X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Faddressbook.php;h=ef4bbdcba9c646e86896906278a469163b754fd2;hb=aff28a6def253492fa3dda7d655a3fb63fa37d4c;hp=214a6f8fd8fb8b51fea2f6a66cea970d6afe5ac6;hpb=4fe67ca69790ddeb9b85be15e2b7a5e9e451ce03;p=squirrelmail.git
diff --git a/src/addressbook.php b/src/addressbook.php
index 214a6f8f..ef4bbdcb 100644
--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -5,7 +5,7 @@
 *
 * Manage personal address book.
 *
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2017 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
@@ -31,6 +31,7 @@ require_once(SM_PATH . 'functions/forms.php');
 /** lets get the global vars we may need */
 /* From the address form */
+sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
 sqgetGlobalVar('addaddr', $addaddr, SQ_POST);
 sqgetGlobalVar('editaddr', $editaddr, SQ_POST);
 sqgetGlobalVar('deladdr', $deladdr, SQ_POST);
@@ -49,8 +50,12 @@ if (!sqGetGlobalVar('show_all', $show_all, SQ_FORM))
 /* Get sorting order */
 $abook_sort_order = get_abook_sort();
-/* Create page header before addressbook_init in order to display error messages correctly. */
-displayPageHeader($color);
+// Create page header before addressbook_init in order to
+// display error messages correctly, unless we might be
+// redirecting the browser to the compose page.
+//
+if ((empty($compose_to)) || sizeof($sel) < 1)
+ displayPageHeader($color);
 /* Open addressbook with error messages on. remote backends (LDAP) are enabled because they can be used. (list_addr function)
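Review bot: `sizeof($sel)` in the new guard `if ((empty($compose_to)) || sizeof($sel) < 1)` is evaluated on a value that arrives straight from the request (the `sqgetGlobalVar` call that fills `$sel` is outside this hunk), so a missing `sel` is null and a scalar `sel` is a string; `sizeof()` warns on those in PHP 7 and throws an uncaught TypeError in PHP 8, aborting the page before the header is decided. `if (empty($compose_to) || !is_array($sel) || count($sel) < 1)` keeps the intended behaviour and tolerates both shapes. This condition also has to stay in step with the fallback `displayPageHeader($color)` added in the `@@ -194,6 +202,9 @@` hunk, because any request that passes this guard without redirecting and without reaching that branch ends with no page header; a one-line comment here naming that fallback, e.g. `// if we end up not redirecting, the header is emitted in the compose_to handler below`, would make the pairing visible to the next maintainer.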
@@ -93,6 +98,9 @@ $form_url = 'addressbook.php';
 /* Handle user's actions */
 if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
+ // first, validate security token
+ sm_validate_security_token($submitted_token, -1, TRUE);
+
 /**************************************************
 * Add new address *
 **************************************************/
@@ -107,7 +115,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 if (!$r) {
 /* Remove backend name from error string */
 $errstr = $abook->error;
- $errstr = ereg_replace('^\[.*\] *', '', $errstr);
+ $errstr = preg_replace('/^\[.*\] */', '', $errstr);
 $formerror = $errstr;
 $showaddrlist = false;
@@ -194,6 +202,9 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 if ($lookup_failed || empty($send_to)) {
 $showaddrlist = true;
 $defselected = $sel;
+
+ // we skipped the page header above for this functionality, so add it here
+ displayPageHeader($color);
 }
@@ -222,7 +233,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 $olddata = $abook->lookup($enick, $ebackend);
 // Test if $olddata really contains anything and return an error message if it doesn't
 if (!$olddata) {
- error_box(nl2br(htmlspecialchars($abook->error)));
+ error_box(nl2br(sm_encode_html_special_chars($abook->error)));
 } else {
 /* Display the "new address" form */
 echo abook_create_form($form_url, 'editaddr',
@@ -244,7 +255,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 /* Handle error messages */
 if (!$r) {
 /* Display error */
- plain_error_message( nl2br(htmlspecialchars($abook->error)));
+ plain_error_message( nl2br(sm_encode_html_special_chars($abook->error)));
 /* Display the "new address" form again */
 echo abook_create_form($form_url, 'editaddr',
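Review bot: The arguments `-1, TRUE` in `sm_validate_security_token($submitted_token, -1, TRUE);` are bare magic values whose meaning a reader of this file cannot recover; the line deserves a comment stating what a validity period of `-1` selects and that the third argument makes the function report the failure and stop rather than return (presumably, from the function's own documentation, so confirm and phrase the comment from that). Because `$submitted_token` defaults to `''` when the field is absent (the `sqgetGlobalVar('smtoken', …, SQ_POST, '')` line in the `@@ -31,6 +31,7 @@` hunk), the protection relies on the validator rejecting an empty string rather than treating it as "no token supplied"; that is worth confirming once, since it is the whole point of the change. Also note that the page header is now skipped when `$compose_to` and `$sel` are set, so if the validator renders an error page on failure, that page is emitted without `displayPageHeader()` having run on the compose path. The `if (... $req_method == 'POST') {` block continues well beyond this hunk.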
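Review bot: The greedy `.*` in `preg_replace('/^\[.*\] */', '', $errstr)` strips everything up to the last `]` on the line, so an error text that itself contains a closing bracket after the backend prefix loses part of its message; the replaced `ereg_replace` had the same behaviour, but since the line is being rewritten anyway, `'/^\[[^\]]*\] */'` confines the removal to the `[backend]` prefix. `preg_replace()` also returns null on a PCRE error, which would then flow into `$formerror` and be silently skipped by the later `!empty($formerror)` check; negligible for this fixed pattern, but a short comment noting the intent (`// strip the leading "[backend] " tag added by the backend`) helps. The enclosing `if (!$r) {` block continues outside the hunk.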
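Review bot: `error_box(nl2br(sm_encode_html_special_chars($abook->error)))` keeps the correct order (escape first, then `nl2br()` inserts the break tags), and the same substitution in the `@@ -244`, `@@ -288` and `@@ -315` hunks follows it; what is not visible here is whether `sm_encode_html_special_chars()` applies `ENT_QUOTES` and the configured charset, which the bare `htmlspecialchars()` default it replaces did not. That is worth confirming in the wrapper, because backend error text may echo submitted input (a database or LDAP message quoting the value that failed), and a wrapper that only forwards the default flags leaves single quotes unescaped. The `if (!$olddata) { … } else {` branch continues beyond the hunk.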
@@ -288,7 +299,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 /* Display error messages */
 if (!empty($formerror)) {
- plain_error_message(nl2br(htmlspecialchars($formerror)));
+ plain_error_message(nl2br(sm_encode_html_special_chars($formerror)));
 }
@@ -315,7 +326,7 @@ while (list($k, $backend) = each ($abook->backends)) {
 $addresses[$backend->bnum] = $a;
 } else {
 // list_addr() returns boolean
- plain_error_message(nl2br(htmlspecialchars($abook->error)));
+ plain_error_message(nl2br(sm_encode_html_special_chars($abook->error)));
 }
 } else {
 $addresses[$backend->bnum] = $a;