(string),additionaltoaddress(array),ccaddress (array)
var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",subject:"",attachmentsBlock:""}}; var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",attachmentsBlock:""}};
if(typeof selected != 'undefined' && selected.length == 1) if(typeof selected != 'undefined' && selected.length == 1)
{ {
var _id = this.mail_fetchCurrentlyFocussed(selected); var _id = this.mail_fetchCurrentlyFocussed(selected);