Fix XSS issue in a HTML attachment preview

Reported by aikido_security

Author: alecpl

CHANGELOG.md

@@ -15,6 +15,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
 - Security: Fix remote image blocking bypass via various SVG animate attributes
 - Security: Fix remote image blocking bypass via a crafted body background attribute
 - Security: Fix fixed position mitigation bypass via use of !important
+- Security: Fix XSS issue in a HTML attachment preview
 
 ## 1.7-rc4
 

program/lib/Roundcube/rcube_uploads.php

@@ -255,6 +255,9 @@ public function display_uploaded_file($file, $thumbnail = false)
             header('Content-Type: ' . $file['mimetype']);
             header('Content-Length: ' . $file['size']);
 
+            // Use strict security policy to make sure no javascript is executed
+            header("Content-Security-Policy: script-src 'none'");
+
             if (isset($file['data']) && is_string($file['data'])) {
                 echo $file['data'];
             } elseif (!empty($file['path'])) {