author | Michael Hamann <michael@content-space.de> | 2012-09-08 15:38:02 +0200 |
---|---|---|
committer | Michael Hamann <michael@content-space.de> | 2012-09-08 15:52:06 +0200 |
commit | 00b89f9b24934b93f57c50dbe11f36f5289b704b (patch) | |
tree | 555140780cba92626503a3a0c3127a5cbbdcb5d1 /inc | |
parent | fbfbbe8a285a488c3feab53f47a9216fdd999a42 (diff) | |
download | rpg-00b89f9b24934b93f57c50dbe11f36f5289b704b.tar.gz rpg-00b89f9b24934b93f57c50dbe11f36f5289b704b.tar.bz2 |
Fix encoding of special characters in HTML mails FS#2590
Before this change it was possible to send arbitrary HTML content to
subscribers. If you are using HTML subscription mails and have
untrustworthy editors, it is recommended to upgrade as soon as possible
(this doesn't affect the current stable release).
Diffstat (limited to 'inc')
-rw-r--r-- | inc/common.php | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/inc/common.php b/inc/common.php
index ac7e744d8..20baed6c0 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -1150,14 +1150,18 @@ function notify($id, $who, $rev = '', $summary = '', $minor = false, $replace =
 } elseif($rev) {
 $subject = $lang['mail_changed'].' '.$id;
 $trep['OLDPAGE'] = wl($id, "rev=$rev", true, '&');
- $df = new Diff(explode("\n", rawWiki($id, $rev)),
- explode("\n", rawWiki($id)));
+ $old_content = rawWiki($id, $rev);
+ $new_content = rawWiki($id);
+ $df = new Diff(explode("\n", $old_content),
+ explode("\n", $new_content));
 $dformat = new UnifiedDiffFormatter();
 $tdiff = $dformat->format($df);
 $DIFF_INLINESTYLES = true;
+ $hdf = new Diff(explode("\n", hsc($old_content)),
+ explode("\n", hsc($new_content)));
 $dformat = new InlineDiffFormatter();
- $hdiff = $dformat->format($df);
+ $hdiff = $dformat->format($hdf);
 $hdiff = '<table>'.$hdiff.'</table>';
 $DIFF_INLINESTYLES = false;
 } else {
|
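Review bot: The two `$hdf = new Diff(... hsc($old_content) ...)` lines deserve a comment saying why the escape is applied to the page text before diffing rather than to the finished `$hdiff`, because a later reader may otherwise "fix" it by escaping the output and destroy the formatter's own markup; e.g. `// escape page text before diffing: the formatter's <ins>/<del> and the <table> wrapper must stay the only HTML in the mail`. Since hsc() does not alter newlines, the explode("\n") line counts of the escaped text stay aligned with the plain-text diff, which is what keeps `$tdiff` and `$hdiff` describing the same change. If InlineDiffFormatter marks changes below line granularity, it is worth confirming it cannot place its tags inside a multi-character entity such as `&lt;`; that cannot be judged from this hunk. Other `$trep` placeholders filled from editor-controlled values are not visible here, so whether they receive the same escaping before the HTML template is rendered should be checked in the rest of notify(), which begins and ends outside this hunk.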