Fix XSS issue in a HTML attachment preview

Reported by aikido_security
This commit is contained in:
Aleksander Machniak
2026-03-18 10:23:34 +01:00
parent 57dec0c127
commit d742954ccb
2 changed files with 4 additions and 0 deletions


@@ -683,6 +683,9 @@ abstract class rcmail_action
header('Content-Type: ' . $file['mimetype']);
header('Content-Length: ' . $file['size']);
// Use strict security policy to make sure no javascript is executed
header("Content-Security-Policy: script-src 'none'");
if (isset($file['data']) && is_string($file['data'])) {
echo $file['data'];
}