Fixes XSS bug in mailbox_display with malicious From: headers.
authortassium <tassium@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 23 Jan 2003 22:12:26 +0000 (22:12 +0000)
committertassium <tassium@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 23 Jan 2003 22:12:26 +0000 (22:12 +0000)
Thanks to sailfrog for finding this one!

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@4462 7612ce4b-ef26-0410-bec9-ea0150e637f0

functions/mailbox_display.php

index 8861f11c0fac82b6eb857a314bec295e19f6720f..f5cdda6182c33496985a8a15bc3939e276fcc052 100644 (file)
@@ -155,7 +155,7 @@ function printMessageInfo($imapConnection, $t, $not_last=true, $key, $mailbox,
                 break;
             case 2: /* from */
                 echo html_tag( 'td',
-                               $italic . $bold . $flag . $fontstr . $senderName .
+                               $italic . $bold . $flag . $fontstr . htmlentities($senderName) .
                                $fontstr_end . $flag_end . $bold_end . $italic_end,
                                'left',
                                $hlt_color );
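Review bot: The new `htmlentities($senderName)` on line 18 uses the default quote mode, so a single quote in a sender name is still passed through unescaped; whether that matters depends on how html_tag() quotes its output, which is not visible here, so the safer form is `htmlentities($senderName, ENT_QUOTES)`. No character set is passed either, so a name in an encoding other than the runtime default may be mangled or only partially escaped; htmlspecialchars() with ENT_QUOTES and the mailbox's display charset (a project-specific value not shown in this hunk) is usually preferable, since it escapes only the HTML-significant characters and leaves the rest of the text intact. The `case 2:` branch is complete within the hunk, but printMessageInfo continues outside it, and $senderName may be emitted in other branches or attributes of the same row where the same escaping would be needed; this hunk covers only the from column.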