[Owncloud] App Mail Notify approve

Bernhard Posselt nukeawhale at gmail.com
Wed Jul 24 14:08:24 UTC 2013


BTW, do we also allow downloads with id? The sanitize may break the URL, FYI.

On 07/24/2013 02:43 PM, Jascha Burmeister wrote:
>
> Hi,
>
> we want to save it in a variable to use it in an HTML mail...
>
> So the p() function uses print. We looked into it and found the 
> OC_Util::sanitizeHTML().
>
> I think this should fix the XSS stuff :)
>
>
> foreach($filenames as $file){
>     $url_path = OCP\Util::linkToAbsolute('files','index.php').'/download'.OC_Util::sanitizeHTML($file['path']);
>     $link_text = basename($file['path']);
>
>     $str_filenames .= '<li>
>         <a href="'.$url_path.'" target="_blank">'.OC_Util::sanitizeHTML($link_text).'</a>
>         <font color="#696969">('.OC_Util::sanitizeHTML($file['owner']).')</font>
>     </li>';
> }
>
>
> So I'm waiting for an admin who approves my app in the "app store".
>
>
> telcy / Jascha Burmeister
>
>
>
> On 24.07.2013 at 13:35, Bernhard Posselt <nukeawhale at gmail.com> wrote:
>
>> Line 299 and 300 in lib/mailing.php contain XSS. Please either look up 
>> how to prevent XSS in PHP or, even better, consider splitting your 
>> logic and view by using templates (oc templates provide p(), which 
>> does all the escaping for you).
>>
>> On 07/24/2013 12:58 PM, Jascha Burmeister wrote:
>>> Hi,
>>>
>>> Any dev there who can approve my app?
>>>
>>> http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982
>>>
>>> Thank you
>>>
>>> telcy
>>>
>>> Jascha Burmeister
>>>
>>>
>>> _______________________________________________
>>> Owncloud mailing list
>>> Owncloud at kde.org
>>> https://mail.kde.org/mailman/listinfo/owncloud
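As an added example (not code from this mail or from the Mail Notify app), the same file list built with the two contexts handled separately: the path is percent-encoded for the URL, and only the displayed name and owner are HTML-escaped, so a path containing `#`, `&` or a quote neither breaks the link nor injects markup. Plain PHP functions stand in for OC_Util::sanitizeHTML() and OCP\Util::linkToAbsolute(); the download base URL and the sample paths are constructed.

```php
<?php
// Added example: context-specific escaping for the notification mail.
// Plain PHP stands in for the ownCloud helpers (assumed, not shown here).

/**
 * Percent-encode a file path segment by segment. Characters such as '#',
 * '?', '&', spaces or quotes can then no longer change the meaning of the
 * URL, while the '/' separators are preserved.
 */
function encodePathForUrl(string $path): string
{
    $segments = explode('/', $path);
    return implode('/', array_map('rawurlencode', $segments));
}

/** Escape a value for placement in HTML text or a quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the <li> list used in the mail.
 * $files: array of ['path' => string, 'owner' => string]
 * $downloadBase: absolute URL of the download endpoint (assumed value)
 */
function buildFileList(array $files, string $downloadBase): string
{
    $html = '';
    foreach ($files as $file) {
        // URL context: percent-encode first, then attribute-escape the result.
        $url = $downloadBase . encodePathForUrl($file['path']);
        // Text context: HTML-escape the displayed name and owner only.
        $html .= '<li><a href="' . escapeHtml($url) . '" target="_blank">'
               . escapeHtml(basename($file['path'])) . '</a> '
               . '<font color="#696969">(' . escapeHtml($file['owner']) . ')</font>'
               . "</li>\n";
    }
    return $html;
}

// Constructed sample input: paths that would break the link or inject
// markup if escaped for the wrong context.
$sample = [
    ['path' => '/docs/report #3 & notes.txt', 'owner' => 'alice'],
    ['path' => '/shared/<script>alert(1)</script>.pdf', 'owner' => 'bob <b@example.invalid>'],
];
echo buildFileList($sample, 'https://cloud.example.invalid/index.php/files/download');
```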
