*
* Manage personal address book.
*
- * @copyright © 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2017 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
/** lets get the global vars we may need */
/* From the address form */
+sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
sqgetGlobalVar('addaddr', $addaddr, SQ_POST);
sqgetGlobalVar('editaddr', $editaddr, SQ_POST);
sqgetGlobalVar('deladdr', $deladdr, SQ_POST);
/* Handle user's actions */
if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
+ // first, validate security token
+ sm_validate_security_token($submitted_token, -1, TRUE);
+
/**************************************************
* Add new address *
**************************************************/
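Review bot: The `-1` and `TRUE` arguments to the new `sm_validate_security_token($submitted_token, -1, TRUE)` call are opaque at the call site, and the comment above it does not explain them; I would expand it to something like `// reject the request unless the POSTed smtoken is valid (-1: validity period setting, TRUE: abort with an error instead of returning)`, adjusting the two parenthetical meanings to what the helper actually implements. Placing the check as the first statement of the POST branch is the right spot, since `addaddr`/`editaddr`/`deladdr` are only acted on inside that branch; the rest of that branch lies outside the hunk, so I could not confirm nothing runs before it. The check only works if every form that posts here carries the `smtoken` field — presumably `abook_create_form`, called later in this file, already emits it, but that is worth confirming, as otherwise every add/edit/delete submission would now be refused.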
if (!$r) {
/* Remove backend name from error string */
$errstr = $abook->error;
- $errstr = ereg_replace('^\[.*\] *', '', $errstr);
+ $errstr = preg_replace('/^\[.*\] */', '', $errstr);
$formerror = $errstr;
$showaddrlist = false;
$olddata = $abook->lookup($enick, $ebackend);
// Test if $olddata really contains anything and return an error message if it doesn't
if (!$olddata) {
- error_box(nl2br(htmlspecialchars($abook->error)));
+ error_box(nl2br(sm_encode_html_special_chars($abook->error)));
} else {
/* Display the "new address" form */
echo abook_create_form($form_url, 'editaddr',
/* Handle error messages */
if (!$r) {
/* Display error */
- plain_error_message( nl2br(htmlspecialchars($abook->error)));
+ plain_error_message( nl2br(sm_encode_html_special_chars($abook->error)));
/* Display the "new address" form again */
echo abook_create_form($form_url, 'editaddr',
/* Display error messages */
if (!empty($formerror)) {
- plain_error_message(nl2br(htmlspecialchars($formerror)));
+ plain_error_message(nl2br(sm_encode_html_special_chars($formerror)));
}
$addresses[$backend->bnum] = $a;
} else {
// list_addr() returns boolean
- plain_error_message(nl2br(htmlspecialchars($abook->error)));
+ plain_error_message(nl2br(sm_encode_html_special_chars($abook->error)));
}
} else {
$addresses[$backend->bnum] = $a;