Improve HTML escaping

[squirrelmail.git] / plugins / newmail / setup.php

diff --git a/plugins/newmail/setup.php b/plugins/newmail/setup.php
index b8a3e65e1e10b6c2e72ec9ab467111d1d5ed919c..12bd65f75679a6926ce1cdd25ec2bedee2a7375c 100644 (file)
--- a/plugins/newmail/setup.php
+++ b/plugins/newmail/setup.php
@@ -23,6 +23,11 @@
     * too (with a plugin).
     *
     * $Id$
+    * @package plugins
+    * @subpackage newmail
+    */
+
+    /**
     */
     include_once(SM_PATH . 'functions/display_messages.php');
 
@@ -73,9 +78,8 @@
        // Gets added to the user's OPTIONS page.
        global $optpage_blocks;
 
-       if ( !soupNazi() ) {
-
-           /* Register Squirrelspell with the $optionpages array. */
+       if ( checkForJavascript() ) {
+       /* Register Squirrelspell with the $optionpages array. */
            $optpage_blocks[] = array(
                'name' => _("NewMail Options"),
                'url'  => SM_PATH . 'plugins/newmail/newmail_opt.php',
@@ -211,7 +215,8 @@
             }
 
             if ($totalNew > 0 && $newmail_enable == 'on' && $newmail_media != '' ) {
-                echo "<EMBED SRC=\"$newmail_media\" HIDDEN=TRUE AUTOSTART=TRUE>\n";
+                echo '<EMBED SRC="'.htmlspecialchars($newmail_media) .
+                    "\" HIDDEN=\"TRUE\" AUTOSTART=\"TRUE\">\n";
             }
             if ($totalNew > 0 && $newmail_popup == 'on') {
                 echo "<SCRIPT LANGUAGE=\"JavaScript\">\n".