X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Foptions_identities.php;h=aada8abe7034a995659b1f056ee4ede7b8bac633;hb=9ae70b623b5bda18ee4b60d9481d49d057b2f508;hp=f4d8eb9a775a5faaa70aa9dda49fd038eb596557;hpb=d4e46166df04792c6b939356ea5dfda8e47bba7b;p=squirrelmail.git

diff --git a/src/options_identities.php b/src/options_identities.php
index f4d8eb9a..aada8abe 100644
--- a/src/options_identities.php
+++ b/src/options_identities.php
@@ -5,7 +5,7 @@
  *
  * Display Identities Options
  *
- * @copyright © 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2014 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -23,6 +23,7 @@ require('../include/init.php');
 
 /* SquirrelMail required files. */
 require_once(SM_PATH . 'functions/identity.php');
+require_once(SM_PATH . 'functions/forms.php');
 
 /* make sure that page is not available when $edit_identity is false */
 if (!$edit_identity) {
@@ -37,10 +38,14 @@ if (!sqgetGlobalVar('identities', $identities, SQ_SESSION)) {
 sqgetGlobalVar('newidentities', $newidentities, SQ_POST);
 sqgetGlobalVar('smaction', $smaction, SQ_POST);
 sqgetGlobalVar('return', $return, SQ_POST);
+sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
 
 // First lets see if there are any actions to perform //
 if (!empty($smaction) && is_array($smaction)) {
 
+    // first do a security check
+    sm_validate_security_token($submitted_token, -1, TRUE);
+
     $doaction = '';
     $identid = 0;
 
@@ -75,10 +80,10 @@ foreach ($identities as $key=>$ident) {
     $a['Title'] = $key==0 ? _("Default Identity") : sprintf(_("Alternate Identity %d"), $key);
     $a['New'] = false;
     $a['Default'] = $key==0;
-    $a['FullName'] = htmlspecialchars($ident['full_name']);
-    $a['Email'] = htmlspecialchars($ident['email_address']);
-    $a['ReplyTo'] = htmlspecialchars($ident['reply_to']);
-    $a['Signature'] = htmlspecialchars($ident['signature']);
+    $a['FullName'] = sm_encode_html_special_chars($ident['full_name']);
+    $a['Email'] = sm_encode_html_special_chars($ident['email_address']);
+    $a['ReplyTo'] = sm_encode_html_special_chars($ident['reply_to']);
+    $a['Signature'] = sm_encode_html_special_chars($ident['signature']);
     $i[$key] = $a;
 }
 
@@ -93,7 +98,8 @@ $a['Signature'] = '';
 $i[count($i)] = $a;
 
 //FIXME: NO HTML IN THE CORE
-echo '<form name="f" action="options_identities.php" method="post">' . "\n";
+echo '<form name="f" action="options_identities.php" method="post">' . "\n"
+   . addHidden('smtoken', sm_generate_security_token()) . "\n";
 
 $oTemplate->assign('identities', $i);
 $oTemplate->display('options_advidentity_list.tpl');
@@ -111,7 +117,7 @@ $oTemplate->display('footer.tpl');
 /**
  * Returns html formated identity form fields
  *
- * Contains options_identities_buttons and option_identities_table hooks.
+ * Contains options_identities_buttons and options_identities_table hooks.
  * Before 1.4.5/1.5.1 hooks were placed in ShowTableInfo() function.
  * In 1.1.3-1.4.1 they were called in do_hook function with two or
  * three arguments. Since 1.4.1 hooks are called in concat_hook_function.
@@ -189,7 +195,7 @@ function ShowIdentityInfo($title, $identity, $id ) {
  * Creates html formated table row with input field
  * @param string $title Name displayed next to input field
  * @param string $name Name of input field
- * @param string $data Default value of input field (data is sanitized with htmlspecialchars)
+ * @param string $data Default value of input field (data is sanitized with sm_encode_html_special_chars)
  * @param string $bgcolor html attributes added to row element (tr)
  * @return string html formated table row with text input field
  * @since 1.2.0 (arguments differ since 1.4.5/1.5.1)
@@ -201,7 +207,7 @@ function sti_input( $title, $name, $data, $bgcolor ) {
     $str = '';
     $str .= '<tr' . $bgcolor . ">\n";
     $str .= '  <td style="white-space: nowrap;text-align:right;">' . $title . ' </td>' . "\n";
-    $str .= '  <td> <input type="text" name="' . $name . '" size="50" value="'. htmlspecialchars($data) . '" /> </td>' . "\n";
+    $str .= '  <td> <input type="text" name="' . $name . '" size="50" value="'. sm_encode_html_special_chars($data) . '" /> </td>' . "\n";
     $str .= '</tr>';
 
     return $str;
@@ -212,7 +218,7 @@ function sti_input( $title, $name, $data, $bgcolor ) {
  * Creates html formated table row with textarea field
  * @param string $title Name displayed next to textarea field
  * @param string $name Name of textarea field
- * @param string $data Default value of textarea field  (data is sanitized with htmlspecialchars)
+ * @param string $data Default value of textarea field  (data is sanitized with sm_encode_html_special_chars)
  * @param string $bgcolor html attributes added to row element (tr)
  * @return string html formated table row with textarea
  * @since 1.2.5 (arguments differ since 1.4.5/1.5.1)
@@ -224,7 +230,7 @@ function sti_textarea( $title, $name, $data, $bgcolor ) {
     $str = '';
     $str .= '<tr' . $bgcolor . ">\n";
     $str .= '  <td style="white-space: nowrap;text-align:right;">' . $title . ' </td>' . "\n";
-    $str .= '  <td> <textarea name="' . $name . '" cols="50" rows="5">'. htmlspecialchars($data) . '</textarea> </td>' . "\n";
+    $str .= '  <td> <textarea name="' . $name . '" cols="50" rows="5">'. sm_encode_html_special_chars($data) . '</textarea> </td>' . "\n";
     $str .= '</tr>';
 
     return $str;