Tickets :: [#9240] XSS: Mailbox name not encoded properly

6.0.0-beta1

7/7/25

Summary	XSS: Mailbox name not encoded properly
Queue	DIMP
Queue Version	FRAMEWORK_3
Type	Bug
State	Resolved
Priority	3. High
Owners	slusarz (at) horde (dot) org
Requester	slusarz (at) horde (dot) org
Created	09/08/2010 (5416 days ago)
Due
Updated	09/08/2010 (5416 days ago)
Assigned
Resolved	09/08/2010 (5416 days ago)
Github Issue Link
Github Pull Request
Milestone	1.1.5
Patch	No

09/08/2010 09:12:34 PM	Michael Slusarz	State ⇒ Resolved

09/08/2010 04:53:58 PM	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git for this ticket: ~~Bug #9240~~: properly escape elements in dimp. Escape mailbox label since it is directly inserted into page in the message list title bar. Escape growler message because it may include user submitted input. http://git.horde.org/diff.php/imp/docs/CHANGES?rt=horde-git&r1=7ce7ed91b17089d0468c00ae9f743b58516d9bef&r2=48913cf3af81875d6e5c6f32e030c5913f22f25d http://git.horde.org/diff.php/imp/js/dimpcore.js?rt=horde-git&r1=1d4ab4eae68e0b38ed57f251079ab5341547e2b4&r2=48913cf3af81875d6e5c6f32e030c5913f22f25d http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git&r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb&r2=48913cf3af81875d6e5c6f32e030c5913f22f25d

09/08/2010 04:51:31 PM	CVS Commit	Comment #3	Reply to this comment
Changes have been made in CVS for this ticket: ~~Bug: 9240~~ Fix XSS vulnerability http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horder1=1.69.2.85r2=1.69.2.86ty=u http://cvs.horde.org/diff.php/dimp/lib/Views/ListMessages.php?rt=horder1=1.53.2.24r2=1.53.2.25ty=u

09/08/2010 04:14:56 PM	Michael Slusarz	Comment #2 (Private)
[Hidden]

09/08/2010 04:14:01 PM	Michael Slusarz	Comment #1 Priority ⇒ 3. High Patch ⇒ No Milestone ⇒ 1.1.5 Assigned to Michael Slusarz Queue ⇒ DIMP Summary ⇒ XSS: Mailbox name not encoded properly Type ⇒ Bug State ⇒ Assigned	Reply to this comment
A URL specific to the Horde system can be used to perform an XSS attack.