<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div apple-content-edited="true"><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span></span>
</div>
</span></div></div></div></div><br><div><div>On 24.07.2013 at 14:46, Bernhard Posselt <<a href="mailto:nukeawhale@gmail.com">nukeawhale@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Just upload the new package.<br>
      <br>
      On 07/24/2013 02:43 PM, Jascha Burmeister wrote:<br>
    </div>
    <blockquote cite="mid:2A6A87C9-2354-4975-B929-1629890997FB@wortbildton.de" type="cite">
      <br>
      <div apple-content-edited="true">
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Hi,</div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
        </div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">We want to save it in a
          variable to use it in an HTML mail…</div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
        </div>
        <div style="font-family: Helvetica; font-size: medium;
          font-style: normal; font-variant: normal; font-weight: normal;
          letter-spacing: normal; line-height: normal; orphans: 2;
          text-align: -webkit-auto; text-indent: 0px; text-transform:
          none; white-space: normal; widows: 2; word-spacing: 0px;
          -webkit-text-size-adjust: auto; -webkit-text-stroke-width:
          0px; ">So the <font color="#ff4013">p()</font> function uses
          print. We looked into it and found the <font color="#d58400">OC_Util::sanitizeHTML()</font><span style="">.</span></div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
        </div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">I think this should fix the
          XSS stuff :)</div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
        </div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
        </div>
        <div style="font-family: Helvetica; font-size: medium;
          font-style: normal; font-variant: normal; font-weight: normal;
          letter-spacing: normal; line-height: normal; orphans: 2;
          text-align: -webkit-auto; text-indent: 0px; text-transform:
          none; white-space: normal; widows: 2; word-spacing: 0px;
          -webkit-text-size-adjust: auto; -webkit-text-stroke-width:
          0px; ">
          <pre wrap="">// Posted fix: build one &lt;li&gt; per shared file; every value that ends up
// in the mail's HTML goes through OC_Util::sanitizeHTML() first.
$str_filenames = '';  // added here so the .= below has a string to append to
foreach($filenames as $file){
    // sanitizeHTML() HTML-escapes the path; it does not URL-encode it
    $url_path = OCP\Util::linkToAbsolute('files','index.php').'/download'.OC_Util::sanitizeHTML($file['path']);
    $link_text = basename($file['path']);

    // link text and owner are escaped for the HTML text context
    $str_filenames .= '&lt;li&gt;
    &lt;a href="'.$url_path.'" target="_blank"&gt;'. OC_Util::sanitizeHTML($link_text).'&lt;/a&gt;
    &lt;font color="#696969"&gt;('.OC_Util::sanitizeHTML($file['owner']).')&lt;/font&gt;
    &lt;/li&gt;';
}
</pre>
          <div><font color="#4f7a28"><br>
            </font></div>
          <div><font color="#4f7a28"><br>
            </font></div>
          <div>So I'm waiting for an admin who approves my app in the
            "app store".</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>telcy / Jascha Burmeister</div>
          <div><br>
          </div>
          <div style=""><br>
          </div>
        </div>
        <div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">
          <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
            -webkit-line-break: after-white-space; ">
            <div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse:
                separate; border-spacing: 0px; ">
              </span></div>
          </div>
        </div>
      </div>
      <br>
      <div>
        <div>On 24.07.2013 at 13:35, Bernhard Posselt <<a moz-do-not-send="true" href="mailto:nukeawhale@gmail.com">nukeawhale@gmail.com</a>> wrote:</div>
        <br class="Apple-interchange-newline">
        <blockquote type="cite">
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="moz-cite-prefix">Lines 299 and 300 in
              lib/mailing.php contain XSS. Please either look up how to
              prevent XSS in PHP or, even better, consider splitting your
              logic and view by using templates (oc templates provide
              p(), which does all the escaping for you)<br>
              <br>
              On 07/24/2013 12:58 PM, Jascha Burmeister wrote:<br>
            </div>
            <blockquote cite="mid:70198B86-4193-44E9-8F15-A51D625196BC@wortbildton.de" type="cite">
              Hi,
              <div><br>
              </div>
              <div>Any dev there who can approve my app?</div>
              <div><br>
              </div>
              <div><a moz-do-not-send="true" href="http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982">http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982</a></div>
              <div><br>
              </div>
              <div>Thank you</div>
              <div><br>
              </div>
              <div>telcy</div>
              <div><br>
              </div>
              <div>Jascha Burmeister</div>
              <br>
              <br>
              <pre wrap="">_______________________________________________
Owncloud mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Owncloud@kde.org">Owncloud@kde.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mail.kde.org/mailman/listinfo/owncloud">https://mail.kde.org/mailman/listinfo/owncloud</a>
</pre>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>
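The context-aware escaping that the review above asks for and the posted loop approximates, as an added example by the editor (not code from the thread, from ownCloud, or from the Mail Notification app): each value is escaped for the context it lands in, URL path, attribute or text node. OCP\Util::linkToAbsolute() and OC_Util::sanitizeHTML() are stood in for by plain PHP so the file runs on its own; the base URL and the file entries are constructed sample values.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread, from ownCloud or from the Mail
// Notification app. It renders the same <li><a>name</a> (owner)</li> list as
// the posted loop, but escapes each value for the context it is placed in.
// OCP\Util::linkToAbsolute() and OC_Util::sanitizeHTML() are replaced by
// plain PHP; the $baseUrl argument stands in for linkToAbsolute's result.

// HTML text and attribute context: ENT_QUOTES escapes both " and '.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL path context: percent-encode each segment but keep the '/' separators,
// so spaces, '#', '?' and '"' in a file name cannot alter or cut the URL.
function encodePath(string $path): string
{
    $segments = explode('/', ltrim($path, '/'));
    return '/' . implode('/', array_map('rawurlencode', $segments));
}

// $files: list of ['path' => ..., 'owner' => ...] as iterated by the posted loop.
function renderFileList(array $files, string $baseUrl): string
{
    $html = '';
    foreach ($files as $file) {
        // Assemble the complete URL first, then escape it once for the attribute.
        $url = $baseUrl . '/download' . encodePath($file['path']);
        $html .= '<li><a href="' . escHtml($url) . '" target="_blank">'
               . escHtml(basename($file['path'])) . '</a> '
               . '<font color="#696969">(' . escHtml($file['owner']) . ')</font></li>' . "\n";
    }
    return $html;
}

// Constructed sample input: the second entry carries quotes, angle brackets,
// a space and a '#' that would break out of the attribute, the text node or
// the URL if copied through unescaped.
$files = [
    ['path' => '/Photos/holiday.jpg', 'owner' => 'alice'],
    ['path' => '/report "<b>x" #1.pdf', 'owner' => '<b>mallory</b>'],
];
echo renderFileList($files, 'https://cloud.example/index.php');
```

Run it with `php` on the command line and compare the second `<li>`: the file name appears literally in the link text, and the href is a single percent-encoded path rather than a tag or attribute boundary.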