Avoid XSS silliness in the calendar plugin
authortassium <tassium@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 23 Jan 2003 20:57:39 +0000 (20:57 +0000)
committertassium <tassium@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Thu, 23 Jan 2003 20:57:39 +0000 (20:57 +0000)
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@4460 7612ce4b-ef26-0410-bec9-ea0150e637f0

plugins/calendar/calendar_data.php
plugins/calendar/event_create.php

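--- a/plugins/calendar/calendar_data.php
+++ b/plugins/calendar/calendar_data.php
@@ -35,8 +35,8 @@ function readcalendardata() {
             while ($fdata = fgetcsv ($fp, 4096, '|')) {
                 $calendardata[$fdata[0]][$fdata[1]] = array( 'length' => $fdata[2],
                                                             'priority' => $fdata[3],
-                                                            'title' => $fdata[4],
-                                                            'message' => $fdata[5],
+                                                            'title' => htmlentities($fdata[4],ENT_NOQUOTES),
+                                                            'message' => htmlentities($fdata[5],ENT_NOQUOTES),
                                                             'reminder' => $fdata[6] );
             }
             fclose ($fp);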
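Review bot: `htmlentities()` is called without its charset argument on the added `title` and `message` lines, so it assumes ISO-8859-1; for any other configured charset every high byte becomes a Latin-1 entity and non-Latin-1 text in the calendar file is garbled on display. `htmlspecialchars($fdata[4], ENT_NOQUOTES)` closes the same injection path, since it only rewrites `&`, `<` and `>`, without that side effect; the same applies to the two changed lines in event_create.php. Escaping at read time also means `$calendardata` now carries HTML-encoded strings rather than the file's raw content, so any caller that escapes again on output, or writes an entry back through the editing path, will double-encode unless it is adjusted; a comment at the `$calendardata[...] = array(` line such as `// title/message are stored HTML-escaped here; do not escape them again on output` would make that contract visible. The body of readcalendardata() begins and ends outside the hunk.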
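--- a/plugins/calendar/event_create.php
+++ b/plugins/calendar/event_create.php
@@ -186,11 +186,11 @@ if(!isset($event_text)){
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Title:"), 'right', $color[4] ) . "\n" .
-                    html_tag( 'td', $event_title, 'left', $color[4] ) . "\n"
+                    html_tag( 'td', htmlentities($event_title,ENT_NOQUOTES), 'left', $color[4] ) . "\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Message:"), 'right', $color[4] ) . "\n" .
-                    html_tag( 'td', $event_text, 'left', $color[4] ) . "\n"
+                    html_tag( 'td', htmlentities($event_text,ENT_NOQUOTES), 'left', $color[4] ) . "\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td',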
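Review bot: `ENT_NOQUOTES` is sufficient on the two changed `html_tag( 'td', ...)` lines only because the values are emitted as element content; `$event_title` and `$event_text` appear to be request-supplied (the hunk header's `if(!isset($event_text))` suggests they arrive from the form), and a confirmation page of this kind presumably re-emits them in hidden form fields elsewhere in the file, where a `"` inside the value would terminate the attribute. Those sites need `htmlspecialchars($event_title, ENT_QUOTES)` rather than the no-quotes form, and a short comment next to these lines, `// element content only: attribute contexts need ENT_QUOTES`, would keep the distinction from being lost on the next edit. Factoring the escaping into one helper shared with calendar_data.php would also make the flag choice in one place. The enclosing concatenation statement starts and ends outside the hunk.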