#
# COPYRIGHT:
#
-# This software is Copyright (c) 1996-2012 Best Practical Solutions, LLC
+# This software is Copyright (c) 1996-2013 Best Practical Solutions, LLC
# <sales@bestpractical.com>
#
# (Except where explicitly superseded by other copyright notices)
use RT::Interface::Web::Handler;
use RT::Interface::Web;
use File::Temp 'tempdir';
+use HTML::Scrubber;
sub MailDashboards {
my $self = shift;
}
}
+ $content = ScrubContent($content);
+
$RT::Logger->debug("Got ".length($content)." characters of output.");
$content = HTML::RewriteAttributes::Links->rewrite(
Type => $mimetype,
Encoding => $encoding,
Disposition => 'inline',
- Name => $filename,
+ Name => RT::Interface::Email::EncodeToMIME( String => $filename ),
'Content-Id' => $cid_of{$uri},
);
);
my $entity = MIME::Entity->build(
- From => $args{From},
- To => $args{To},
- Subject => $args{Subject},
+ From => Encode::encode_utf8($args{From}),
+ To => Encode::encode_utf8($args{To}),
+ Subject => RT::Interface::Email::EncodeToMIME( String => $args{Subject} ),
Type => "multipart/mixed",
);
}
}
+{
+ my $scrubber;
+
+ sub _scrubber {
+ unless ($scrubber) {
+ $scrubber = HTML::Scrubber->new;
+ # Allow everything by default, except JS attributes ...
+ $scrubber->default(
+ 1 => {
+ '*' => 1,
+ map { ("on$_" => 0) }
+ qw(blur change click dblclick error focus keydown keypress keyup load
+ mousedown mousemove mouseout mouseover mouseup reset select submit unload)
+ }
+ );
+ # ... and <script>s
+ $scrubber->deny('script');
+ }
+ return $scrubber;
+ }
+
+ sub ScrubContent {
+ my $content = shift;
+ return _scrubber->scrub($content);
+ }
+}
+
{
my %cache;
{
package RT::Dashboard::FakeRequest;
sub new { bless {}, shift }
- sub header_out { shift }
- sub headers_out { shift }
+ sub header_out { return undef }
+ sub headers_out { wantarray ? () : {} }
+ sub err_headers_out { wantarray ? () : {} }
sub content_type {
my $self = shift;
$self->{content_type} = shift if @_;