<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div apple-content-edited="true"><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span></span>
</div>
</span></div></div></div></div><br><div><div>On 24.07.2013 at 14:46, Bernhard Posselt <<a href="mailto:nukeawhale@gmail.com">nukeawhale@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Just upload the new package.<br>
<br>
On 07/24/2013 02:43 PM, Jascha Burmeister wrote:<br>
</div>
<blockquote cite="mid:2A6A87C9-2354-4975-B929-1629890997FB@wortbildton.de" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<br>
<div apple-content-edited="true">
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Hi,</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">we want to save it in a
variable to use it in an HTML mail…</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
</div>
<div style="font-family: Helvetica; font-size: medium;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: 2;
text-align: -webkit-auto; text-indent: 0px; text-transform:
none; white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; ">So the <font color="#ff4013">p()</font> function uses
print. We looked into it and found the <font color="#d58400">OC_Util::sanitizeHTML()</font><span style="">.</span></div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">I think this should fix the
XSS stuff :)</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br>
</div>
<div style="font-family: Helvetica; font-size: medium;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: 2;
text-align: -webkit-auto; text-indent: 0px; text-transform:
none; white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; ">
<pre wrap="">foreach($filenames as $file){
	$url_path = OCP\Util::linkToAbsolute('files','index.php').'/download'.OC_Util::sanitizeHTML($file['path']);
	$link_text = basename($file['path']);

	$str_filenames .= '&lt;li&gt;
	&lt;a href="'.$url_path.'" target="_blank"&gt;'. OC_Util::sanitizeHTML($link_text).'&lt;/a&gt;
	('.OC_Util::sanitizeHTML($file['owner']).')
	&lt;/li&gt;';
}
</pre>
<div><br>
</div>
<div>So I'm waiting for an admin who approves my app in the
"app store".</div>
<div><br>
</div>
<div><br>
</div>
<div>telcy / Jascha Burmeister</div>
<div><br>
</div>
<div style=""><br>
</div>
</div>
<div style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space; ">
<div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse:
separate; border-spacing: 0px; ">
</span></div>
</div>
</div>
</div>
<br>
<div>
<div>On 24.07.2013 at 13:35, Bernhard Posselt <<a moz-do-not-send="true" href="mailto:nukeawhale@gmail.com">nukeawhale@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Lines 299 and 300 in
lib/mailing.php contain XSS. Please either look up how to
prevent XSS in PHP or even better: consider splitting your
logic and view by using templates (oc templates provide
p() which does all the escaping for you)<br>
<br>
On 07/24/2013 12:58 PM, Jascha Burmeister wrote:<br>
</div>
<blockquote cite="mid:70198B86-4193-44E9-8F15-A51D625196BC@wortbildton.de" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Hi,
<div><br>
</div>
<div>Any dev there who can approve my app?</div>
<div><br>
</div>
<div><a moz-do-not-send="true" href="http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982">http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982</a></div>
<div><br>
</div>
<div>Thank you</div>
<div><br>
</div>
<div>telcy</div>
<div><br>
</div>
<div>Jascha Burmeister</div>
<br>
<br>
<pre wrap="">_______________________________________________
Owncloud mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Owncloud@kde.org">Owncloud@kde.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://mail.kde.org/mailman/listinfo/owncloud">https://mail.kde.org/mailman/listinfo/owncloud</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
<br>
</blockquote>
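<div>Added example, written for this thread and not taken from the Mail Notification app, from ownCloud, or from any message above: it shows the escaping approach the thread discusses in plain PHP, returning the file list as a string (so it can go into a mail body without p()'s print) and escaping each value for the context it lands in, the path URL-encoded per segment and every HTML value passed through htmlspecialchars. The download URL, the shape of $files and the function names are assumptions.</div>

```php
<?php
// Added example: escape each value for the context it lands in and
// return the list as a string so it can be embedded in an HTML mail.
// Not code from the Mail Notification app or from ownCloud.
declare(strict_types=1);

// URL context: encode each path segment separately so "/" survives
// but spaces, quotes, "<", "#" and "?" cannot alter the URL.
// (Applying only HTML escaping to the path, as the posted fix does,
// leaves "#", "?" and spaces unencoded inside the link.)
function encodePathForUrl(string $path): string
{
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

// HTML context: text nodes and double-quoted attribute values.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// $files: array of ['path' => string, 'owner' => string] (assumed shape).
// $downloadBase: absolute URL of the download endpoint (assumed).
function renderFileList(array $files, string $downloadBase): string
{
    $html = '';
    foreach ($files as $file) {
        // First URL-encode the path, then HTML-escape the whole href value.
        $url = $downloadBase . encodePathForUrl($file['path']);
        $html .= '<li><a href="' . escapeHtml($url) . '" target="_blank">'
            . escapeHtml(basename($file['path'])) . '</a> '
            . '(' . escapeHtml($file['owner']) . ')</li>' . "\n";
    }
    return $html;
}

// Constructed sample input with characters that matter in HTML and URLs.
$sample = [
    ['path' => '/shared/report "Q3" <draft>.pdf', 'owner' => 'alice & co'],
    ['path' => '/docs/plan#1.txt',                'owner' => 'bob'],
];
echo renderFileList($sample, 'https://cloud.example/index.php/download');
```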
<br>
</div>
</blockquote></div><br></div></body></html>