From 926573422f513a929d952e5d8599150b32291aa3 Mon Sep 17 00:00:00 2001
From: kink
Date: Wed, 15 Jun 2005 21:12:08 +0000
Subject: [PATCH] Fix serveral cross site scripting bugs found by Martijn Brinkers and ourselves. Part 1/2, patch to magicHTML will follow. This is CAN-2005-1769.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9610 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
plugins/filters/options.php | 4 ++--
plugins/filters/spamoptions.php | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/filters/options.php b/plugins/filters/options.php
index c4e97451..bc3cb1b0 100644
--- a/plugins/filters/options.php
+++ b/plugins/filters/options.php
@@ -187,7 +187,7 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) { html_tag( 'td', '', 'left' ) . ''. ''.
@@ -260,4 +260,4 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) { ) , 'center', '', 'width="80%" border="0" cellpadding="2" cellspacing="0"' ); echo '';
-?>
\ No newline at end of file
+?>
diff --git a/plugins/filters/spamoptions.php b/plugins/filters/spamoptions.php
index c2ab0b0c..2db4dff2 100644
--- a/plugins/filters/spamoptions.php
+++ b/plugins/filters/spamoptions.php
@@ -179,7 +179,7 @@ if (isset($action) && $action == 'spam') { echo html_tag( 'p', '', 'center' ) . '[' . _("Edit") . ']' . ' - [' . _("Done") . ']

'; - printf( _("Spam is sent to %s."), ($filters_spam_folder?''.imap_utf7_decode_local($filters_spam_folder).'':'['._("not set yet").']' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); echo '
'; printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' ); echo '

'.
@@ -216,4 +216,4 @@ if (isset($action) && $action == 'spam') { echo ''; } ?>
-
\ No newline at end of file
+ -- 2.25.1
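Review bot: The new `printf` line in this hunk escapes the decoded folder name with `htmlspecialchars()` using default arguments, so the quote handling and charset come from the interpreter's defaults (no `ENT_QUOTES`, and a charset that may not match what `imap_utf7_decode_local()` produces). That is sufficient for element text content, but the markup around the `%s` is not visible in this rendering, so it cannot be confirmed the value never lands in an attribute; passing the flag explicitly removes the dependency, e.g. `htmlspecialchars(imap_utf7_decode_local($filters_spam_folder), ENT_QUOTES)`. The enclosing `if (isset($action) && $action == 'spam')` block starts and ends outside the hunk. The changed lines of the options.php hunk at `@@ -187` are not recoverable from this rendering, so the escaping there could not be reviewed.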