From 4e16023756d809ccfee02e1c7743c90ac7ba9d0f Mon Sep 17 00:00:00 2001
From: itsbruce <itsbruce@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Mon, 5 Aug 2002 14:04:46 +0000
Subject: [PATCH] Fixes to properly escape awkward characters in e-mail
 addresses etc.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3255 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 src/addrbook_search.php      | 8 ++++----
 src/addrbook_search_html.php | 6 +++---
 src/addressbook.php          | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/addrbook_search.php b/src/addrbook_search.php
index 5fe1045a..7fd7ee8e 100644
--- a/src/addrbook_search.php
+++ b/src/addrbook_search.php
@@ -108,7 +108,7 @@ function display_result($res, $includesource = true) {
     
     while (list($undef, $row) = each($res)) {
         $tr_bgcolor = '';
-        $email = addslashes(AddressBook::full_address($row));
+        $email = htmlspecialchars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES);
         if ($line % 2) { $tr_bgcolor = $color[0]; }
         echo html_tag( 'tr', '', '', $tr_bgcolor, 'nowrap' ) .
         html_tag( 'td',
@@ -119,12 +119,12 @@ function display_result($res, $includesource = true) {
              '<a href="javascript:bcc_address(' . 
                                  "'" . $email . "');\">Bcc</A></small>",
         'center', '', 'valign="top" width="5%" nowrap' ) .
-        html_tag( 'td', '&nbsp;' . $row['name'], 'left', '', 'valign="top" nowrap' ) .
+        html_tag( 'td', '&nbsp;' . htmlspecialchars($row['name']), 'left', '', 'valign="top" nowrap' ) .
         html_tag( 'td', '&nbsp;' .
              '<a href="javascript:to_and_close(' .
-                 "'" . $email . "');\">" . $row['email'] . '</A>'
+                 "'" . $email . "');\">" . htmlspecialchars($row['email']) . '</A>'
         , 'left', '', 'valign="top"' ) .
-        html_tag( 'td', $row['label'], 'left', '', 'valign="top" nowrap' );
+        html_tag( 'td', htmlspecialchars($row['label']), 'left', '', 'valign="top" nowrap' );
         if ($includesource) {
             echo html_tag( 'td', '&nbsp;' . $row['source'], 'left', '', 'valign="top" nowrap' );
         }
diff --git a/src/addrbook_search_html.php b/src/addrbook_search_html.php
index 1e71b23d..54de9f8f 100644
--- a/src/addrbook_search_html.php
+++ b/src/addrbook_search_html.php
@@ -110,9 +110,9 @@ if ($javascript_on) {
              '<input type=checkbox name="send_to_search[B' . $line . ']" value = "' .
              htmlspecialchars($email) . '">&nbsp;' . _("Bcc") . '&nbsp;' ,
         'center', '', 'width="5%" nowrap' ) .
-        html_tag( 'td', '&nbsp;' . $row['name'] . '&nbsp;', 'left', '', 'nowrap' ) .
-        html_tag( 'td', '&nbsp;' . $row['email'] . '&nbsp;', 'left', '', 'nowrap' ) .
-        html_tag( 'td', '&nbsp;' . $row['label'] . '&nbsp;', 'left', '', 'nowrap' );
+        html_tag( 'td', '&nbsp;' . htmlspecialchars($row['name']) . '&nbsp;', 'left', '', 'nowrap' ) .
+        html_tag( 'td', '&nbsp;' . htmlspecialchars($row['email']) . '&nbsp;', 'left', '', 'nowrap' ) .
+        html_tag( 'td', '&nbsp;' . htmlspecialchars($row['label']) . '&nbsp;', 'left', '', 'nowrap' );
 
          if ($includesource) {
              echo html_tag( 'td', '&nbsp;' . $row['source'] . '&nbsp;', 'left', '', 'nowrap' );
diff --git a/src/addressbook.php b/src/addressbook.php
index 86007d51..9f8e039e 100644
--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -339,8 +339,8 @@ if ($showaddrlist) {
             else {
                 echo '<A HREF="compose.php?send_to=' . rawurlencode($email).'">';
             }
-            echo $row['email'] . '</A>&nbsp;</td>'."\n".
-            html_tag( 'td', '&nbsp;' . $row['label'] . '&nbsp;', 'left', '', 'valign="top" width="1%"' ) .
+            echo htmlspecialchars($row['email']) . '</A>&nbsp;</td>'."\n".
+            html_tag( 'td', '&nbsp;' . htmlspecialchars($row['label']) . '&nbsp;', 'left', '', 'valign="top" width="1%"' ) .
             "</tr>\n";
             $line++;
         }
-- 
2.25.1