Fix XSS problem with unsanitized style tags in messages [CVE-2011-2023]

[squirrelmail.git] / src / addrbook_search_html.php

diff --git a/src/addrbook_search_html.php b/src/addrbook_search_html.php
index 0322132feb0dc6d29b79dd3b7593c6f1918ae86f..2342391d373663e85b0e925b37dcd3c7d18fb46a 100644 (file)
--- a/src/addrbook_search_html.php
+++ b/src/addrbook_search_html.php
@@ -6,7 +6,7 @@
  *
  * This file is included from compose.php
  *
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2011 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -42,15 +42,19 @@ sqgetGlobalVar('backend',   $backend,   SQ_POST);
  * Insert hidden data
  */
 function addr_insert_hidden() {
-    global $body, $subject, $send_to, $send_to_cc, $send_to_bcc, $mailbox,
-           $request_mdn, $request_dr, $identity, $session;
+    global $body, $subject, $send_to, $send_to_cc, $send_to_bcc, $mailbox, $mailprio,
+           $request_mdn, $request_dr, $identity, $session, $composeMessage;
 
+//FIXME Do not echo HTML from the core.  This file already uses templates mostly, so why are we echoing here at all?!?
    if (substr($body, 0, 1) == "\r") {
        echo addHidden('body', "\n".$body);
    } else {
        echo addHidden('body', $body);
    }
 
+   if (is_object($composeMessage) && $composeMessage->entities)
+       echo addHidden('attachments', urlencode(serialize($composeMessage->entities)));
+
    echo addHidden('session', $session).
         addHidden('subject', $subject).
         addHidden('send_to', $send_to).
@@ -74,11 +78,12 @@ function addr_display_result($res, $includesource = true) {
     global $PHP_SELF, $oTemplate, $oErrorHandler;
     
 
-    echo addForm($PHP_SELF, 'post', 'addressbook').
+//FIXME: no HTML output from core
+    echo addForm($PHP_SELF, 'post', 'addressbook', '', '', array(), TRUE).
          addHidden('html_addr_search_done', 'true');
     addr_insert_hidden();
     
-    $oTemplate->assign('use_js', false);
+    $oTemplate->assign('compose_addr_pop', false);
     $oTemplate->assign('include_abook_name', $includesource);
     $oTemplate->assign('addresses', formatAddressList($res));
     
@@ -110,7 +115,7 @@ if (isset($session)) {
     echo addHidden('session', $session);
 }
 
-$oTemplate->assign('use_js', false);
+$oTemplate->assign('compose_addr_pop', false);
 $oTemplate->assign('backends', getBackends());
 
 $oTemplate->display('addressbook_search_form.tpl');
@@ -166,8 +171,9 @@ if ($addrquery == '' || ! empty($listall)) {
 }
 
 if ($addrquery == '' || sizeof($res) == 0) {
+//FIXME don't echo HTML from core -- especially convoluted given that there is template code immediately above AND below this block
     echo '<div style="text-align: center;">'.
-        addForm('compose.php','post','k');
+        addForm('compose.php','post','k', '', '', array(), TRUE);
     addr_insert_hidden();
     echo '<input type="submit" value="' . _("Return") . '" name="return" />' . "\n" .
          '</form></div></nobr>';