From 00b89f9b24934b93f57c50dbe11f36f5289b704b Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Sat, 8 Sep 2012 15:38:02 +0200
Subject: [PATCH] Fix encoding of special characters in HTML mails FS#2590

Before this change it was possible to send arbitrary HTML content to
subscribers. If you are using HTML subscription mails and have
untrustworthy editors, it is recommended to upgrade as soon as possible
(this doesn't affect the current stable release).
---
 inc/common.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/inc/common.php b/inc/common.php
index ac7e744d8..20baed6c0 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -1150,14 +1150,18 @@ function notify($id, $who, $rev = '', $summary = '', $minor = false, $replace =
     } elseif($rev) {
         $subject         = $lang['mail_changed'].' '.$id;
         $trep['OLDPAGE'] = wl($id, "rev=$rev", true, '&');
-        $df              = new Diff(explode("\n", rawWiki($id, $rev)),
-                                    explode("\n", rawWiki($id)));
+        $old_content     = rawWiki($id, $rev);
+        $new_content     = rawWiki($id);
+        $df              = new Diff(explode("\n", $old_content),
+                                    explode("\n", $new_content));
         $dformat         = new UnifiedDiffFormatter();
         $tdiff           = $dformat->format($df);
 
         $DIFF_INLINESTYLES = true;
+        $hdf               = new Diff(explode("\n", hsc($old_content)),
+                                      explode("\n", hsc($new_content)));
         $dformat           = new InlineDiffFormatter();
-        $hdiff             = $dformat->format($df);
+        $hdiff             = $dformat->format($hdf);
         $hdiff             = '<table>'.$hdiff.'</table>';
         $DIFF_INLINESTYLES = false;
     } else {
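Review bot: The escaped diff `$hdf` is only line-aligned with `$df` if hsc() never adds or removes newlines; that holds for an htmlspecialchars() wrapper, but nothing on the hunk records why the text is escaped before diffing rather than escaping the formatter output, so a comment such as `// diff the escaped text (not the formatter output) so the inline formatter's own markup survives while wiki text cannot inject HTML into the mail` would make the intent clear. Running the diff algorithm twice over the same content is acceptable for a notification mail but worth a short note, since the plain-text and HTML diffs can now highlight different boundaries where entities like `&amp;` are involved. The global `$DIFF_INLINESTYLES` is set to true before the format() call and reset afterwards, so it would stay true if format() bails out; the commit does not address that. The enclosing notify() starts before and continues past this hunk, and if its other branches also place rawWiki() output into the HTML mail body they presumably need the same escaping, which cannot be confirmed from here.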
-- 
GitLab