From 48913cf3af81875d6e5c6f32e030c5913f22f25d Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Tue, 7 Sep 2010 23:58:21 -0600
Subject: [PATCH] Bug #9240: properly escape elements in dimp.
Escape mailbox label since it is directly inserted into page in the message list title bar. Escape growler message because it may include user submitted input.
---
imp/docs/CHANGES | 2 ++
imp/js/dimpcore.js | 4 ++--
imp/lib/Views/ListMessages.php | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
index 8bb6244a5..6aec7d43c 100644
--- a/imp/docs/CHANGES
+++ b/imp/docs/CHANGES
@@ -2471,6 +2471,8 @@ OLD DIMP CHANGELOG
 v1.1.5-cvs
 ----------
+[mms] SECURITY: XSS - Make sure mailbox name displayed on mailbox page is
+ properly encoded (Bug #9240).
 [jan] Fix notices with certain output buffer configurations (Valentin.Vidic@CARNet.hr, Bug #7851).
 [mms] Turn DNS prefetching off when displaying untrusted message content
diff --git a/imp/js/dimpcore.js b/imp/js/dimpcore.js
index 67c705685..c16e9d32d 100644
--- a/imp/js/dimpcore.js
+++ b/imp/js/dimpcore.js
@@ -242,7 +242,7 @@ var DimpCore = {
 case 'horde.message':
 case 'horde.success':
 case 'horde.warning':
- this.Growler.growl(m.message, {
+ this.Growler.growl(m.message.escapeHTML(), {
 className: m.type.replace('.', '-'),
 life: (m.type == 'horde.error' ? 12 : 8),
 log: 1
@@ -252,7 +252,7 @@ var DimpCore = {
 case 'imp.reply':
 case 'imp.forward':
 case 'imp.redirect':
- this.Growler.growl(m.message, {
+ this.Growler.growl(m.message.escapeHTML(), {
 className: m.type.replace('.', '-'),
 life: 8
 });
diff --git a/imp/lib/Views/ListMessages.php b/imp/lib/Views/ListMessages.php
index 7b3e2bf74..9787c943b 100644
--- a/imp/lib/Views/ListMessages.php
+++ b/imp/lib/Views/ListMessages.php
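Review bot: The escaping is applied at each growl() call site rather than in the sink, so any other present or future caller of `this.Growler.growl` stays unescaped unless it is patched individually; escaping once inside `Growler.growl` (or a single `DimpCore` wrapper every notification goes through) closes that gap for good. The `life` expression on these lines references `horde.error`, but that `case` label is outside the hunk, so whether it shares this ladder and is therefore covered cannot be confirmed here. `m.message.escapeHTML()` also presumes `message` is a string; a non-string value in one notification would throw and abort processing of the remaining ones, so `String(m.message).escapeHTML()` is the safer form. The enclosing `switch` and the `DimpCore` object both start and end outside the hunk.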
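Review bot: Unconditional `escapeHTML()` on the reply/forward/redirect path will turn any notification the server deliberately emits as markup into visible literal tags, and nothing in the hunk inspects a flag on `m` that would distinguish the two cases (Horde's notification layer has a `content.raw` flag, if it is carried into this JSON — not visible here). If these messages are meant to be plain text only, a comment such as `// Escape unconditionally: message may echo user input (Bug #9240)` above the call records that decision so it is not undone later. This also appears to be Prototype's `String#escapeHTML`, which encodes `&`, `<` and `>` but not quotes, so it is only sufficient as long as Growler inserts the message as element content and never into an attribute or script context. The enclosing `switch` continues outside the hunk.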
@@ -456,7 +456,7 @@ class IMP_Views_ListMessages
 $ob = new stdClass;
 $ob->cacheid = 0;
 $ob->data = array();
- $ob->label = IMP::getLabel($mbox);
+ $ob->label = htmlspecialchars(IMP::getLabel($mbox));
 $ob->metadata = new stdClass;
 $ob->rowlist = array();
 $ob->totalrows = 0;
-- 
2.11.0
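Review bot: `htmlspecialchars()` is called with no flags and no charset, so single quotes are left unencoded and the character set falls back to PHP's default (ISO-8859-1 before 5.4, UTF-8 from 5.4, where an invalid byte sequence makes the call return an empty string and the label silently vanishes); `htmlspecialchars(IMP::getLabel($mbox), ENT_QUOTES, 'UTF-8')` pins both and is the usual Horde idiom — check what the surrounding code uses. Pre-escaping inside the JSON payload also commits the client to treating `label` as HTML only; any consumer that assigns it to `document.title` or `textContent` will display `&amp;` instead of `&`, so a comment on the line such as `// Pre-escaped: the client inserts label as HTML (Bug #9240)` would document that contract. The method this hunk sits in begins and ends outside the hunk.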