Aha! It seems to be related to this commit, which I just saw: Am 01.08.2013 14:50, schrieb GitHub:
> Branch: refs/heads/master > Home: https://github.com/roundcube/roundcubemail > Commit: 93b0a30c1c8aa29d862b587b31e52bcc344b8d16 > > https://github.com/roundcube/roundcubemail/commit/93b0a30c1c8aa29d862b587b31e52bcc344b8d16 > Author: Aleksander Machniak <a...@alec.pl> > Date: 2013-08-01 (Thu, 01 Aug 2013) > > Changed paths: > M CHANGELOG > M program/steps/mail/compose.inc > > Log Message: > ----------- > Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - > added HTML content "washing" But apparently it does not "wash" (= remove?) HTML, but does add it...? Cheers, -- Michael Heydekamp Co-Admin freexp.de Düsseldorf/Germany Am 01.08.2013 23:20, schrieb Michael Heydekamp: > 1.0-git: When using "Edit as new" on a text/plain message, Roundcube > suddenly prefixes each message with... > > -------------------------------------------------------------------------- >> <!-- html ignored --><!-- head ignored --><!-- meta ignored --><body><p> > -------------------------------------------------------------------------- > > ... and closes it with... > > ------------- >> </p></body> > ------------- > > Plus that certain characters such as ">" and the double quote itself in the > body are converted to ">" and """. Interestingly, other 8bit chars > such as German Umlauts keep untouched, which is somewhat unlogical. > > I have no idea why Roundcube does this (especially as it didn't do it > before), but it doesn't look correct to me. > > Cheers, > -- > Michael Heydekamp > Co-Admin freexp.de > Düsseldorf/Germany > _______________________________________________ > Roundcube Development discussion mailing list > dev@lists.roundcube.net > http://lists.roundcube.net/mailman/listinfo/dev _______________________________________________ Roundcube Development discussion mailing list dev@lists.roundcube.net http://lists.roundcube.net/mailman/listinfo/dev
