Tickets :: Comment on [#7926] Message option "Show All Headers" causes error

* Your Email Address
* Spam protection	Enter the letters below: . ..__ . ..__ .__. \|\/\|[__)\|__\|[__)[__] \| \|\| \| \|[__)\| \|
Comment	>> The show-header-action urls are htmlencoded twice. I think this is > >> happening in the Util::removeParameter() call not correctly > >> determining whether the url is already encoded. > > > > No - that's not it. The problem is that the URL, when generated, is > htmlencoded and the & separator is also htmlencoded. Then, for some > reason, we are calling htmlspecialchars() again when injecting into > the template object. > > > > So I guess I don't understand what this commit is trying to protect against: > > > > ----- > > > > fix some unescaped output > > > > Revision Changes Path > > 1.699.2.375 +2 -0 imp/docs/CHANGES > > 2.560.4.58 +6 -6 imp/message.php > > 2.79.6.19 +3 -3 imp/pgp.php > > 2.48.4.14 +3 -3 imp/smime.php > > > > Chora Links: > > > http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.374&r2=1.699.2.375&ty=u > > > http://cvs.horde.org/diff.php/imp/message.php?rt=horde&r1=2.560.4.57&r2=2.560.4.58&ty=u > > > http://cvs.horde.org/diff.php/imp/pgp.php?rt=horde&r1=2.79.6.18&r2=2.79.6.19&ty=u > > > http://cvs.horde.org/diff.php/imp/smime.php?rt=horde&r1=2.48.4.13&r2=2.48.4.14&ty=u > > > > ----- > > > > Removing those htmlspecialchars() calls fixes things. This is not > the false positive security vulnerability that Gunnar reported > (QUERY_STRING data is irrelevant for purposes of Horde_Template > evaluation). > > > > Sorry if I didn't catch this previously - I've been up in the > mountains a bunch the past few weeks and haven't had a bunch of time > to peruse list traffic.
Attachment
Watch this ticket

Saved Queries