Fix handling encoding of HTML tags in "inline" JSON output (#6207)

roundcube · Mar 7, 2018 · a451ad6 · a451ad6
1 parent 981cd87
commit a451ad6
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -79,6 +79,7 @@ CHANGELOG Roundcube Webmail
 - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 - Added 9pt and 11pt to the list of font sizes in HTML editor
+- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
 
 RELEASE 1.3.4
 -------------

diff --git a/program/include/rcmail_output_json.php b/program/include/rcmail_output_json.php
@@ -232,7 +232,7 @@ protected function remote_response($add = '')
         $response = $hook['response'];
         unset($hook['response']);
 
-        echo self::json_serialize($response, $this->devel_mode);
+        echo self::json_serialize($response, $this->devel_mode, false);
     }
 
     /**
@@ -245,7 +245,7 @@ protected function get_js_commands()
         foreach ($this->commands as $i => $args) {
             $method = array_shift($args);
             foreach ($args as $i => $arg) {
-                $args[$i] = self::json_serialize($arg, $this->devel_mode);
+                $args[$i] = self::json_serialize($arg, $this->devel_mode, false);
             }
 
             $out .= sprintf(

diff --git a/program/lib/Roundcube/rcube_output.php b/program/lib/Roundcube/rcube_output.php
@@ -321,14 +321,22 @@ public static function get_edit_field($col, $value, $attrib, $type = 'text')
      *
      * @param mixed   $input  Input value
      * @param boolean $pretty Enable JSON formatting
+     * @param boolean $inline Enable inline mode (generates output safe for use inside HTML)
      *
      * @return string Serialized JSON string
      */
-    public static function json_serialize($input, $pretty = false)
+    public static function json_serialize($input, $pretty = false, $inline = true)
     {
+        // The input need to be valid UTF-8 to use with json_encode()
         $input   = rcube_charset::clean($input);
         $options = JSON_UNESCAPED_SLASHES;
 
+        // JSON_HEX_TAG is needed for inlining JSON inside of the <script> tag
+        // if input contains a html tag it will cause issues (#6207)
+        if ($inline) {
+            $options |= JSON_HEX_TAG;
+        }
+
         // JSON_UNESCAPED_UNICODE in PHP < 7.1.0 does not escape U+2028 and U+2029
         // which causes issues (#6187)
         if (PHP_VERSION_ID >= 70100) {