*
* Prints the page header (duh)
*
- * @copyright 1999-2010 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
}
global $custom_css, $pageheader_sent, $theme, $theme_default, $text_direction,
$default_fontset, $chosen_fontset, $default_fontsize, $chosen_fontsize,
- $chosen_theme, $chosen_theme_path, $user_themes, $user_theme_default;
+ $chosen_theme, $chosen_theme_path, $user_themes, $user_theme_default,
+ $head_tag_extra;
// add no cache headers here
//
//$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
$oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
+ // prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+ $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+ $header_tags = '<script type="text/javascript" language="JavaScript">'
+ . "\n<!--\n"
+ . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+ . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+ . sqm_baseuri() . 'src/signout.php"; top.location = "'
+ . sqm_baseuri() . 'src/signout.php" } }'
+ . "\n// -->\n</script>\n";
+
$oTemplate->assign('frames', $frames);
$oTemplate->assign('lang', $squirrelmail_language);
- $header_tags = '';
+ $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n"
- $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
+ // For adding a favicon or anything else that should be inserted in *ALL* <head> for *ALL* documents,
+ // define $head_tag_extra in config/config_local.php
+ // The string "###SM BASEURI###" will be replaced with the base URI for this SquirrelMail installation.
+ // When not defined, a default is provided that displays the default favicon.ico.
+ // If you override this and still want to use the default favicon.ico, you'll have to include the following
+ // following in your $head_tag_extra string:
+ // $head_tag_extra = '<link rel="shortcut icon" href="###SM BASEURI###favicon.ico" />...<YOUR CONTENT HERE>...';
+ //
+ . (empty($head_tag_extra) ? '<link rel="shortcut icon" href="' . sqm_baseuri() . 'favicon.ico" />'
+ : str_replace('###SM BASEURI###', sqm_baseuri(), $head_tag_extra));
$used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);
$used_fontsize = (!empty($chosen_fontsize) ? $chosen_fontsize : $default_fontsize);
* this explains the imap_mailbox.php dependency. We should instead store
* the selected mailbox in the session and fallback to the session var.
*/
- $shortBoxName = htmlspecialchars(imap_utf7_decode_local(
+ $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local(
readShortMailboxName($mailbox, $delimiter)));
if (getPref($data_dir, $username, 'translate_special_folders')) {
global $sent_folder, $trash_folder, $draft_folder;