From a451ad65991b16fb77de3865ba4eb306308ca2e0 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 7 Mar 2018 17:40:12 +0100
Subject: [PATCH] Fix handling encoding of HTML tags in "inline" JSON output (#6207)
---
 CHANGELOG | 1 +
 program/include/rcmail_output_json.php | 4 ++--
 program/lib/Roundcube/rcube_output.php | 10 +++++++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index ff906672aae..887de186bab 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -79,6 +79,7 @@ CHANGELOG Roundcube Webmail
 - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 - Added 9pt and 11pt to the list of font sizes in HTML editor
+- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
 
 RELEASE 1.3.4
 -------------

diff --git a/program/include/rcmail_output_json.php b/program/include/rcmail_output_json.php
index 5b559e2cda1..3a4e76f50e0 100644
--- a/program/include/rcmail_output_json.php
+++ b/program/include/rcmail_output_json.php
@@ -232,7 +232,7 @@ protected function remote_response($add = '')
 $response = $hook['response'];
 unset($hook['response']);
 
- echo self::json_serialize($response, $this->devel_mode);
+ echo self::json_serialize($response, $this->devel_mode, false);
 }
 
 /**
@@ -245,7 +245,7 @@ protected function get_js_commands()
 foreach ($this->commands as $i => $args) {
 $method = array_shift($args);
 foreach ($args as $i => $arg) {
- $args[$i] = self::json_serialize($arg, $this->devel_mode);
+ $args[$i] = self::json_serialize($arg, $this->devel_mode, false);
 }
 
 $out .= sprintf(
diff --git a/program/lib/Roundcube/rcube_output.php b/program/lib/Roundcube/rcube_output.php
index 6c104522ea1..f52cbee9ab5 100644
--- a/program/lib/Roundcube/rcube_output.php
+++ b/program/lib/Roundcube/rcube_output.php
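Review bot: Both new call sites in rcmail_output_json.php (the echo in remote_response and the argument loop in get_js_commands) pass a bare positional `false` whose meaning — skip the HTML-tag escaping because this JSON is never inlined into an HTML page — is invisible at the call site, and the safety of turning that escaping off rests on the response always being delivered as JSON rather than as an HTML document, which the hunk does not show (the Content-Type set by remote_response is outside it). I would record that assumption where it is made: `// $inline = false: this output is sent as a JSON response, never embedded in HTML, so JSON_HEX_TAG escaping is not needed` above the echo, and the same one-liner above the assignment in get_js_commands. Any caller that does write this serializer's output into an HTML context (none is visible here) must keep the default, since `<` and `>` would otherwise reach the markup unescaped. Both enclosing methods start before and continue after their hunks. Unrelated to the change, the inner `foreach ($args as $i => $arg)` reuses the outer loop's `$i`; harmless if the outer key is not read afterwards, but a distinct name would avoid the shadowing.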
@@ -321,14 +321,22 @@ public static function get_edit_field($col, $value, $attrib, $type = 'text')
 *
 * @param mixed $input Input value
 * @param boolean $pretty Enable JSON formatting
+ * @param boolean $inline Enable inline mode (generates output safe for use inside HTML)
 *
 * @return string Serialized JSON string
 */
- public static function json_serialize($input, $pretty = false)
+ public static function json_serialize($input, $pretty = false, $inline = true)
 {
+ // The input need to be valid UTF-8 to use with json_encode()
 $input = rcube_charset::clean($input);
 $options = JSON_UNESCAPED_SLASHES;
+ // JSON_HEX_TAG is needed for inlining JSON inside of the