*
* File should be loaded in every file in src/ or plugins that occupate an entire frame
*
- * @copyright © 2006 The SquirrelMail Project Team
+ * @copyright 2006-2012 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
/**
* Set PHP error reporting level based on the SquirrelMail debug mode
+ * E_STRICT = 2048
+ * E_DEPRECATED = 8192
*/
$error_level = 0;
if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE)
$error_level |= E_ERROR;
if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE
|| $sm_debug_mode & SM_DEBUG_MODE_ADVANCED)
- $error_level |= E_ALL;
+ $error_level = ($error_level | E_ALL) & ~2048 & ~8192;
if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
- $error_level |= E_STRICT;
+ $error_level |= 2048 | 8192;
error_reporting($error_level);
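Review bot: The new lines `$error_level = ($error_level | E_ALL) & ~2048 & ~8192;` and `$error_level |= 2048 | 8192;` replace the named constant the removed line used with bare literals, so a reader now has to trust the header comment to know which bits are being toggled. `E_STRICT` is already usable here (the removed line referenced it), so only `E_DEPRECATED` needs a fallback, presumably for PHP builds that predate it; `$strict_bits = E_STRICT | (defined('E_DEPRECATED') ? E_DEPRECATED : 8192);` and then `& ~$strict_bits` / `|= $strict_bits` keeps the intent visible without depending on the magic numbers. If the literal is deliberate for a minimum-PHP reason, a one-line comment saying so next to the first use would be enough.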
* htmlspecialchars() is the preferred method.
* QUERY_STRING also needs the same treatment since it is
* used in php_self().
- */
-$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
-$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
$PHP_SELF = php_self();
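Review bot: As shown, the three added lines call `str_replace('&', '&', htmlspecialchars(...))`, whose needle and replacement are identical, so the ampersand "de-sanitizing" the comment describes does not actually happen; if the intended needle is the `&amp;` entity (which may have been lost in this rendering), it should read `str_replace('&amp;', '&', htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES))` for each of the three entries. On the FIXME: reverting `&amp;` leaves the stored value neither raw nor fully HTML-escaped — an attacker-supplied `&lt;` or `&quot;` in the URI comes back out unchanged, and any later code that escapes again will double-encode — but `<`, `>` and `"` stay encoded, so text and double-quoted-attribute injection remains blocked; the gap is that `htmlspecialchars()` with its default flags does not encode `'` on the PHP versions this targets, so a single-quoted attribute context is still exposed unless `ENT_QUOTES` is passed. Longer term, mutating `$_SERVER` globally is the fragile part; escaping at each output site per context would remove the need for this compromise. This hunk's context may continue past `$PHP_SELF = php_self();`.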