$aUid = (isset($msg) && is_array($msg)) ? array_values($msg) : $aUid;
if (count($aUid) && $sButton != 'expunge') {
+ // don't do anything to any messages until we have done security check
+ // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture
+ // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?)
+ sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, '');
+ sm_validate_security_token($submitted_token, 3600, TRUE);
+
// make sure message UIDs are sanitized (BIGINT)
foreach ($aUid as $i => $uid)
$aUid[$i] = (preg_match('/^[0-9]+$/', $uid) ? $uid : '0');
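Review bot: The token check sits inside `if (count($aUid) && $sButton != 'expunge')`, so a request whose button is `expunge` never reaches `sm_validate_security_token()` in this hunk. Expunge changes mailbox state and should get the same anti-CSRF check, unless the branch that handles it already validates the token. That cannot be confirmed here, because the `if` block opens in this hunk and continues past the last visible line. The return value of `sm_validate_security_token($submitted_token, 3600, TRUE)` is also discarded, which is safe only if the third argument makes the helper stop the request on failure. Once that is verified against the helper, I would add a comment such as `// aborts the request on a missing, invalid or expired token (3rd arg TRUE); nothing below runs on failure`. Reading the token from `SQ_POST` with an empty default should make an action submitted by GET fail validation rather than skip it, which is the safe direction for the FIXME about `SQ_FORM`.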