Happy New Year

[squirrelmail.git] / src / options_highlight.php

diff --git a/src/options_highlight.php b/src/options_highlight.php
index 872a5cdc9524453689e2f5fc20d76dd4ade344ae..7b2751a2143952991091a58c80b1cb4661caf4fb 100644 (file)
--- a/src/options_highlight.php
+++ b/src/options_highlight.php
@@ -5,7 +5,7 @@
  *
  * Displays message highlighting options
  *
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2018 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -32,6 +32,7 @@ sqGetGlobalVar('newcolor_input', $newcolor_input);
 sqGetGlobalVar('color_type', $color_type);
 sqGetGlobalVar('match_type', $match_type);
 sqGetGlobalVar('value', $value);
+sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, '');
 
 /* end of get globals */
 
@@ -52,6 +53,10 @@ if (! isset($message_highlight_list)) {
 if (isset($theid) && ($action == 'delete') ||
                      ($action == 'up')     ||
                      ($action == 'down')) {
+
+    // security check
+    sm_validate_security_token($submitted_token, -1, TRUE);
+
     $new_rules = array();
     switch($action) {
         case('delete'):
@@ -86,6 +91,9 @@ if (isset($theid) && ($action == 'delete') ||
     exit;
 } else if ($action == 'save') {
 
+    // security check
+    sm_validate_security_token($submitted_token, -1, TRUE);
+
     if ($color_type == 1) $newcolor = $newcolor_choose;
     elseif ($color_type == 2) $newcolor = $newcolor_input;
     else $newcolor = $color_type;
@@ -116,10 +124,10 @@ $rules = array();
 foreach($message_highlight_list as $index=>$rule) {
     $a = array();
     
-    $a['Name'] = htmlspecialchars($rule['name']);
+    $a['Name'] = sm_encode_html_special_chars($rule['name']);
     $a['Color'] = $rule['color'];
     $a['MatchField'] = '';
-    $a['MatchValue'] = htmlspecialchars($rule['value']);
+    $a['MatchValue'] = sm_encode_html_special_chars($rule['value']);
     switch ($rule['match_type']) {
             case 'from' :
                 $a['MatchField'] = _("From");
@@ -143,11 +151,13 @@ foreach($message_highlight_list as $index=>$rule) {
 
 $oTemplate->assign('current_rules', $rules);
 
+$token = sm_generate_security_token();
+
 $oTemplate->assign('add_rule', 'options_highlight.php?action=add');
 $oTemplate->assign('edit_rule', 'options_highlight.php?action=edit&theid=');
-$oTemplate->assign('delete_rule', 'options_highlight.php?action=delete&theid=');
-$oTemplate->assign('move_up', 'options_highlight.php?action=up&theid=');
-$oTemplate->assign('move_down', 'options_highlight.php?action=down&theid=');
+$oTemplate->assign('delete_rule', 'options_highlight.php?action=delete&smtoken=' . $token . '&theid=');
+$oTemplate->assign('move_up', 'options_highlight.php?action=up&smtoken=' . $token . '&theid=');
+$oTemplate->assign('move_down', 'options_highlight.php?action=down&smtoken=' . $token . '&theid=');
 
 $oTemplate->display('options_highlight_list.tpl');
 
@@ -336,7 +346,7 @@ if ($action == 'edit' || $action == 'add') {
     $oTemplate->assign('color_radio', ($selected_choose ? 1 : ($selected_input ? 2 : 0)));
     $oTemplate->assign('color_input', ($selected_input ? $color : ''));
     
-    echo addForm('options_highlight.php', 'post', 'f').
+    echo addForm('options_highlight.php', 'post', 'f', '', '', array(), TRUE).
          addHidden('action', 'save');
     if($action == 'edit') {
         echo addHidden('theid', (isset($theid)?$theid:''));