X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=include%2Finit.php;h=db0d9e6b12e0a59457e8b82d70b0b597d811ebb7;hb=c6c3ccc42d7115697c1511e75ec5c00a2286e568;hp=2017640db2fe437d07f7ff35fd4bad0a0106d48d;hpb=c0d968010e710870fdfee2f22d7cc9fad370c7a9;p=squirrelmail.git
diff --git a/include/init.php b/include/init.php
index 2017640d..db0d9e6b 100644
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
 *
 * File should be loaded in every file in src/ or plugins that occupate an entire frame
 *
- * @copyright 2006-2012 The SquirrelMail Project Team
+ * @copyright 2006-2017 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
@@ -223,15 +223,17 @@ if (file_exists(SM_PATH . 'config/config_local.php')) {
 /**
 * Set PHP error reporting level based on the SquirrelMail debug mode
+ * E_STRICT = 2048
+ * E_DEPRECATED = 8192
 */
 $error_level = 0;
 if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE)
 $error_level |= E_ERROR;
 if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE || $sm_debug_mode & SM_DEBUG_MODE_ADVANCED)
- $error_level |= E_ALL;
+ $error_level = ($error_level | E_ALL) & ~2048 & ~8192;
 if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
- $error_level |= E_STRICT;
+ $error_level |= 2048 | 8192;
 error_reporting($error_level);
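Review bot: The two changed lines of the error-level block replace named constants with the bare literals 2048 and 8192, so `$error_level = ($error_level | E_ALL) & ~2048 & ~8192;` and `$error_level |= 2048 | 8192;` can only be understood by cross-referencing the doc comment above them. If the literals exist because E_DEPRECATED is undefined on some PHP versions this file still has to parse on (the hunk does not say why), state that in the comment and prefer the engine's own value where it exists, e.g. `$e_deprecated = defined('E_DEPRECATED') ? E_DEPRECATED : 8192;` with the masks built from that. Presumably the old `|= E_ALL` line reported deprecations in moderate/advanced mode on any PHP where E_ALL includes E_DEPRECATED, so this is a behaviour change and deserves a line of its own in the comment, e.g. `// moderate/advanced: everything except E_STRICT and E_DEPRECATED; strict mode adds both back`. The surrounding block is visible in full, but the blank context lines appear to have been lost in rendering.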
@@ -272,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 * or
 * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
 * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
 * QUERY_STRING also needs the same treatment since it is
 * used in php_self().
 * Update again: the encoding of ampersands that occurs
- * using htmlspecialchars() corrupts the query strings
+ * using sm_encode_html_special_chars() corrupts the query strings
 * in normal URIs, so we have to let those through. FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
 */
 if (isset($_SERVER['REQUEST_URI']))
- $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
- $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
- $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 $PHP_SELF = php_self();
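Review bot: The three new assignment lines still HTML-encode `$_SERVER['REQUEST_URI']`, `PHP_SELF` and `QUERY_STRING` at input time and then undo the ampersand encoding, so the FIXME in the comment above stays open after this change: the values are neither raw nor fully encoded, and any later code that places them in an attribute or script on the assumption that they are "already safe" must know that `&` passes through untouched (and, depending on what sm_encode_html_special_chars() does with quotes, possibly other characters as well). I would record that invariant next to the assignments, e.g. `// After this block these three values are HTML-encoded EXCEPT for '&'; callers must still escape for the context they output into (attribute, JS, URL).` As rendered here both arguments of str_replace read `'&'`, which would make it a no-op; presumably the first is an entity lost in rendering, which is worth confirming against the file. Since init.php runs this at include time, the file that defines sm_encode_html_special_chars() has to be loaded above this point, and the hunk does not show that.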