based templates.
- Added footer template to every page.
- Added experimental IMAP and SMTP STARTTLS extension support.
-
+ - Security: Fix possible cross site scripting through the right_main
+ parameter of webmail.php. This now uses a whitelist of acceptable
+ values. [CVE-2006-0188]
Version 1.5.0 - 2 February 2004
-------------------------------
$right_frame = '';
}
-if ($right_frame == 'right_main.php') {
- $urlMailbox = urlencode($mailbox);
- $right_frame_url = "right_main.php?mailbox=$urlMailbox"
+switch($right_frame) {
+ case 'right_main.php':
+ $right_frame_url = "right_main.php?mailbox=".urlencode($mailbox)
. (!empty($sort)?"&sort=$sort":'')
. (!empty($startMessage)?"&startMessage=$startMessage":'');
-} elseif ($right_frame == 'options.php') {
- $right_frame_url = 'options.php';
-} elseif ($right_frame == 'folders.php') {
- $right_frame_url = 'folders.php';
-} elseif ($right_frame == 'compose.php') {
- $right_frame_url = 'compose.php?' . $mailto;
-} else if ($right_frame == '') {
- $right_frame_url = 'right_main.php';
-} else {
- $right_frame_url = htmlspecialchars($right_frame);
-}
+ break;
+ case 'options.php':
+ $right_frame_url = 'options.php';
+ break;
+ case 'folders.php':
+ $right_frame_url = 'folders.php';
+ break;
+ case 'compose.php':
+ $right_frame_url = 'compose.php?' . $mailto;
+ break;
+ case '':
+ $right_frame_url = 'right_main.php';
+ break;
+ default:
+ $right_frame_url = urlencode($right_frame);
+ break;
+}
$left_frame = '<frame src="left_main.php" name="left" frameborder="1" title="'.
_("Folder List") ."\" />\n";
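Review bot: The `right_main.php` case (the two continuation lines after `urlencode($mailbox)`) and the `compose.php` case still concatenate `$sort`, `$startMessage` and `$mailto` into `$right_frame_url` without encoding, so the change only neutralises the `default:` branch. Where those variables are populated and where `$right_frame_url` is written into the frameset are outside the hunk, so this may already be handled; if they come from the request, encode them like `$mailbox`, e.g. `"&sort=".urlencode($sort)` and `"&startMessage=".urlencode($startMessage)`, and escape `$mailto` for the context it is emitted in. The `default:` branch is also not the strict whitelist the ChangeLog entry describes, because any unlisted value is still used as the frame source after `urlencode()`. Either add a comment such as `// unlisted targets are url-encoded so they cannot carry markup or a URL scheme`, or fall back to `'right_main.php'` if no caller needs other targets.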