From: philippe_mingo
Date: Fri, 13 Sep 2002 08:55:52 +0000 (+0000)
Subject: 5) XSS in addressbook (different):
X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=commitdiff_plain;h=c6554ec089b31a152ab5d4d08a4233c54370f7f1
5) XSS in addressbook (different): Manually entered nicks, email addresses, first names, last names, and info sections in the addressbook are not filtered so script can be placed and executed through them the next time the page is viewed.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3653 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/src/addressbook.php b/src/addressbook.php
index 5742cdb2..91f83392 100644
--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -27,7 +27,7 @@ function adressbook_inp_field($label, $field, $name, $size, $values, $add) { global $color; $td_str = '' . $add . ''; return html_tag( 'tr' ,
@@ -40,9 +40,10 @@ function adressbook_inp_field($label, $field, $name, $size, $values, $add) { /* Output form to add and modify address data */ function address_form($name, $submittext, $values = array()) { global $color;
+ echo html_tag( 'table', adressbook_inp_field(_("Nickname"), 'nickname', $name, 15, $values,
- '' . _("Must be unique") . '') .
+ ' ' . _("Must be unique") . '') . adressbook_inp_field(_("E-mail address"), 'email', $name, 45, $values, '') . adressbook_inp_field(_("First name"), 'firstname', $name, 45, $values, '') . adressbook_inp_field(_("Last name"), 'lastname', $name, 45, $values, '') .
@@ -56,7 +57,6 @@ function address_form($name, $submittext, $values = array()) { , 'center', '', 'border="0" cellpadding="1" width="90%"') ."\n"; }
- /* Open addressbook, with error messages on but without LDAP (the * * second "true"). Don't need LDAP here anyway */ $abook = addressbook_init(true, true);
@@ -69,7 +69,6 @@ if($abook->localbackend == 0) { displayPageHeader($color, 'None');
- $defdata = array(); $formerror = ''; $abortform = false; 
@@ -85,7 +84,9 @@ if($REQUEST_METHOD == 'POST') { * Add new address * **************************************************/ if (!empty($addaddr['nickname'])) {
-
+ foreach( $addaddr as $k => $adr ) {
+ $addaddr[$k] = strip_tags( $adr );
+ }
 $r = $abook->add($addaddr, $abook->localbackend); /* Handle error messages */
@@ -98,7 +99,6 @@ if($REQUEST_METHOD == 'POST') { $showaddrlist = false; $defdata = $addaddr; }
- } else { /************************************************
@@ -369,7 +369,7 @@ if ($showaddrlist) { /* Display the "new address" form */ echo '' . "\n" . '
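Review bot: The `foreach` that applies `strip_tags()` to `$addaddr` on the add path removes markup but does not encode what remains, so quotes and other attribute-breaking characters survive into storage and into `$defdata = $addaddr`, which `address_form` later writes back into the form fields without any encoding visible in this diff. Escaping belongs at output rather than at input: wrap each value with `htmlspecialchars($value, ENT_QUOTES)` where `adressbook_inp_field` builds the field and where the address list prints entries, keeping `strip_tags()` at most as a lossy cleanup step (it also discards legitimate `<` characters a user may type into the info field). The loop runs only inside the "Add new address" branch; the modify/update path is not in this diff, so whether it receives the same treatment should be checked. The enclosing `if($REQUEST_METHOD == 'POST')` block starts and ends outside the hunk.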
' . "\n" .
- html_tag( 'table',
+ html_tag( 'table',
 html_tag( 'tr', html_tag( 'td', "\n". '' . sprintf(_("Add to %s"), $abook->localbackendname) . '' . "\n", 'center', $color[0]
@@ -383,4 +383,4 @@ echo '
';
 do_hook('addressbook_bottom');
 ?>
-
+
\ No newline at end of file