XSS Fixes, i18n team might want to test various languages out to verify
authorjangliss <jangliss@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 5 Feb 2004 05:00:49 +0000 (05:00 +0000)
committerjangliss <jangliss@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 5 Feb 2004 05:00:49 +0000 (05:00 +0000)
it doesn't break stuff.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6511 7612ce4b-ef26-0410-bec9-ea0150e637f0

ChangeLog
src/compose.php

index 4c8d38114eb94ba15afa708d6a3cd8f2169ce569..de4cb754fb9535029a4885d7f372cb5756d7f9dc 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
 Version 1.5.1 -- CVS
 --------------------
   - New reply citation to include date and author.
+  - XSS fix.
+
 
 Version 1.5.0
 --------------------
index 8e65706a74ea55ee1617e81d1522e1af59e39a0d..ca8374b9db17366a316938d741c5728d3dde4253 100644 (file)
@@ -53,11 +53,21 @@ sqgetGlobalVar('mailbox',$mailbox);
 if(!sqgetGlobalVar('identity',$identity)) {
     $identity=0;
 }
-sqgetGlobalVar('send_to',$send_to);
-sqgetGlobalVar('send_to_cc',$send_to_cc);
-sqgetGlobalVar('send_to_bcc',$send_to_bcc);
-sqgetGlobalVar('subject',$subject);
-sqgetGlobalVar('body',$body);
+if (sqgetGlobalVar('send_to',$send_to)) {
+    $send_to = decodeHeader($send_to);
+}
+if (sqgetGlobalVar('send_to_cc',$send_to_cc)) {
+    $send_to_cc = decodeHeader($send_to_cc);
+}
+if (sqgetGlobalVar('send_to_bcc',$send_to_bcc)) {
+    $send_to_bcc = decodeHeader($send_to_bcc);
+}
+if (sqgetGlobalVar('subject',$subject)) {
+    $subject = decodeHeader($subject);
+}
+if (sqgetGlobalVar('body',$body)) {
+    $body = decodeHeader($body);
+}
 sqgetGlobalVar('mailprio',$mailprio);
 sqgetGlobalVar('request_mdn',$request_mdn);
 sqgetGlobalVar('request_dr',$request_dr);
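Review bot: The escaping is done at the input boundary, so the new `$send_to`, `$subject` and `$body` values carry whatever decodeHeader() does to them into every later use, not only into the form markup this commit is protecting; its exact contract is not visible here, but if the same variables are used further down compose.php (outside this hunk) to assemble the outgoing message, an entity-escaped subject or body would be sent verbatim, and a body that happens to contain an `=?charset?...?=` token would be MIME-decoded even though a message body is not a header — presumably the i18n concern the commit message raises. A safer shape keeps the raw request values here and escapes at the point of output, e.g. `value="<?php echo htmlspecialchars($subject, ENT_QUOTES); ?>"`, reserving decodeHeader() for values that really are RFC 2047 headers. The three reads at the end of the hunk (`mailprio`, `request_mdn`, `request_dr`) still take the request value unchanged; if they are echoed into the form, normalizing them here (`$mailprio = (int) $mailprio;`, and likewise for the two flags) closes the same gap without depending on string escaping at all.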