<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Hi,</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">we want to save it in a variable to use it in a html mail…</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">So the <font 
color="#ff4013">p()</font> function uses print. We looked into it and found the <font color="#d58400">OC_Util::sanitizeHTML()</font><span style="color: rgb(0, 0, 0); ">.</span></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">I think this should fix the XSS stuff :)</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br></div><div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; 
text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div><font color="#4f7a28">foreach($filenames as $file){</font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span>$url_path = OCP\Util::linkToAbsolute('files','index.php').'/download'.OC_Util::sanitizeHTML($file['path']);</font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span>$link_text = basename($file['path']);</font></div><div><font color="#4f7a28"><br></font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span>$str_filenames .= '<li></font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span><a href="'.$url_path.'" target="_blank">'. OC_Util::sanitizeHTML($link_text).'</a> </font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span><font color="#696969">('.OC_Util::sanitizeHTML($file['owner']).')</font></font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span></li>';</font></div><div><font color="#4f7a28"><span class="Apple-tab-span" style="white-space: pre; "> </span>}</font></div><div><font color="#4f7a28"><br></font></div><div><font color="#4f7a28"><br></font></div><div>So I'm waiting for an admin who approve my app in the "app store".</div><div><br></div><div><br></div><div>telcy / Jascha Burmeister</div><div><br></div><div style="color: rgb(0, 0, 0); "><br></div></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div 
style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; ">
</span></div></div></div></div><br><div><div>On 24.07.2013 at 13:35, Bernhard Posselt &lt;<a href="mailto:nukeawhale@gmail.com">nukeawhale@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Line 299 and 300 in lib/mailing.php
contain XSS. Please either look up how to prevent XSS in PHP or
even better: consider splitting your logic and view by using
templates (oc templates provide p() which does all the escaping
for you)<br>
<br>
On 07/24/2013 12:58 PM, Jascha Burmeister wrote:<br>
</div>
<blockquote cite="mid:70198B86-4193-44E9-8F15-A51D625196BC@wortbildton.de" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Hi,
<div><br>
</div>
<div>Any dev there who can approve my app?</div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982">http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982</a></div>
<div><br>
</div>
<div>Thank you</div>
<div><br>
</div>
<div>telcy</div>
<div><br>
</div>
<div>Jascha Burmeister</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Owncloud mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Owncloud@kde.org">Owncloud@kde.org</a>
<a class="moz-txt-link-freetext" href="https://mail.kde.org/mailman/listinfo/owncloud">https://mail.kde.org/mailman/listinfo/owncloud</a>
</pre>
</blockquote>
<br>
</div>
</blockquote></div><br></body></html>