- Security: close cross site scripting vulnerability in draft, compose

[squirrelmail.git] / src / webmail.php

diff --git a/src/webmail.php b/src/webmail.php
index c8af2939e7ca39334a479b6cdc98874fa787ebb1..8124e562af6d40fe4607dc73c71c848a5727c9d2 100644 (file)
--- a/src/webmail.php
+++ b/src/webmail.php
@@ -31,8 +31,10 @@ if (!sqgetGlobalVar('mailbox', $mailbox)) {
 
 sqgetGlobalVar('right_frame', $right_frame, SQ_GET);
 
-if(!sqgetGlobalVar('mailto', $mailto)) {
-    $mailto = '';
+if(!sqgetGlobalVar('mailtodata', $mailtodata)) {
+    $mailtourl = 'mailtodata='.urlencode($mailtodata);
+} else {
+    $mailtourl = '';
 }
 
 // Determine the size of the left frame
@@ -95,7 +97,7 @@ switch($right_frame) {
         $right_frame_url = 'folders.php';
         break;
     case 'compose.php':
-        $right_frame_url = 'compose.php?' . $mailto;
+        $right_frame_url = 'compose.php?' . $mailtourl;
         break;
     case '':
         $right_frame_url = 'right_main.php';
@@ -116,4 +118,4 @@ $oTemplate->assign('right_frame_url', $right_frame_url);
 
 $oTemplate->display('webmail.tpl');
 
-$oTemplate->display('footer.tpl');
\ No newline at end of file
+$oTemplate->display('footer.tpl');