mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Improved app security
This commit is contained in:
parent
b244462fa5
commit
8eb4588917
4 changed files with 20 additions and 1 deletions
|
|
@ -1100,6 +1100,13 @@ class HtmlUtils
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$sLinkHref = \trim($oElement->getAttribute('xlink:href'));
|
||||||
|
if ($sLinkHref && !\preg_match('/^(http[s]?):/i', $sLinkHref) && '//' !== \substr($sLinkHref, 0, 2))
|
||||||
|
{
|
||||||
|
$oElement->setAttribute('data-x-blocked-xlink-href', $sLinkHref);
|
||||||
|
$oElement->removeAttribute('xlink:href');
|
||||||
|
}
|
||||||
|
|
||||||
if (\in_array($sTagNameLower, array('a', 'form', 'area')))
|
if (\in_array($sTagNameLower, array('a', 'form', 'area')))
|
||||||
{
|
{
|
||||||
$oElement->setAttribute('target', '_blank');
|
$oElement->setAttribute('target', '_blank');
|
||||||
|
|
|
||||||
|
|
@ -198,6 +198,7 @@ class Application extends \RainLoop\Config\AbstractConfig
|
||||||
|
|
||||||
'custom_server_signature' => array('RainLoop'),
|
'custom_server_signature' => array('RainLoop'),
|
||||||
'x_frame_options_header' => array(''),
|
'x_frame_options_header' => array(''),
|
||||||
|
'x_xss_protection_header' => array('1; mode=block'),
|
||||||
|
|
||||||
'openpgp' => array(false),
|
'openpgp' => array(false),
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -47,6 +47,12 @@ class Service
|
||||||
@\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
@\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));
|
||||||
|
if (0 < \strlen($sXssProtectionOptionsHeader))
|
||||||
|
{
|
||||||
|
@\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
|
||||||
|
}
|
||||||
|
|
||||||
if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
|
if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
|
||||||
{
|
{
|
||||||
@\header('Location: https://'.$this->oHttp->GetHost(false, false).$this->oHttp->GetUrl(), true);
|
@\header('Location: https://'.$this->oHttp->GetHost(false, false).$this->oHttp->GetUrl(), true);
|
||||||
|
|
@ -248,6 +254,10 @@ class Service
|
||||||
|
|
||||||
$sResult .= ']-->';
|
$sResult .= ']-->';
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
@\header('X-XSS-Protection: 1; mode=block');
|
||||||
|
}
|
||||||
|
|
||||||
// Output result
|
// Output result
|
||||||
echo $sResult;
|
echo $sResult;
|
||||||
|
|
|
||||||
|
|
@ -498,6 +498,7 @@ class ServiceActions
|
||||||
if (\method_exists($this->oActions, $sMethodName))
|
if (\method_exists($this->oActions, $sMethodName))
|
||||||
{
|
{
|
||||||
@\header('X-Raw-Action: '.$sMethodName, true);
|
@\header('X-Raw-Action: '.$sMethodName, true);
|
||||||
|
@\header('Content-Security-Policy: default-src \'self\'; script-src \'none\'; style-src \'none\'; frame-src \'none\'; child-src \'none\'', true);
|
||||||
|
|
||||||
$sRawError = '';
|
$sRawError = '';
|
||||||
$this->oActions->SetActionParams(array(
|
$this->oActions->SetActionParams(array(
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue