From: Marc G. K. <st...@us...> - 2003-02-24 18:51:37
Update of /cvsroot/squirrelmail/squirrelmail/src
In directory sc8-pr-cvs1:/tmp/cvs-serv31105
Modified Files: read_body.php
Log Message: fixed problems with subjects with html special chars in it. Fix for possible xss holes
Index: read_body.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/read_body.php,v
retrieving revision 1.276
retrieving revision 1.277
diff -u -w -r1.276 -r1.277
--- read_body.php 6 Feb 2003 04:55:20 -0000 1.276
+++ read_body.php 24 Feb 2003 18:51:33 -0000 1.277
@@ -368,7 +368,7 @@
 $cnt = count($recipients);
 foreach($recipients as $r) {
- $add = htmlspecialchars($r->getAddress());
+ $add = htmlspecialchars(decodeHeader($r->getAddress()));
 if ($string) {
 $string .= '<BR>' . $add;
 } else {
@@ -396,11 +396,7 @@
 $header = $message->rfc822_header;
 $env = array();
- if ($squirrelmail_language == 'ja_JP') {
 $env[_("Subject")] = htmlspecialchars(decodeHeader($header->subject));
- } else {
- $env[_("Subject")] = decodeHeader(htmlspecialchars($header->subject));
- }
 $from_name = $header->getAddr_s('from');
 if (!$from_name) {
 $from_name = $header->getAddr_s('sender');
@@ -414,10 +410,10 @@
 $env[_("Cc")] = formatRecipientString($header->cc, "cc");
 $env[_("Bcc")] = formatRecipientString($header->bcc, "bcc");
 if ($default_use_priority) {
- $env[_("Priority")] = getPriorityStr($header->priority);
+ $env[_("Priority")] = htmlspecialchars(getPriorityStr($header->priority));
 }
 if ($show_xmailer_default) {
- $env[_("Mailer")] = htmlentities(decodeHeader($header->xmailer));
+ $env[_("Mailer")] = htmlspecialchars(decodeHeader($header->xmailer));
 }
 if ($default_use_mdn) {
 if ($mdn_user_support) {
|
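Review bot: The added `$add = htmlspecialchars(decodeHeader($r->getAddress()));` relies on htmlspecialchars()'s default quote handling, which converts double quotes but leaves single quotes untouched, so a decoded address containing a single quote is still live if `$add` is ever placed inside a single-quoted attribute. Passing the quote flag makes the escaping context-independent: `$add = htmlspecialchars(decodeHeader($r->getAddress()), ENT_QUOTES);`. The same default applies to the Subject assignment in the second hunk and to the Priority and Mailer assignments in the third. The enclosing function starts and ends outside this hunk.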
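Review bot: Nothing in the surviving `$env[_("Subject")] = htmlspecialchars(decodeHeader($header->subject));` records that decoding must happen before escaping, so the property this commit restores (the removed else-branch escaped first, letting characters produced by decodeHeader reach the page raw) can be silently undone by the next locale special-case. I would add above the assignment `// decode the MIME encoded-words first, then escape; escaping before decoding lets decoded characters reach the page unescaped`. The From/Sender value collected into `$from_name` at the end of the hunk is placed into `$env` outside the hunk; confirm that path applies the same decodeHeader-then-htmlspecialchars treatment, since no escaping of it is visible here. The enclosing function continues outside the hunk.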
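Review bot: The Mailer line switches from htmlentities() to htmlspecialchars() without saying why, and the two differ on non-ASCII bytes: htmlentities converts every character that has a named entity, htmlspecialchars touches only the markup-significant ones, so the output of decodeHeader now passes through in its decoded charset. That is the sensible choice for a header value that need not be ISO-8859-1, but a reader comparing this line with the Priority line above will not see the intent; I would add `// htmlspecialchars, not htmlentities: escape only markup characters, leave the decoded header bytes alone`. The enclosing function continues outside this hunk.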