Improve HTML escaping
[squirrelmail.git] / plugins / newmail / setup.php
index 9364b9a76ef2844fd4262a7d6cf07798654d3e4d..12bd65f75679a6926ce1cdd25ec2bedee2a7375c 100644 (file)
             }
 
             if ($totalNew > 0 && $newmail_enable == 'on' && $newmail_media != '' ) {
-                echo "<EMBED SRC=\"$newmail_media\" HIDDEN=TRUE AUTOSTART=TRUE>\n";
+                echo '<EMBED SRC="'.htmlspecialchars($newmail_media) .
+                    "\" HIDDEN=\"TRUE\" AUTOSTART=\"TRUE\">\n";
             }
             if ($totalNew > 0 && $newmail_popup == 'on') {
                 echo "<SCRIPT LANGUAGE=\"JavaScript\">\n".
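Review bot: The added `htmlspecialchars($newmail_media)` call keeps the value from breaking out of the quoted SRC attribute, but the value is still emitted as a URL with no check on what it points to. If `$newmail_media` comes from a stored user preference (its origin is not visible in this hunk), it should be validated against the expected sound-file locations or allowed URL schemes, either where it is saved or just before this `echo`. A short comment such as `// escaped for HTML only; media path must already be validated` would record that assumption. The call also relies on the default flags, so writing `htmlspecialchars($newmail_media, ENT_QUOTES)` would keep the escaping correct if the attribute quoting is ever changed. The enclosing function starts and ends outside the hunk.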