html_tag( 'td', '', 'center', $color[4] ) .
'<FORM ACTION="folders_rename_do.php" METHOD="POST">'.
_("New name:").
- "<br><B>$old_parent $delimiter </B><INPUT TYPE=TEXT SIZE=25 NAME=new_name VALUE=\"$old_name\"><BR>\n";
+ '<br><b>' . htmlspecialchars($old_parent) . ' ' . htmlspecialchars($delimiter) . '</b>' .
+ '<INPUT TYPE="TEXT" SIZE="25" NAME="new_name" VALUE="' . htmlspecialchars($old_name) . '"><BR>' . "\n";
if ( $isfolder ) {
echo '<INPUT TYPE=HIDDEN NAME="isfolder" VALUE="true">';
}
-printf("<INPUT TYPE=HIDDEN NAME=\"orig\" VALUE=\"%s\">\n", $old);
-printf("<INPUT TYPE=HIDDEN NAME=\"old_name\" VALUE=\"%s\">\n", $old_name);
+printf("<INPUT TYPE=HIDDEN NAME=\"orig\" VALUE=\"%s\">\n", htmlspecialchars($old));
+printf("<INPUT TYPE=HIDDEN NAME=\"old_name\" VALUE=\"%s\">\n", htmlspecialchars($old_name));
echo '<INPUT TYPE=SUBMIT VALUE="'._("Submit")."\">\n".
'</FORM><BR></td></tr></table>';
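Review bot: The `htmlspecialchars()` calls on the added lines rely on the function's default flags and charset, which differ between PHP versions, so whether a single quote is escaped and how a folder name with bytes invalid in the default charset is handled depends on the runtime. Every escaped value lands in element text or a double-quoted attribute, so the default escaping does close the injection this commit targets; passing the arguments explicitly, e.g. `htmlspecialchars($old_name, ENT_QUOTES, $page_charset)` with `$page_charset` standing for whatever charset this page is served in, makes that independent of the runtime. Escaping protects only this page's output: `orig` and `old_name` come back from the browser as ordinary POST fields, so `folders_rename_do.php` (not shown) presumably still has to validate them itself rather than trust what this form emitted. The `echo` statement these lines belong to starts above the hunk.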