From a9e1e670fab4399260e0790e018393c7dcefcecc Mon Sep 17 00:00:00 2001 From: kink Date: Mon, 26 Apr 2004 23:26:06 +0000 Subject: [PATCH] Improve HTML escaping git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@7269 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- plugins/filters/options.php | 5 +++-- plugins/fortune/setup.php | 14 ++++++++------ plugins/info/functions.php | 6 ++---- plugins/info/options.php | 29 +++++++++++++++++++---------- plugins/mail_fetch/fetch.php | 4 ++-- plugins/mail_fetch/options.php | 17 +++++++++++------ plugins/newmail/newmail_opt.php | 7 +++++-- plugins/newmail/setup.php | 3 ++- plugins/newmail/testsound.php | 2 +- plugins/spamcop/spamcop.php | 4 ++-- 10 files changed, 55 insertions(+), 36 deletions(-) diff --git a/plugins/filters/options.php b/plugins/filters/options.php index 35436671..f439ad07 100644 --- a/plugins/filters/options.php +++ b/plugins/filters/options.php @@ -37,6 +37,7 @@ require_once(SM_PATH . 'functions/page_header.php'); require_once(SM_PATH . 'functions/imap.php'); require_once(SM_PATH . 'functions/imap_mailbox.php'); require_once(SM_PATH . 'include/load_prefs.php'); +require_once(SM_PATH . 'functions/forms.php'); require_once(SM_PATH . 'plugins/filters/filters.php'); global $AllowSpamFilters; @@ -207,7 +208,7 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) { ''. ''. '\n". - '\n". + addHidden('theid', $theid). ''. ''; @@ -258,4 +259,4 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) { ) , 'center', '', 'width="80%" border="0" cellpadding="2" cellspacing="0"' ); echo ''; -?> \ No newline at end of file +?> diff --git a/plugins/fortune/setup.php b/plugins/fortune/setup.php index d1c21bcc..dbdc7b10 100644 --- a/plugins/fortune/setup.php +++ b/plugins/fortune/setup.php @@ -41,16 +41,18 @@ function fortune() { $fortune_location = '/usr/games/fortune'; $exist = file_exists($fortune_location); - echo "
"; - echo '
'; + echo "
\n". + "
\n". + "
\n"; + echo '
'; if (!$exist) { echo "$fortune_location" . _(" not found."); } else { - echo "
" . _("Today's Fortune") . "
";
-        system($fortune_location);
+        echo "
" . _("Today's Fortune") . "
";
+        htmlspecialchars(system($fortune_location));
     } 
   
-    echo '
'; + echo '
'; } /** @@ -91,4 +93,4 @@ function fortune_save() { } } -?> \ No newline at end of file +?> diff --git a/plugins/info/functions.php b/plugins/info/functions.php index b715d933..412a2d89 100644 --- a/plugins/info/functions.php +++ b/plugins/info/functions.php @@ -31,7 +31,7 @@ function get_caps($imap_stream) { */ function imap_test($imap_stream, $string) { global $default_charset; - print "".$string.""; + print "".htmlspecialchars($string).""; $response = sqimap_run_command_list($imap_stream, trim($string),false, $responses, $message,false); array_push($response, $responses . ' ' .$message); return $response; @@ -46,9 +46,7 @@ function print_response($response) { print_response($value); } else { - $value = preg_replace("//", ">", $value); - print $value."
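Review bot: `htmlspecialchars(system($fortune_location));` on the new side escapes nothing: system() writes the command's output straight to the response as it runs and returns only the last line, so the escaped string is computed and then discarded, and the page receives the raw fortune text exactly as with the removed `system($fortune_location);`. Capture the output before echoing it, e.g. `exec($fortune_location, $lines); echo htmlspecialchars(implode("\n", $lines));`, or wrap the call in ob_start()/ob_get_clean() and escape the buffer. fortune()'s opening line lies outside the hunk.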
\n"; + print htmlspecialchars($value)."
\n"; } } } diff --git a/plugins/info/options.php b/plugins/info/options.php index 90f34522..fc78d8d0 100644 --- a/plugins/info/options.php +++ b/plugins/info/options.php @@ -22,6 +22,7 @@ define('SM_PATH','../../'); require_once(SM_PATH . 'include/validate.php'); require_once(SM_PATH . 'functions/page_header.php'); require_once(SM_PATH . 'functions/imap.php'); +require_once(SM_PATH . 'functions/forms.php'); require_once(SM_PATH . 'plugins/info/functions.php'); global $username, $color, $folder_prefix, $default_charset; @@ -65,23 +66,29 @@ print "
\n"; print "
Server Capability response:
\n"; foreach($caps_array[0] as $value) { - print $value; + print htmlspecialchars($value); } print "
\n"; if (!isset($submit) || $submit == 'default') { - print "
Select the IMAP commands you would like to run. Most commands require a selected mailbox so the select command is already setup. You can clear all the commands and test your own IMAP command strings. The commands are executed in order. The default values are simple IMAP commands using your default_charset and folder_prefix from Squirrelmail when needed.

NOTE: These commands are live, any changes made will effect your current email account.

\n"; + print "
Select the IMAP commands you would like to run. + Most commands require a selected mailbox so the select command is already setup. + You can clear all the commands and test your own IMAP command strings. The commands are + executed in order. The default values are simple IMAP commands using your default_charset + and folder_prefix from SquirrelMail when needed.

+
NOTE: These commands are live, any changes made will effect your current + email account.

\n"; if (!isset($submit)) { $submit = ''; } } else { - print "folder_prefix = $folder_prefix
\n"; - print "default_charset = $default_charset\n"; + print 'folder_prefix = ' . htmlspecialchars($folder_prefix)."
\n" . + 'default_charset = '.htmlspecialchars($default_charset)."\n"; } -print "

\n"; +print "

\n"; if ($submit == 'submit') { @@ -126,13 +133,15 @@ foreach($type as $index=>$value) { print " CHECKED"; } print ">$index\n"; - print "\n"; + print addInput($index, $value, 60); } -print "
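Review bot: The reworded help text still reads `any changes made will effect your current email account`; the verb should be `affect`, and since the string is being rewritten in this hunk anyway that is the moment to fix it. The escaping added around `$folder_prefix` and `$default_charset` in the else branch is appropriate for text content. The rest of the rewording (line wrapping, `SquirrelMail` capitalisation) only changes whitespace and case.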
\n"; -print "
\n"; -print "\n"; -print "

\n"; +print "
\n"; +print "
". + addSubmit('submit','submit'). + addSubmit('clear','submit'). + addSubmit('default','submit'). + "

\n"; $tests = array(); diff --git a/plugins/mail_fetch/fetch.php b/plugins/mail_fetch/fetch.php index 39e0d1df..0efb7bb7 100644 --- a/plugins/mail_fetch/fetch.php +++ b/plugins/mail_fetch/fetch.php @@ -183,7 +183,7 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); Mail_Fetch_Status(_("Opening POP server")); $Count = $pop3->login($mailfetch_user, $mailfetch_pass); if (($Count == false || $Count == -1) && $pop3->ERROR != '') { - Mail_Fetch_Status(_("Login Failed:") . ' ' . $pop3->ERROR ); + Mail_Fetch_Status(_("Login Failed:") . ' ' . htmlspecialchars($pop3->ERROR) ); continue; } @@ -290,7 +290,7 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); if( $pop3->delete($i) ) { Mail_Fetch_Status(_("Message ") . $i . _(" deleted from Remote Server!")); } else { - Mail_Fetch_Status(_("Delete failed:") . $pop3->ERROR ); + Mail_Fetch_Status(_("Delete failed:") . htmlspecialchars($pop3->ERROR) ); } } } else { diff --git a/plugins/mail_fetch/options.php b/plugins/mail_fetch/options.php index 27b1a940..1b91d718 100644 --- a/plugins/mail_fetch/options.php +++ b/plugins/mail_fetch/options.php @@ -281,7 +281,7 @@ sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST); html_tag( 'td', "" . '' . - '
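Review bot: The context line `print ">$index\n";` directly above the new `print addInput($index, $value, 60);` still interpolates `$index` into the page unescaped, while `$value` on the next line now goes through addInput(); if the keys of `$type` can be influenced by request data they need `htmlspecialchars($index)` here too, otherwise a short comment stating that they are fixed test names would settle the question. The same `$index` becomes the input's name attribute inside addInput(), where it is presumably escaped by functions/forms.php — worth confirming, since that helper is new to this file. The enclosing foreach opens outside the hunk.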
' . _("Selected Server:") . " " . htmlentities($mailfetch_server_[$mf_sn]) . "
" . + '
' . _("Selected Server:") . " " . htmlspecialchars($mailfetch_server_[$mf_sn]) . "
" . _("Confirm delete of selected server?") . '

' . '' . '
' , @@ -308,23 +308,28 @@ sqgetGlobalVar('submit_mailfetch', $submit_mailfetch, SQ_POST); html_tag( 'table' ) . html_tag( 'tr', html_tag( 'th', _("Server:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Port:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Alias:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Username:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Password:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr' ) . html_tag( 'th', _("Store in Folder:"), 'right' ) . diff --git a/plugins/newmail/newmail_opt.php b/plugins/newmail/newmail_opt.php index 181abb36..d41cb111 100644 --- a/plugins/newmail/newmail_opt.php +++ b/plugins/newmail/newmail_opt.php @@ -132,7 +132,8 @@ if ($allowsound == "true") { if ($fname == $media) { echo 'selected '; } - echo 'value="' . $fname . '">' . $entry . "\n"; + echo 'value="' . htmlspecialchars($fname) . '">' . + htmlspecialchars($entry) . "\n"; } } $d->close(); @@ -146,7 +147,9 @@ if ($allowsound == "true") { ''. html_tag( 'tr', "\n" . html_tag( 'td', _("Current File:"), 'right', '', 'nowrap' ) . - html_tag( 'td', '' . $media . '', 'left' ) + html_tag( 'td', '' . + htmlspecialchars($media) . '', 'left' ) ) . "\n"; } echo html_tag( 'tr', "\n" . diff --git a/plugins/newmail/setup.php b/plugins/newmail/setup.php index 9364b9a7..12bd65f7 100644 --- a/plugins/newmail/setup.php +++ b/plugins/newmail/setup.php @@ -215,7 +215,8 @@ } if ($totalNew > 0 && $newmail_enable == 'on' && $newmail_media != '' ) { - echo "\n"; + echo '\n"; } if ($totalNew > 0 && $newmail_popup == 'on') { echo "