fixed mail preview was not sending CSP headers and clicking on mailto-urls redirected to home

This commit is contained in:
Ralf Becker 2014-03-03 14:56:12 +00:00
parent 876a14ff52
commit 39860b57f7
3 changed files with 22 additions and 48 deletions

View File

@ -4509,7 +4509,7 @@ class mail_bo
// CSS Security
// http://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets
$css = preg_replace('/(javascript|expession|-moz-binding)/i','',$style);
$css = preg_replace('/(javascript|expression|-moz-binding)/i','',$style);
if (stripos($css,'script')!==false) translation::replaceTagsCompletley($css,'script'); // Strip out script that may be included
// we need this, as styledefinitions are enclosed with curly brackets; and template stuff tries to replace everything between curly brackets that is having no horizontal whitespace
// as the comments as <!-- styledefinition --> in stylesheet are outdated, and ck-editor does not understand it, we remove it

View File

@ -2696,7 +2696,7 @@ unset($query['actions']);
}
function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null,$fullHeader=true)
function get_load_email_data($uid, $partID, $mailbox,$htmlOptions=null)
{
// seems to be needed, as if we open a mail from notification popup that is
// located in a different folder, we experience: could not parse message
@ -2738,8 +2738,8 @@ $this->partID = $partID;
//_debug_array($bodyParts); die(__METHOD__.__LINE__);
// Compose the content of the frame
$frameHtml =
$this->get_email_header($this->mail_bo->getStyles($bodyParts),$fullHeader).
$this->showBody($this->getdisplayableBody($bodyParts), false,$fullHeader);
$this->get_email_header($this->mail_bo->getStyles($bodyParts)).
$this->showBody($this->getdisplayableBody($bodyParts), false);
//IE10 eats away linebreaks preceeded by a whitespace in PRE sections
$frameHtml = str_replace(" \r\n","\r\n",$frameHtml);
$this->mail_bo->htmlOptions = $bufferHtmlOptions;
@ -2747,30 +2747,19 @@ $this->partID = $partID;
return $frameHtml;
}
static function get_email_header($additionalStyle='',$fullHeader=true)
static function get_email_header($additionalStyle='')
{
//error_log(__METHOD__.__LINE__.$additionalStyle);
$header = ($fullHeader?'
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />':'').'
<style>
body, td, textarea {
font-family: Verdana, Arial, Helvetica,sans-serif;
font-size: 11px;
}
</style>'.$additionalStyle.'
<script type="text/javascript">
function GoToAnchor(aname)
{
window.location.hash=aname;
}
</script>'.($fullHeader?'
</head>
<body>
':'');
return $header;
// egw_info[flags][css] already include <style> tags
$GLOBALS['egw_info']['flags']['css'] = preg_replace('|</?style[^>]*>|i', '', $additionalStyle);
// do NOT include any default CSS
egw_framework::includeCSS('mail', 'preview', true, true);
// load preview.js to activate mailto links
egw_framework::validate_file('/mail/js/preview.js');
// send CSP and content-type header
return $GLOBALS['egw']->framework->header();
}
function showBody(&$body, $print=true,$fullPageTags=true)
@ -2818,8 +2807,6 @@ blockquote[type=cite] {
{
$bodyParts = $_bodyParts;
$webserverURL = $GLOBALS['egw_info']['server']['webserver_url'];
$nonDisplayAbleCharacters = array('[\016]','[\017]',
'[\020]','[\021]','[\022]','[\023]','[\024]','[\025]','[\026]','[\027]',
'[\030]','[\031]','[\032]','[\033]','[\034]','[\035]','[\036]','[\037]');
@ -2902,7 +2889,6 @@ blockquote[type=cite] {
}
//error_log(__METHOD__.__LINE__.array2string($singleBodyPart));
#$CharSetUsed = mb_detect_encoding($singleBodyPart['body'] . 'a' , strtoupper($singleBodyPart['charSet']).','.strtoupper(mail_bo::$displayCharset).',UTF-8, ISO-8859-1');
if($singleBodyPart['mimeType'] == 'text/plain')
{
//$newBody = $singleBodyPart['body'];
@ -2986,18 +2972,7 @@ blockquote[type=cite] {
$newBody = preg_replace_callback("/url\(cid:(.*)\);/iU",array($this,'image_callback_url'),$newBody);
$newBody = preg_replace_callback("/background=(\"|\')cid:(.*)(\"|\')/iU",array($this,'image_callback_background'),$newBody);
}
$addAction = egw_link::get_registry('mail','add');
// create links for email addresses
if ($modifyURI)
{
$link = egw::link('/index.php',array('menuaction' => $addAction['menuaction']));
$newBody = preg_replace("/href=(\"|\')mailto:([\w,\-,\/,\?,\=,\.,&amp;,!\n,\%,@,\*,#,:,~,\+]+)(\"|\')/ie",
"'href=\"$link&send_to='.base64_encode('$2').'\"'.' target=\"compose\" onclick=\"window.open(this,this.target,\'dependent=yes,width=700,height=egw_getWindowOuterHeight(),location=no,menubar=no,toolbar=no,scrollbars=yes,status=yes\'); return false;\"'", $newBody);
//print "<pre>".htmlentities($newBody)."</pre><hr>";
}
// replace emails within the text with clickable links.
//TODO:$this->parseEmail($newBody);
// email addresses / mailto links get now activated on client-side
}
$body .= $newBody;
@ -3397,19 +3372,18 @@ blockquote[type=cite] {
*
* @return xajax response
*/
function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null,$_fullHeader=true)
function loadEmailBody($_messageID=null,$_partID=null,$_htmloptions=null)
{
//error_log(__METHOD__.__LINE__.array2string($_GET));
if (!$_messageID && !empty($_GET['_messageID'])) $_messageID = $_GET['_messageID'];
if (!$_partID && !empty($_GET['_partID'])) $_partID = $_GET['_partID'];
if (!$_htmloptions && !empty($_GET['_htmloptions'])) $_htmloptions = $_GET['_htmloptions'];
if (!$_fullHeader && !empty($_GET['_fullHeader'])) $_fullHeader = $_GET['_fullHeader'];
if(mail_bo::$debug) error_log(__METHOD__."->".print_r($_messageID,true).",$_partID,$_htmloptions,$_fullHeade");
if (empty($_messageID)) return "";
$uidA = self::splitRowID($_messageID);
$folder = $uidA['folder']; // all messages in one set are supposed to be within the same folder
$messageID = $uidA['msgUID'];
$bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions,$_fullHeader);
$bodyResponse = $this->get_load_email_data($messageID,$_partID,$folder,$_htmloptions);
egw_session::cache_control(true);
//error_log(array2string($bodyResponse));
echo $bodyResponse;

View File

@ -635,7 +635,7 @@ app.classes.mail = AppJS.extend(
//console.log("mail_preview",nextmatch, selected);
// Empty values, just in case selected is empty (user cleared selection)
//dataElem.data is populated, when available with fromaddress(string),toaddress(string),additionaltoaddress(array),ccaddress (array)
var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",subject:"",attachmentsBlock:""}};
var dataElem = {data:{subject:"",fromaddress:"",toaddress:"",ccaddress:"",date:"",attachmentsBlock:""}};
if(typeof selected != 'undefined' && selected.length == 1)
{
var _id = this.mail_fetchCurrentlyFocussed(selected);