Manually entered nicks, email addresses, first names, last names, and
info sections in the addressbook are not filtered so script can be
placed and executed through them the next time the page is viewed.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3653
7612ce4b-ef26-0410-bec9-
ea0150e637f0
global $color;
$td_str = '<INPUT NAME="' . $name . '[' . $field . ']" SIZE="' . $size . '" VALUE="';
if (isset($values[$field])) {
global $color;
$td_str = '<INPUT NAME="' . $name . '[' . $field . ']" SIZE="' . $size . '" VALUE="';
if (isset($values[$field])) {
- $td_str .= htmlspecialchars($values[$field]);
+ $td_str .= htmlspecialchars( strip_tags( $values[$field] ) );
}
$td_str .= '">' . $add . '';
return html_tag( 'tr' ,
}
$td_str .= '">' . $add . '';
return html_tag( 'tr' ,
/* Output form to add and modify address data */
function address_form($name, $submittext, $values = array()) {
global $color;
/* Output form to add and modify address data */
function address_form($name, $submittext, $values = array()) {
global $color;
echo html_tag( 'table',
adressbook_inp_field(_("Nickname"), 'nickname', $name, 15, $values,
echo html_tag( 'table',
adressbook_inp_field(_("Nickname"), 'nickname', $name, 15, $values,
- '<SMALL>' . _("Must be unique") . '</SMALL>') .
+ ' <SMALL>' . _("Must be unique") . '</SMALL>') .
adressbook_inp_field(_("E-mail address"), 'email', $name, 45, $values, '') .
adressbook_inp_field(_("First name"), 'firstname', $name, 45, $values, '') .
adressbook_inp_field(_("Last name"), 'lastname', $name, 45, $values, '') .
adressbook_inp_field(_("E-mail address"), 'email', $name, 45, $values, '') .
adressbook_inp_field(_("First name"), 'firstname', $name, 45, $values, '') .
adressbook_inp_field(_("Last name"), 'lastname', $name, 45, $values, '') .
, 'center', '', 'border="0" cellpadding="1" width="90%"') ."\n";
}
, 'center', '', 'border="0" cellpadding="1" width="90%"') ."\n";
}
/* Open addressbook, with error messages on but without LDAP (the *
* second "true"). Don't need LDAP here anyway */
$abook = addressbook_init(true, true);
/* Open addressbook, with error messages on but without LDAP (the *
* second "true"). Don't need LDAP here anyway */
$abook = addressbook_init(true, true);
displayPageHeader($color, 'None');
displayPageHeader($color, 'None');
$defdata = array();
$formerror = '';
$abortform = false;
$defdata = array();
$formerror = '';
$abortform = false;
* Add new address *
**************************************************/
if (!empty($addaddr['nickname'])) {
* Add new address *
**************************************************/
if (!empty($addaddr['nickname'])) {
+ foreach( $addaddr as $k => $adr ) {
+ $addaddr[$k] = strip_tags( $adr );
+ }
$r = $abook->add($addaddr, $abook->localbackend);
/* Handle error messages */
$r = $abook->add($addaddr, $abook->localbackend);
/* Handle error messages */
$showaddrlist = false;
$defdata = $addaddr;
}
$showaddrlist = false;
$defdata = $addaddr;
}
} else {
/************************************************
} else {
/************************************************
/* Display the "new address" form */
echo '<a name="AddAddress"></a>' . "\n" .
'<FORM ACTION="' . $form_url . '" NAME=f_add METHOD="POST">' . "\n" .
/* Display the "new address" form */
echo '<a name="AddAddress"></a>' . "\n" .
'<FORM ACTION="' . $form_url . '" NAME=f_add METHOD="POST">' . "\n" .
html_tag( 'tr',
html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
'center', $color[0]
html_tag( 'tr',
html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
'center', $color[0]
do_hook('addressbook_bottom');
?>
do_hook('addressbook_bottom');
?>
+</BODY></HTML>
\ No newline at end of file
projects / squirrelmail.git / commitdiff