X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=include%2Finit.php;h=f6f300b69930d5c094904e187eb6b9002633999b;hp=eb5336537b8b8486fb4cc736edc2817727762792;hb=8ed1923822b383ddb338e9eef75bb7f110cc47b4;hpb=3f55fe04a3f2093e0dc89b83fb3b3c42b16000cd
diff --git a/include/init.php b/include/init.php
index eb533653..f6f300b6 100644
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
 *
 * File should be loaded in every file in src/ or plugins that occupate an entire frame
 *
- * @copyright 2006-2012 The SquirrelMail Project Team
+ * @copyright 2006-2019 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
@@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 * or
 * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
 * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
 * QUERY_STRING also needs the same treatment since it is
 * used in php_self().
 * Update again: the encoding of ampersands that occurs
- * using htmlspecialchars() corrupts the query strings
+ * using sm_encode_html_special_chars() corrupts the query strings
 * in normal URIs, so we have to let those through. FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
 */
 if (isset($_SERVER['REQUEST_URI']))
- $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
- $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
- $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 $PHP_SELF = php_self();
@@ -693,6 +693,9 @@ switch (PAGE_NAME) {
 $set_up_langage_after_template_setup = TRUE;
 $timeZone = getPref($data_dir, $username, 'timezone');
+ global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds;
+ list($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds)
+ = explode('::', date('T::O::Z'));
 /* Check to see if we are allowed to set the TZ environment variable.
 * We are able to do this if ...
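Review bot: The FIXME on the comment line just above `*/` is still open after this change: the three `str_replace(..., sm_encode_html_special_chars(...))` assignments write HTML-encoded text back into `$_SERVER`, so every later consumer of REQUEST_URI, PHP_SELF and QUERY_STRING receives entity-encoded data that looks like raw input. Restoring only the ampersand cannot reintroduce a raw `<`, `>`, `"` or `'` (those become other entities the revert does not touch), so an HTML sink stays inert; the concrete hazard is a consumer that encodes the value again (double encoding) or uses it in a non-HTML context such as a redirect header or a log line, and whether single quotes are covered at all depends on the flags `sm_encode_html_special_chars()` passes, which are not visible here. I would close the FIXME with a comment stating that contract, e.g. `* NOTE: from here on these $_SERVER values are HTML-encoded (only '&' is restored); do not encode them again on output and do not use them in headers or redirects.` As rendered here the first `str_replace` argument reads `'&'`, which would make the call a no-op; presumably it is the ampersand entity and was decoded during rendering, which is worth confirming against the file. The doc comment that opens this hunk begins outside it.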