projects / squirrelmail.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cef054e)
fixed problems with subjects with html special chars in it.
authorstekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 24 Feb 2003 18:51:33 +0000 (18:51 +0000)
committerstekkel <stekkel@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Mon, 24 Feb 2003 18:51:33 +0000 (18:51 +0000)
Fix for possible xss holes

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@4542 7612ce4b-ef26-0410-bec9-ea0150e637f0

src/read_body.php patch | blob | blame | history

diff --git a/src/read_body.php b/src/read_body.php
index 7eb195682cfa67618bedd2608213ffb207bc10c7..f16629780bdd26887147ab06fbd1536c9d029a53 100644 (file)
--- a/src/read_body.php
+++ b/src/read_body.php
@@ -368,7 +368,7 @@ function formatRecipientString($recipients, $item ) {
 
         $cnt = count($recipients);
         foreach($recipients as $r) {
 
         $cnt = count($recipients);
         foreach($recipients as $r) {
-            $add = htmlspecialchars($r->getAddress());
+            $add = htmlspecialchars(decodeHeader($r->getAddress()));
             if ($string) {
                 $string .= '<BR>' . $add;
             } else {
             if ($string) {
                 $string .= '<BR>' . $add;
             } else {
@@ -396,11 +396,7 @@ function formatEnvheader($mailbox, $passed_id, $passed_ent_id, $message,
 
     $header = $message->rfc822_header;
     $env = array();
 
     $header = $message->rfc822_header;
     $env = array();
-    if ($squirrelmail_language == 'ja_JP') {
-        $env[_("Subject")] = htmlspecialchars(decodeHeader($header->subject));
-    } else {
-       $env[_("Subject")] = decodeHeader(htmlspecialchars($header->subject));
-    }   
+    $env[_("Subject")] = htmlspecialchars(decodeHeader($header->subject));
     $from_name = $header->getAddr_s('from');
     if (!$from_name) {
         $from_name = $header->getAddr_s('sender');
     $from_name = $header->getAddr_s('from');
     if (!$from_name) {
         $from_name = $header->getAddr_s('sender');
@@ -414,10 +410,10 @@ function formatEnvheader($mailbox, $passed_id, $passed_ent_id, $message,
     $env[_("Cc")] = formatRecipientString($header->cc, "cc");
     $env[_("Bcc")] = formatRecipientString($header->bcc, "bcc");
     if ($default_use_priority) {
     $env[_("Cc")] = formatRecipientString($header->cc, "cc");
     $env[_("Bcc")] = formatRecipientString($header->bcc, "bcc");
     if ($default_use_priority) {
-        $env[_("Priority")] = getPriorityStr($header->priority);
+        $env[_("Priority")] = htmlspecialchars(getPriorityStr($header->priority));
     }
     if ($show_xmailer_default) {
     }
     if ($show_xmailer_default) {
-        $env[_("Mailer")] = htmlentities(decodeHeader($header->xmailer));
+        $env[_("Mailer")] = htmlspecialchars(decodeHeader($header->xmailer));
     }
     if ($default_use_mdn) {
         if ($mdn_user_support) {
     }
     if ($default_use_mdn) {
         if ($mdn_user_support) {
Unnamed repository; edit this file 'description' to name the repository.