X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=include%2Finit.php;fp=include%2Finit.php;h=fd769df75106a8c1db3a897b1613427903d75b7a;hp=eb5336537b8b8486fb4cc736edc2817727762792;hb=3047e291f2982efe9501ec790faafd3da843d22d;hpb=ffa9cc0ed8a813c3009a2aa03cde7f883f4bed32
diff --git a/include/init.php b/include/init.php
index eb533653..fd769df7 100644
--- a/include/init.php
+++ b/include/init.php
@@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * or
  * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
  * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
  * Update again: the encoding of ampersands that occurs
- * using htmlspecialchars() corrupts the query strings
+ * using sm_encode_html_special_chars() corrupts the query strings
  * in normal URIs, so we have to let those through. FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
  */
 if (isset($_SERVER['REQUEST_URI']))
-    $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
-    $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
-    $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 $PHP_SELF = php_self();