X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=src%2Foptions_order.php;h=aae23f6253fb0ac183301f48fbf8aa58ba22db61;hp=8f081acd3875dd2b164f9216b24aa8453cababcf;hb=c4faef335b2362c81b8ebf026d4066c12d70536c;hpb=876fdb605dcb48b44b5c0a3a6f2f106c941e5c20 diff --git a/src/options_order.php b/src/options_order.php index 8f081acd..aae23f62 100644 --- a/src/options_order.php +++ b/src/options_order.php @@ -4,13 +4,16 @@ * * Displays messagelist column order options * - * @copyright © 1999-2007 The SquirrelMail Project Team + * @copyright 1999-2020 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail * @subpackage prefs */ +/** This is the options_order page */ +define('PAGE_NAME', 'options_order'); + /** * Include the SquirrelMail initialization file. */ @@ -28,7 +31,7 @@ if (sqgetGlobalVar('num', $num, SQ_GET)) { if (!sqgetGlobalVar('method', $method)) { $method = ''; } else { - $method = htmlspecialchars($method); + $method = sm_encode_html_special_chars($method); } if (!sqgetGlobalVar('positions', $pos, SQ_GET)) { $pos = 0; @@ -43,7 +46,7 @@ if (!sqgetGlobalVar('account', $account, SQ_GET)) { } if (sqgetGlobalVar('mailbox', $mailbox, SQ_GET)) { - $aMailboxPrefs = unserialize(getPref($data_dir, $username, "pref_".$iAccount.'_'.urldecode($mailbox))); + $aMailboxPrefs = unserialize(getPref($data_dir, $username, "pref_".$iAccount.'_'.$mailbox)); if (isset($aMailboxPrefs[MBX_PREF_COLUMNS])) { $index_order = $aMailboxPrefs[MBX_PREF_COLUMNS]; } @@ -142,6 +145,7 @@ if (count($index_order) != count($available)) { } } +// FIXME: why are we using this? $PHP_SELF is already a global var processed (and therefore trustworthy) by init.php sqgetGlobalVar('PHP_SELF', $PHP_SELF, SQ_SERVER); $x = isset($mailbox) && $mailbox ? '&mailbox='.urlencode($mailbox) : ''; 
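Review bot: In the `@@ -28,7 +31,7 @@` hunk, `$method` is HTML-encoded the moment it is read, which applies an output-context escape to an input variable whose later uses lie outside this hunk. If `$method` only selects an action, checking it against the fixed values this page emits (`move` and `remove` appear in the links built further down) and resetting anything else to `''` would be stricter than encoding, and escaping can then happen where the value is actually written into HTML. At minimum I would add a comment above the assignment: `// $method is HTML-encoded here; re-encode for any other context (URL, header) before reuse`.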
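Review bot: In the `@@ -43,7 +46,7 @@` hunk the preference key is still built from the request parameter `mailbox`, and the stored string goes straight into `unserialize()`, whose result is then indexed without a type check. If the preference store can ever hold a value written by the user or another component, this is an object-instantiation sink. Where the supported PHP floor allows it, `unserialize($sPref, array('allowed_classes' => false))` (with `$sPref` holding the `getPref()` result) followed by `if (is_array($aMailboxPrefs) && isset($aMailboxPrefs[MBX_PREF_COLUMNS]))` closes it and also covers the `false` returned for a missing or corrupt preference. The key uses `$iAccount` while the hunk header shows `$account` being read; the assignment of `$iAccount` is outside this hunk, so it is worth confirming it is always set before this line.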
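Review bot: The FIXME added in the `@@ -142,6 +145,7 @@` hunk documents the concern but leaves `sqgetGlobalVar('PHP_SELF', $PHP_SELF, SQ_SERVER)` in place, so the server-supplied value still overwrites whatever init.php prepared. That value can carry request-controlled path data, and the `@@ -150,6 +154,7 @@` hunk concatenates it into the `move_up`, `move_down` and `remove` URLs handed to the template. Whether `options_order.tpl` escapes them is not visible here. If the comment's claim about init.php holds, deleting the re-read resolves the first FIXME. The second can be handled by choosing the separator from the value, e.g. `$sep = (strpos($PHP_SELF, '?') === false) ? '?' : '&';`, and using `$sep` in place of the literal `?` in each link.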
@@ -150,6 +154,7 @@ $oTemplate->assign('current_order', $index_order); $oTemplate->assign('not_used', $opts); $oTemplate->assign('always_show', array(SQM_COL_SUBJ, SQM_COL_FLAGS)); +// FIXME: (related to the above) $PHP_SELF might already have a query string... don't assume otherwise here by adding the ? sign!! $oTemplate->assign('move_up', $PHP_SELF .'?method=move&positions=-1'. $x .'&num='); $oTemplate->assign('move_down', $PHP_SELF .'?method=move&positions=1'. $x .'&num='); $oTemplate->assign('remove', $PHP_SELF .'?method=remove'. $x .'&num='); @@ -159,4 +164,3 @@ $oTemplate->assign('addField_action', $PHP_SELF); $oTemplate->display('options_order.tpl'); $oTemplate->display('footer.tpl'); -?>