Happy New Year
[squirrelmail.git] / src / addressbook.php
index 3a7977f9c4a75819e963145c4f1a1b5751fee258..90d95dd9b80880fd27a97dbaff5ac6c75bfca0cd 100644 (file)
@@ -5,7 +5,7 @@
  *
  * Manage personal address book.
  *
- * @copyright © 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -31,6 +31,7 @@ require_once(SM_PATH . 'functions/forms.php');
 /** lets get the global vars we may need */
 
 /* From the address form */
+sqgetGlobalVar('smtoken',       $submitted_token, SQ_POST, '');
 sqgetGlobalVar('addaddr',       $addaddr,       SQ_POST);
 sqgetGlobalVar('editaddr',      $editaddr,      SQ_POST);
 sqgetGlobalVar('deladdr',       $deladdr,       SQ_POST);
@@ -97,6 +98,9 @@ $form_url = 'addressbook.php';
 /* Handle user's actions */
 if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') {
 
+    // first, validate security token
+    sm_validate_security_token($submitted_token, -1, TRUE);
+
     /**************************************************
      * Add new address                                *
      **************************************************/
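Review bot: The result of `sm_validate_security_token()` is discarded on the new line inside the POST branch, so the whole CSRF check depends on the TRUE third argument making the helper terminate the request on a missing or mismatched token; if that argument only renders the error and returns, every add/edit/delete action below still runs. An explicit guard removes that dependency on the helper's internals: `if (!sm_validate_security_token($submitted_token, -1, TRUE)) { exit; }`. The two positional arguments also deserve a word, since `-1` and `TRUE` say nothing to a reader: `// CSRF check: -1 = accept tokens regardless of age (confirm in strings.php), TRUE = show an error page and stop on mismatch`. The `$submitted_token` read defaults to `''` (earlier hunk), so a missing field reaches the check as an empty token rather than an undefined variable, which is the right behaviour. The enclosing `if` block continues well past this hunk.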
@@ -111,7 +115,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
         if (!$r) {
             /* Remove backend name from error string */
             $errstr = $abook->error;
-            $errstr = ereg_replace('^\[.*\] *', '', $errstr);
+            $errstr = preg_replace('/^\[.*\] */', '', $errstr);
 
             $formerror = $errstr;
             $showaddrlist = false;
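Review bot: The ported pattern `'/^\[.*\] */'` keeps the greedy `.*`, so an error message that itself contains a `]` after the backend-name prefix loses everything up to the last `]` on that line; `'/^\[[^\]]*\] */'` stops at the first closing bracket and strips only the prefix. The port also changes one thing silently: PCRE's `.` does not cross a newline unless the `s` modifier is given, whereas the old POSIX `ereg` `.` could, so a multi-line `$abook->error` (the file passes these through `nl2br()` elsewhere, which suggests they exist) is handled slightly differently — probably harmless, but a short comment such as `// strip the leading "[backend] " prefix; PCRE '.' stays on the first line` would record the intent. The enclosing `if (!$r)` block begins before the hunk.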
@@ -229,7 +233,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
                         $olddata = $abook->lookup($enick, $ebackend);
                         // Test if $olddata really contains anything and return an error message if it doesn't
                         if (!$olddata) {
-                            error_box(nl2br(htmlspecialchars($abook->error)));
+                            error_box(nl2br(sm_encode_html_special_chars($abook->error)));
                         } else {
                             /* Display the "new address" form */
                             echo abook_create_form($form_url, 'editaddr',
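Review bot: The replacement `nl2br(sm_encode_html_special_chars($abook->error))` is now written out five times in this file (this hunk and the three that follow, plus the `$formerror` display), which makes it easy for a future edit to escape one site differently from the rest. A one-line helper near the top of the file keeps the HTML-escaping decision in one place, e.g. `function abook_error_html($msg) { return nl2br(sm_encode_html_special_chars($msg)); }`, with each site becoming `error_box(abook_error_html($abook->error));` or `plain_error_message(abook_error_html($formerror));`. The escaping order itself is correct: encoding before `nl2br()` keeps the inserted `<br />` tags intact while neutralising anything in the backend's message. The surrounding `if`/`else` belongs to a block that starts and ends outside the hunk.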
@@ -251,7 +255,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
                     /* Handle error messages */
                     if (!$r) {
                         /* Display error */
-                        plain_error_message( nl2br(htmlspecialchars($abook->error)));
+                        plain_error_message( nl2br(sm_encode_html_special_chars($abook->error)));
 
                         /* Display the "new address" form again */
                         echo abook_create_form($form_url, 'editaddr',
@@ -295,7 +299,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 
 /* Display error messages */
 if (!empty($formerror)) {
-    plain_error_message(nl2br(htmlspecialchars($formerror)));
+    plain_error_message(nl2br(sm_encode_html_special_chars($formerror)));
 }
 
 
@@ -322,7 +326,7 @@ while (list($k, $backend) = each ($abook->backends)) {
             $addresses[$backend->bnum] = $a;
         } else {
             // list_addr() returns boolean
-            plain_error_message(nl2br(htmlspecialchars($abook->error)));
+            plain_error_message(nl2br(sm_encode_html_special_chars($abook->error)));
         }
     } else {
         $addresses[$backend->bnum] = $a;