* shown can be given as parameters. If the user is not logged in
* this file will verify username and password.
*
- * @copyright © 1999-2005 The SquirrelMail Project Team
+ * @copyright © 1999-2006 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
$err=set_up_language(getPref($data_dir, $username, 'language'));
-$output = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Frameset//EN\">\n".
+$output = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Frameset//EN\"\n".
+ " \"http://www.w3.org/TR/1999/REC-html401-19991224/frameset.dtd\">\n".
"<html><head>\n" .
"<meta name=\"robots\" content=\"noindex,nofollow\">\n" .
"<title>$org_title</title>\n".
*
* This was done to create a pure HTML way of refreshing the folder list since
* we would like to use as little Javascript as possible.
+ *
+ * The test for // should catch any attempt to include off-site webpages into
+ * our frameset.
*/
-if (empty($right_frame) || (strpos(urldecode($right_frame), '://'))) {
+if (empty($right_frame) || (strpos(urldecode($right_frame), '//') !== false)) {
$right_frame = '';
}
-if ($right_frame == 'right_main.php') {
- $urlMailbox = urlencode($mailbox);
- $right_frame_url = "right_main.php?mailbox=$urlMailbox"
- . (!empty($sort)?"&sort=$sort":'')
- . (!empty($startMessage)?"&startMessage=$startMessage":'');
-} elseif ($right_frame == 'options.php') {
- $right_frame_url = 'options.php';
-} elseif ($right_frame == 'folders.php') {
- $right_frame_url = 'folders.php';
-} elseif ($right_frame == 'compose.php') {
- $right_frame_url = 'compose.php?' . $mailto;
-} else if ($right_frame == '') {
- $right_frame_url = 'right_main.php';
+if ( strpos($right_frame,'?') ) {
+ $right_frame_file = substr($right_frame,0,strpos($right_frame,'?'));
} else {
- $right_frame_url = htmlspecialchars($right_frame);
+ $right_frame_file = $right_frame;
}
+switch($right_frame) {
+ case 'right_main.php':
+ $right_frame_url = "right_main.php?mailbox=".urlencode($mailbox)
+ . (!empty($sort)?"&sort=$sort":'')
+ . (!empty($startMessage)?"&startMessage=$startMessage":'');
+ break;
+ case 'options.php':
+ $right_frame_url = 'options.php';
+ break;
+ case 'folders.php':
+ $right_frame_url = 'folders.php';
+ break;
+ case 'compose.php':
+ $right_frame_url = 'compose.php?' . $mailto;
+ break;
+ case '':
+ $right_frame_url = 'right_main.php';
+ break;
+ default:
+ $right_frame_url = urlencode($right_frame);
+ break;
+}
+
$left_frame = '<frame src="left_main.php" name="left" frameborder="1" title="'.
_("Folder List") ."\" />\n";
$right_frame = '<frame src="'.$right_frame_url.'" name="right" frameborder="1" title="'.
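Review bot: `$sort` and `$startMessage` are concatenated raw into `$right_frame_url` in the `right_main.php` case, and `$right_frame_url` is then written into the frame's `src` attribute without `htmlspecialchars()`, so the attribute-injection path that the `urlencode()` in `default` closes stays open through those two values (and through `$mailto` in the `compose.php` case). If they are taken from the request, as the names suggest, cast the numeric ones, `. (!empty($sort)?'&sort='.(int)$sort:'')` and `. (!empty($startMessage)?'&startMessage='.(int)$startMessage:'')`, and make sure `$mailto` is already URL- and attribute-safe where it is built, or escape `$right_frame_url` once at the point the frame tag is assembled. Separately, `$right_frame_file` is computed from the part of `$right_frame` before `?` but never read: the `switch` tests `$right_frame`, so any value carrying a query string falls to `default` and is url-encoded as a whole, which looks unintended — either `switch($right_frame_file)` or drop the dead assignment. The `strpos($right_frame,'?')` test also lacks `!== false`, so a value starting with `?` is treated as having no query. Where `$sort`, `$startMessage` and `$mailto` are assigned is outside the hunk.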
?>
</frameset>
-</html>
\ No newline at end of file
+</html>