tjh.dev
Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)
1Fetched from https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/
2
3--- a/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
4+++ b/rainloop/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
5@@ -239,7 +239,8 @@ class HtmlUtils
6 $oWrapHtml->setAttribute($sKey, $sValue);
7 }
8
9- $oWrapDom = $oDom->createElement('div', '___xxx___');
10+ $rand_str = base64_encode(random_bytes(32));
11+ $oWrapDom = $oDom->createElement('div', $rand_str);
12 $oWrapDom->setAttribute('data-x-div-type', 'body');
13 foreach ($aBodylAttrs as $sKey => $sValue)
14 {
15@@ -250,7 +251,7 @@ class HtmlUtils
16
17 $sWrp = $oDom->saveHTML($oWrapHtml);
18
19- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
20+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
21 }
22
23 $sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);