[SM-CVS] CVS: squirrelmail/functions page_header.php,1.148.2.9,1.148.2.10

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv20852/functions

Modified Files:
      Tag: SM-1_4-STABLE
	page_header.php 
Log Message:
Fix part 1 for XSS issue... call page like this:

  src/compose.php?mailbox="><script>alert('Nuts!');</script>

Because this file is included in other pages, it could affect others too.



Index: page_header.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/page_header.php,v
retrieving revision 1.148.2.9
retrieving revision 1.148.2.10
diff -u -w -r1.148.2.9 -r1.148.2.10

--- page_header.php	24 Feb 2004 15:57:26 -0000	1.148.2.9
+++ page_header.php	28 Mar 2004 11:49:19 -0000	1.148.2.10
@@ -243,8 +243,8 @@
 
     echo "<body text=\"$color[8]\" bgcolor=\"$color[4]\" link=\"$color[7]\" vlink=\"$color[7]\" alink=\"$color[7]\" $onload>\n\n";
     /** Here is the header and wrapping table **/
-    $shortBoxName = imap_utf7_decode_local(
-		      readShortMailboxName($mailbox, $delimiter));
+    $shortBoxName = htmlspecialchars(imap_utf7_decode_local(
+		      readShortMailboxName($mailbox, $delimiter)));
     if ( $shortBoxName == 'INBOX' ) {
         $shortBoxName = _("INBOX");
     }



