From 39898b7d44155bf32e329815bad1533cf903e575 Mon Sep 17 00:00:00 2001
From: jangliss
Date: Thu, 5 Feb 2004 05:00:49 +0000
Subject: [PATCH] XSS Fixes, i18n team might want to test various languages out to verify it doesn't break stuff.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@6511 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog       |  2 ++
 src/compose.php | 20 +++++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4c8d3811..de4cb754 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@ Version 1.5.1 -- CVS
 --------------------
   - New reply citation to include date and author.
 
+  - XSS fix.
+
 Version 1.5.0
 --------------------
 
diff --git a/src/compose.php b/src/compose.php
index 8e65706a..ca8374b9 100644
--- a/src/compose.php
+++ b/src/compose.php
@@ -53,11 +53,21 @@ sqgetGlobalVar('mailbox',$mailbox);
 if(!sqgetGlobalVar('identity',$identity)) {
     $identity=0;
 }
-sqgetGlobalVar('send_to',$send_to);
-sqgetGlobalVar('send_to_cc',$send_to_cc);
-sqgetGlobalVar('send_to_bcc',$send_to_bcc);
-sqgetGlobalVar('subject',$subject);
-sqgetGlobalVar('body',$body);
+if (sqgetGlobalVar('send_to',$send_to)) {
+    $send_to = decodeHeader($send_to);
+}
+if (sqgetGlobalVar('send_to_cc',$send_to_cc)) {
+    $send_to_cc = decodeHeader($send_to_cc);
+}
+if (sqgetGlobalVar('send_to_bcc',$send_to_bcc)) {
+    $send_to_bcc = decodeHeader($send_to_bcc);
+}
+if (sqgetGlobalVar('subject',$subject)) {
+    $subject = decodeHeader($subject);
+}
+if (sqgetGlobalVar('body',$body)) {
+    $body = decodeHeader($body);
+}
 sqgetGlobalVar('mailprio',$mailprio);
 sqgetGlobalVar('request_mdn',$request_mdn);
 sqgetGlobalVar('request_dr',$request_dr);
-- 
2.25.1
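Review bot: The compose.php hunk neutralises the XSS by rewriting the request values at input time with decodeHeader(), but the same $send_to/$subject/$body variables are presumably both echoed back into the compose form and used to build the outgoing message, so escaping here instead of at the echo sites risks the HTML-encoded text (if decodeHeader applies its HTML-safe encoding by default, as it appears to elsewhere in the codebase) leaking into sent mail or being double-encoded on display. decodeHeader() is also a header decoder: a literal `=?charset?q?...?=` sequence typed into the body would be interpreted as an RFC 2047 encoded-word and altered, which is the kind of i18n breakage the commit message itself anticipates. The more robust fix is to keep these values raw and apply `htmlspecialchars($value, ENT_QUOTES)` at each point where they are written into form attributes or the textarea, so the escaping matches the output context. Whichever approach stays, the five new blocks deserve a comment stating the intent, e.g. `// XSS: request values are decoded/escaped here because they are re-displayed in the compose form`. The surrounding script continues outside the hunk, so the echo sites are not visible here.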