$string = "<b><font color=$color[2]>\n" .
_("ERROR : Could not complete request.") .
"</b><br>\n" .
- _("Query:") .
- $query . '<br>' .
+ _("Query:") . ' ' .
+ htmlspecialchars($query) . '<br>' .
_("Reason Given: ") .
- $message . "</font><br>\n";
+ htmlspecialchars($message) . "</font><br>\n";
error_box($string,$color);
exit;
}
$string = "<b><font color=$color[2]>\n" .
_("ERROR : Bad or malformed request.") .
"</b><br>\n" .
- _("Query:") .
- $query . '<br>' .
+ _("Query:") . ' '.
+ htmlspecialchars($query) . '<br>' .
_("Server responded: ") .
- $message . "</font><br>\n";
+ htmlspecialchars($message) . "</font><br>\n";
error_box($string,$color);
exit;
}
if (!$hide) {
if ($response != 'NO') {
/* "BAD" and anything else gets reported here. */
+ $message = htmlspecialchars($message);
set_up_language($squirrelmail_language, true);
require_once(SM_PATH . 'functions/display_messages.php');
if ($response == 'BAD') {
_("ERROR : Could not complete request.") .
'</b><br>' .
_("Unknown response from IMAP server: ") . ' 1.' .
- $r[0] . "</font><br>\n";
+ htmlspecialchars($r[0]) . "</font><br>\n";
} else if (! isset($id2index[$regs[1]]) || !count($id2index[$regs[1]])) {
set_up_language($squirrelmail_language);
echo '<br><b><font color=$color[2]>' .
_("ERROR : Could not complete request.") .
'</b><br>' .
_("Unknown message number in reply from server: ") .
- $regs[1] . "</font><br>\n";
+ htmlspecialchars($regs[1]) . "</font><br>\n";
} else {
$read_list[$id2index[$regs[1]]] = $r;
}
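Review bot: The `echo '<br><b><font color=$color[2]>'` line in this branch is a single-quoted string, so the browser receives the literal text `$color[2]` rather than the colour value; the same construction appears in the following hunk (the `$regs[2]` branch). Both should concatenate the value, `echo '<br><b><font color="' . $color[2] . '">' .`, as the double-quoted `"<b><font color=$color[2]>\n"` form earlier in the patch already does. The `htmlspecialchars($regs[1])` added on the new side is the right escaping for element content. The if/else chain this hunk belongs to begins before it.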
_("ERROR : Could not complete request.") .
'</b><br>' .
_("Unknown response from IMAP server: ") . ' 1.' .
- $r[0] . "</font><br>\n";
+ htmlspecialchars($r[0]) . "</font><br>\n";
} else if (! isset($id2index[$regs[2]]) || !count($id2index[$regs[2]])) {
set_up_language($squirrelmail_language);
echo '<br><b><font color=$color[2]>' .
_("ERROR : Could not complete request.") .
'</b><br>' .
_("Unknown message number in reply from server: ") .
- $regs[2] . "</font><br>\n";
+ htmlspecialchars($regs[2]) . "</font><br>\n";
} else {
$read_list[$id2index[$regs[2]]] = $r;
$unique_id = $regs[2];
$subject = _("(no subject)");
$from = _("Unknown Sender");
$priority = 0;
- $messageid = "<>";
- $cc = "";
- $to = "";
- $date = "";
- $type[0] = "";
- $type[1] = "";
- $inrepto = "";
+ $messageid = '<>';
+ $cc = '';
+ $to = '';
+ $date = '';
+ $type[0] = '';
+ $type[1] = '';
+ $inrepto = '';
$flag_seen = false;
$flag_answered = false;
$flag_deleted = false;
$tmpdate = str_replace(' ',' ',$tmpdate);
$tmpdate = explode(' ',$tmpdate);
$date = str_replace('-',' ',$tmpdate[0]) . " " .
- $tmpdate[1] . " " .
+ $tmpdate[1] . ' ' .
$tmpdate[2];
}
}
if (strstr($errors,'* SEARCH')) {
return array();
}
- echo "<!-- $errors -->";
+ echo '<!-- '.htmlspecialchars($errors) .' -->';
}
$mailbox = $_GET['mailbox'];
if (isset($_GET['saved_draft'])) {
- $saved_draft = $_GET['saved_draft'];
+ $saved_draft = urlencode($_GET['saved_draft']);
}
if (isset($_GET['mail_sent'])) {
- $mail_sent = $_GET['mail_sent'];
+ $mail_sent = urlencode($_GET['mail_sent']);
}
-$sort = $_GET['sort'];
-$startMessage = $_GET['startMessage'];
+$sort = (int) $_GET['sort'];
+$startMessage = (int) $_GET['startMessage'];
if(isset($_GET['where'])) {
- $where = $_GET['where'];
+ $where = urlencode($_GET['where']);
}
if(isset($_GET['what'])) {
- $what = $_GET['what'];
+ $what = urlencode($_GET['what']);
}
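Review bot: The new `(int)` casts on `$_GET['sort']` and `$_GET['startMessage']` are applied without the `isset()` guard that `saved_draft`, `mail_sent`, `where` and `what` get in the same block, so a request lacking either key still raises an undefined-index notice and now silently yields `0`; `$sort = isset($_GET['sort']) ? (int) $_GET['sort'] : 0;` keeps the cast and removes the notice. The four string parameters are URL-encoded at the point they are read rather than where they are emitted, which protects the `Location:` header built further down, but any other use of these variables in this file (display, passing to the search form) would now see percent-encoded text — worth confirming against the rest of the file. The narrower change is to leave the variables raw and encode where the header is built, `header("Location: $location/compose.php?mail_sent=" . urlencode($mail_sent) . '&saved_draft=' . urlencode($saved_draft));`, matching what the old code already did for `where`/`what`.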
$imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
$location = get_location();
if (isset($where) && isset($what)) {
- header("Location: $location/search.php?where=" . urlencode($where) .
- '&what=' . urlencode($what) . '&mailbox=' . urlencode($mailbox));
+ header("Location: $location/search.php?where=" . $where .
+ '&what=' . $what . '&mailbox=' . urlencode($mailbox));
} else {
if (!empty($saved_draft) || !empty($mail_sent)) {
header("Location: $location/compose.php?mail_sent=$mail_sent&saved_draft=$saved_draft");
$username = $_SESSION['username'];
$onetimepad = $_SESSION['onetimepad'];
$mailbox = $_GET['mailbox'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
$ent_id = $_GET['ent_id'];
$messages = $_SESSION['messages'];
-if (isset($_GET['passed_ent_id'])) {
- $passed_ent_id = $_GET['passed_ent_id'];
-} else {
- $passed_ent_id = '';
-}
if (isset($_GET['absolute_dl'])) {
$absolute_dl = $_GET['absolute_dl'];
}
if (strlen($filename) < 1) {
- $filename = "untitled$ent_id.$suffix";
+ $filename = 'untitled'.strip_tags($ent_id).$suffix;
} else {
$filename = "$filename.$suffix";
}
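Review bot: The rewritten `$filename` line drops the `.` separator between the entity id and the suffix: the original `"untitled$ent_id.$suffix"` produced e.g. `untitled2.txt`, whereas `'untitled'.strip_tags($ent_id).$suffix` produces `untitled2txt` (the `else` branch two lines down still inserts the dot explicitly). It should read `$filename = 'untitled' . strip_tags($ent_id) . '.' . $suffix;`. `strip_tags()` only removes markup; if this filename is later placed in a `Content-Disposition` header, quote and CR/LF characters in `$ent_id` still pass through, so validating `$ent_id` against the entity-id shape (digits and dots) where it is read from `$_GET` would be the more robust check than stripping tags here. The `$passed_ent_id` initialisation removed above leaves that name undefined if anything further down in this file still reads it — not visible in this hunk, please confirm.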
/* globals */
$mailbox = $_GET['mailbox'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
$ent_id = $_GET['ent_id'];
$QUERY_STRING = $_SERVER['QUERY_STRING'];
/* end globals */
'<B><CENTER>' .
_("Viewing an image attachment") . " - ";
-$msg_url = 'read_body.php?' . $QUERY_STRING;
+$msg_url = 'read_body.php?' . urlencode(strip_tags(urldecode($QUERY_STRING)));
$msg_url = set_url_var($msg_url, 'ent_id', 0);
echo '<a href="'.$msg_url.'">'. _("View message") . '</a>';
$DownloadLink = '../src/download.php?passed_id=' . $passed_id .
'&mailbox=' . urlencode($mailbox) .
- '&ent_id=' . $ent_id . '&absolute_dl=true';
+ '&ent_id=' . urlencode($ent_id) . '&absolute_dl=true';
echo '</b></td></tr>' . "\n" .
'<tr><td align=center><A HREF="' . $DownloadLink . '">' .
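Review bot: `urlencode(strip_tags(urldecode($QUERY_STRING)))` encodes the whole query string, including its `&` and `=` separators, so the rebuilt `read_body.php?` link carries one mangled parameter instead of the original ones, and `set_url_var($msg_url, 'ent_id', 0)` on the next line then operates on that mangled string. The same construction is added in the later "Viewing a Business Card" hunk. The value ends up inside an `href` attribute, so the appropriate protection is attribute escaping at output: keep `$msg_url = 'read_body.php?' . $QUERY_STRING;` and change the link line to `echo '<a href="' . htmlspecialchars($msg_url) . '">' . _("View message") . '</a>';`. The `echo` that starts on the last line of this hunk continues past it.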
$username = $_SESSION['username'];
$onetimepad = $_SESSION['onetimepad'];
-$passed_ent_id = $_GET['passed_ent_id'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
$mailbox = $_GET['mailbox'];
/* end globals */
/* get those globals into gear */
$passed_ent_id = $_GET['passed_ent_id'];
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
$mailbox = $_GET['mailbox'];
/* end globals */
echo "<frameset rows=\"60, *\" noresize border=\"0\">\n".
"<frame src=\"printer_friendly_top.php\" name=\"top_frame\" scrolling=\"no\">".
'<frame src="printer_friendly_bottom.php?passed_ent_id='.
- $passed_ent_id . '&mailbox=' . urlencode($mailbox) .
+ urlencode($passed_ent_id) . '&mailbox=' . urlencode($mailbox) .
'&passed_id=' . $passed_id .
"\" name=\"bottom_frame\">".
"</frameset>\n".
$delimiter = $_SESSION['delimiter'];
if (isset($_GET['passed_id'])) {
- $passed_id = $_GET['passed_id'];
+ $passed_id = (int) $_GET['passed_id'];
}
elseif (isset($_POST['passed_id'])) {
- $passed_id = $_POST['passed_id'];
+ $passed_id = (int) $_POST['passed_id'];
}
if (isset($_GET['passed_ent_id'])) {
}
if (isset($_GET['sort'])) {
- $sort = $_GET['sort'];
+ $sort = (int) $_GET['sort'];
}
elseif (isset($_POST['sort'])) {
- $sort = $_POST['sort'];
+ $sort = (int) $_POST['sort'];
}
if (isset($_GET['startMessage'])) {
- $startMessage = $_GET['startMessage'];
+ $startMessage = (int) $_GET['startMessage'];
}
elseif (isset($_POST['startMessage'])) {
- $startMessage = $_POST['startMessage'];
+ $startMessage = (int) $_POST['startMessage'];
}
if (isset($_GET['show_more'])) {
- $show_more = $_GET['show_more'];
+ $show_more = (int) $_GET['show_more'];
}
if (isset($_GET['show_more_cc'])) {
- $show_more_cc = $_GET['show_more_cc'];
+ $show_more_cc = (int) $_GET['show_more_cc'];
}
if (isset($_GET['show_more_bcc'])) {
- $show_more_bcc = $_GET['show_more_bcc'];
+ $show_more_bcc = (int) $_GET['show_more_bcc'];
}
if (isset($_GET['mailbox'])) {
$mailbox = $_GET['mailbox'];
$what = $_GET['what'];
}
if (isset($_GET['view_hdr'])) {
- $view_hdr = $_GET['view_hdr'];
+ $view_hdr = (int) $_GET['view_hdr'];
}
if (isset($_SESSION['server_sort_array'])) {
$server_sort_array = $_SESSION['server_sort_array'];
$delimiter = $_SESSION['delimiter'];
if (isset($_GET['startMessage'])) {
- $startMessage = $_GET['startMessage'];
+ $startMessage = (int) $_GET['startMessage'];
} elseif (isset($_POST['startMessage'])) {
- $startMessage = $_POST['startMessage'];
+ $startMessage = (int) $_POST['startMessage'];
}
if (isset($_GET['mailbox'])) {
$mailbox = $_GET['mailbox'];
$mailbox = $_POST['mailbox'];
}
if (isset($_GET['PG_SHOWNUM'])) {
- $PG_SHOWNUM = $_GET['PG_SHOWNUM'];
+ $PG_SHOWNUM = (int) $_GET['PG_SHOWNUM'];
}
elseif (isset($_SESSION['PG_SHOWNUM'])) {
- $PG_SHOWNUM = $_SESSION['PG_SHOWNUM'];
+ $PG_SHOWNUM = (int) $_SESSION['PG_SHOWNUM'];
}
if (isset($_GET['PG_SHOWALL'])) {
- $PG_SHOWALL = $_GET['PG_SHOWALL'];
+ $PG_SHOWALL = (int) $_GET['PG_SHOWALL'];
}
if (isset($_GET['newsort'])) {
- $newsort = $_GET['newsort'];
+ $newsort = (int) $_GET['newsort'];
}
if (isset($_GET['composenew'])) {
$composenew = $_GET['composenew'];
}
if (isset($_GET['checkall'])) {
- $checkall = $_GET['checkall'];
+ $checkall = (int) $_GET['checkall'];
}
if (isset($_GET['set_thread'])) {
- $set_thread = $_GET['set_thread'];
+ $set_thread = (int) $_GET['set_thread'];
}
if (isset($_SESSION['lastTargetMailbox'])) {
$lastTargetMailbox =$_SESSION['lastTargetMailbox'];
$username = $_SESSION['username'];
$onetimepad = $_SESSION['onetimepad'];
$mailbox = decodeHeader($_GET['mailbox']);
-$passed_id = $_GET['passed_id'];
+$passed_id = (int) $_GET['passed_id'];
$ent_id = $_GET['ent_id'];
$passed_ent_id = $_GET['passed_ent_id'];
$QUERY_STRING = $_SERVER['QUERY_STRING'];
'<tr><td bgcolor="' . $color[0] . '">' .
'<b><center>' .
_("Viewing a Business Card") . " - ";
-$msg_url = 'read_body.php?' . $QUERY_STRING;
+$msg_url = 'read_body.php?' . urlencode(strip_tags(urldecode($QUERY_STRING)));
$msg_url = set_url_var($msg_url, 'ent_id', 0);
echo '<a href="'.$msg_url.'">'. _("View message") . '</a>';
'<tr><td align=center>' .
'<a href="../src/download.php?absolute_dl=true&passed_id=' .
$passed_id . '&mailbox=' . urlencode($mailbox) .
- '&passed_ent_id=' . $passed_ent_id . '">' .
+ '&passed_ent_id=' . urlencode($passed_ent_id) . '">' .
_("Download this as a file") . '</A>' .
'</TD></TR></TABLE>' .