projects / squirrelmail.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixed XSS vulnarability in decodeHeader function spotted by Joost Pol
[squirrelmail.git] / functions / mime.php
diff --git a/functions/mime.php b/functions/mime.php
index 7bacc8625658c2136a934e44a7b2fef7d467dc3e..ca700c83cfa520a6f814219d9842fa1478b83218 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -659,7 +659,11 @@ function decodeHeader ($string, $utfencode=true,$htmlsave=true,$decide=false) {
             }
             $iLastMatch = $i;
             $j = $i;
-            $ret .= $res[1];
+            if ($htmlsave) {
+                $ret .= htmlspecialchars($res[1]);
+            } else {
+                $ret .= $res[1];
+            }
             $encoding = ucfirst($res[3]);
 
             /* decide about valid decoding */
Unnamed repository; edit this file 'description' to name the repository.