addrsrch_fullname is already fetched by load_prefs.php

[squirrelmail.git] / include / init.php

diff --git a/include/init.php b/include/init.php
index 763674b8154945a4b8760690683ccf34a4da82da..2e88d7776f7a2b9be08d402191318f3bdcef442b 100644 (file)
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
  *
  * File should be loaded in every file in src/ or plugins that occupate an entire frame
  *
- * @copyright 2006-2009 The SquirrelMail Project Team
+ * @copyright 2006-2011 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -275,9 +275,17 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * htmlspecialchars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
- */
-$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
-$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();