Hi,

We want to save it in a variable to use it in an HTML mail…

So the p() function uses print. We looked into it and found OC_Util::sanitizeHTML().

I think this should fix the XSS stuff :)


foreach ($filenames as $file) {
    // Build the download URL; the path is escaped so it cannot break out of the href attribute.
    $url_path = OCP\Util::linkToAbsolute('files', 'index.php') . '/download' . OC_Util::sanitizeHTML($file['path']);
    $link_text = basename($file['path']);

    // Every untrusted value (link text, owner) is escaped before it is concatenated into the HTML.
    $str_filenames .= '<li>
        <a href="' . $url_path . '" target="_blank">' . OC_Util::sanitizeHTML($link_text) . '</a>
        <font color="#696969">(' . OC_Util::sanitizeHTML($file['owner']) . ')</font>
        </li>';
}


So I'm waiting for an admin who approves my app in the "app store".


telcy / Jascha Burmeister



On 24.07.2013 at 13:35, Bernhard Posselt <nukeawh...@gmail.com> wrote:

> Line 299 and 300 in lib/mailing.php contain XSS. Please either look up how to 
> prevent XSS in PHP or even better: consider splitting your logic and view by 
> using templates (oc templates provide p() which does all the escaping for you)
> 
> On 07/24/2013 12:58 PM, Jascha Burmeister wrote:
>> Hi,
>> 
>> Any dev there who can approve my app?
>> 
>> http://apps.owncloud.com/content/show.php/Mail+Notification?content=155982
>> 
>> Thank you
>> 
>> telcy
>> 
>> Jascha Burmeister
>> 
>> 
>> _______________________________________________
>> Owncloud mailing list
>> Owncloud@kde.org
>> https://mail.kde.org/mailman/listinfo/owncloud
> 

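The thread's fix escapes file names and owners with OC_Util::sanitizeHTML() before concatenating them into the mail body. The standalone PHP below is an added example, not code from the Mail Notification app or from ownCloud: it places the unescaped pattern Bernhard objected to beside a hardened version, using htmlspecialchars() in place of OC_Util::sanitizeHTML() (which is assumed to wrap htmlentities()) so that it runs without ownCloud. The function names esc_html, esc_url_path, render_file_list_unsafe and render_file_list_safe, the $base_url stand-in for OCP\Util::linkToAbsolute('files', 'index.php') and the sample file rows are all assumptions made for this example.

```php
<?php
// Added example (not the app's or ownCloud's code): building an HTML file list for a
// mail so that file names and owners cannot inject markup into the message.
// Assumption: $files is an array of ['path' => ..., 'owner' => ...] rows as in the thread.

declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted HTML attribute. */
function esc_html(string $value): string
{
    // ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps invalid UTF-8
    // from silently turning the whole output into an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Percent-encode each segment of a path so URL metacharacters (#, ?, &) stay literal. */
function esc_url_path(string $path): string
{
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

/** BEFORE: untrusted data concatenated straight into HTML (the pattern flagged in review). */
function render_file_list_unsafe(array $files, string $base_url): string
{
    $html = '';
    foreach ($files as $file) {
        $url_path  = $base_url . '/download' . $file['path'];
        $link_text = basename($file['path']);
        $html .= '<li><a href="' . $url_path . '" target="_blank">' . $link_text . '</a> '
               . '<font color="#696969">(' . $file['owner'] . ')</font></li>' . "\n";
    }
    return $html;
}

/** AFTER: every untrusted value is encoded for the context it is placed in. */
function render_file_list_safe(array $files, string $base_url): string
{
    $html = '';
    foreach ($files as $file) {
        // URL context first (percent-encoding), then attribute context (HTML escaping).
        $href      = esc_html($base_url . '/download' . esc_url_path($file['path']));
        $link_text = esc_html(basename($file['path']));
        $owner     = esc_html($file['owner']);
        $html .= '<li><a href="' . $href . '" target="_blank">' . $link_text . '</a> '
               . '<font color="#696969">(' . $owner . ')</font></li>' . "\n";
    }
    return $html;
}

// Constructed sample input: names containing characters that are significant in HTML or URLs.
$files = [
    ['path' => '/Documents/report "Q3" <draft>.pdf', 'owner' => 'Alice & Bob'],
    ['path' => '/Photos/summer#1/beach.jpg',         'owner' => 'carol'],
];
$base_url = 'https://cloud.example.test/index.php'; // stand-in for OCP\Util::linkToAbsolute()

echo "unsafe:\n", render_file_list_unsafe($files, $base_url), "\n";
echo "safe:\n",   render_file_list_safe($files, $base_url);
```

Run it with `php example.php` and compare the two listings: in the unsafe output the quotes in the first file name close the href attribute early and the `<draft>` text becomes a tag, while the `#` in the second path turns the rest of the URL into a fragment. HTML escaping alone (whether via htmlspecialchars() or OC_Util::sanitizeHTML()) fixes the attribute and text-node problems, which is what the thread's patch does; percent-encoding the path segments is the extra step that keeps the link itself intact, and a template helper such as ownCloud's p() removes the need to remember either call at every concatenation.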