BTW, do we also allow downloads with an id? The sanitize may break the URL, FYI.
On 07/24/2013 02:43 PM, Jascha Burmeister wrote:
Hi,
we want to save it in a variable to use it in a html mail...
So the p() function uses print. We looked into it and found the
OC_Util::sanitizeHTML().
I think this should fix the XSS stuff :)
$str_filenames = ''; // collects one <li> per file for the HTML mail body
foreach ($filenames as $file) {
    // sanitizeHTML() is applied to the path before it is appended to the download URL
    $url_path = OCP\Util::linkToAbsolute('files', 'index.php') . '/download' . OC_Util::sanitizeHTML($file['path']);
    $link_text = basename($file['path']);
    $str_filenames .= '<li>
        <a href="' . $url_path . '" target="_blank">' . OC_Util::sanitizeHTML($link_text) . '</a>
        <font color="#696969">(' . OC_Util::sanitizeHTML($file['owner']) . ')</font>
    </li>';
}
So I'm waiting for an admin who approve my app in the "app store".
telcy / Jascha Burmeister
On 24.07.2013 at 13:35, Bernhard Posselt <[email protected]> wrote:
Lines 299 and 300 in lib/mailing.php contain XSS. Please either look up
how to prevent XSS in PHP or, even better, consider splitting your
logic and view by using templates (oc templates provide p(), which
does all the escaping for you).
On 07/24/2013 12:58 PM, Jascha Burmeister wrote:
Hi,
Any dev there who can approve my app?
http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982
Thank you
telcy
Jascha Burmeister
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
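The remark at the top of the thread, that HTML-sanitizing the path may break the download URL, comes down to using one encoder for two different contexts: the path goes into a URL, and the whole URL then goes into an HTML attribute. The following is an added PHP example, not code from the Mail Notification app or from ownCloud. It assumes that OC_Util::sanitizeHTML() behaves like htmlentities() with ENT_QUOTES (modelled here by a hypothetical sanitizeHTML_like()); the base URL, the sample path and the owner name are constructed for the demonstration, and downloadLinkBroken()/downloadUrl()/downloadLinkFixed() are hypothetical helper names.

```php
<?php
// Added example, not the app's or ownCloud's own code.
// Assumption: OC_Util::sanitizeHTML() is htmlentities($s, ENT_QUOTES, 'UTF-8').
function sanitizeHTML_like(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Wrong context: HTML-escaping a value that becomes part of the URL *path*.
// '&' turns into '&amp;' (the server now looks for a different file name)
// and a space or '#' is left raw, so the link may not resolve at all.
function downloadLinkBroken(string $base, string $path): string {
    return $base . '/download' . sanitizeHTML_like($path);
}

// Right: encode for the URL context first. Percent-encode each path
// segment separately so the '/' separators survive and everything else
// ('&', ' ', '#', '?', non-ASCII) is made safe for the path.
function downloadUrl(string $base, string $path): string {
    $segments = array_map('rawurlencode', explode('/', ltrim($path, '/')));
    return $base . '/download/' . implode('/', $segments);
}

// Then escape for the HTML context: the finished URL goes into an
// attribute, the file name and owner go into element text. Each value
// is escaped exactly once, in the encoding its destination needs.
function downloadLinkFixed(string $base, string $path, string $owner): string {
    $url  = htmlspecialchars(downloadUrl($base, $path), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
    $who  = htmlspecialchars($owner, ENT_QUOTES, 'UTF-8');
    return '<li><a href="' . $url . '" target="_blank">' . $text . '</a>'
         . ' <font color="#696969">(' . $who . ')</font></li>';
}

// Constructed sample input: a path with characters that matter in both
// contexts, and an owner name carrying a typical XSS probe.
$base  = 'https://cloud.example.org/index.php';  // hypothetical instance
$path  = '/docs/R&D notes #1.txt';
$owner = '<script>alert(1)</script>';

echo downloadLinkBroken($base, $path), "\n";
echo downloadLinkFixed($base, $path, $owner), "\n";
```

Run it with `php example.php` and compare the two lines: the first keeps the raw space and turns `&` into `&amp;` inside the path, the second produces `R%26D%20notes%20%231.txt` in the href while the owner's `<script>` is rendered as inert text. This is also why the earlier advice to use templates and p() matters: p() covers the HTML context, but the URL context still has to be handled before the value reaches the template.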