Improve HTML escaping

[squirrelmail.git] / plugins / newmail / newmail_opt.php

diff --git a/plugins/newmail/newmail_opt.php b/plugins/newmail/newmail_opt.php
index 01197b4f4a4751bb5d4dd93275c6dbac6180594a..d41cb111203d2bc076e8f54791d4cdce61132f42 100644 (file)
--- a/plugins/newmail/newmail_opt.php
+++ b/plugins/newmail/newmail_opt.php
@@ -3,7 +3,7 @@
 /**
  * newmails_opt.php
  *
- * Copyright (c) 1999-2003 The SquirrelMail Project Team
+ * Copyright (c) 1999-2004 The SquirrelMail Project Team
  * Licensed under the GNU GPL. For full terms see the file COPYING.
  *
  * Displays all options relating to new mail sounds
@@ -132,7 +132,8 @@ if ($allowsound == "true") {
             if ($fname == $media) {
                 echo 'selected ';
             }
-            echo 'value="' . $fname . '">' . $entry . "</option>\n";
+            echo 'value="' . htmlspecialchars($fname) . '">' .
+                htmlspecialchars($entry) . "</option>\n";
         }
     }
     $d->close();
@@ -146,7 +147,9 @@ if ($allowsound == "true") {
          '</tr>'.
          html_tag( 'tr', "\n" .
              html_tag( 'td', _("Current File:"), 'right', '', 'nowrap' ) .
-             html_tag( 'td', '<input type="hidden" value="' . $media . '" name="media_default">' . $media . '', 'left' )
+             html_tag( 'td', '<input type="hidden" value="' . 
+                 htmlspecialchars($media) . '" name="media_default">' .
+                 htmlspecialchars($media) . '', 'left' )
          ) . "\n";
     }
          echo html_tag( 'tr', "\n" .
@@ -158,7 +161,7 @@ if ($allowsound == "true") {
                  ) . "\n" .
       '</table>'. "\n" .
    '</form>'. "\n" .
-   '</td></tr></table>'. "\n";
-   noframes_bottom();
+   '</td></tr></table>'. "\n" .
+'</body></html>';
 
-?>
\ No newline at end of file
+?>