diff --git a/interface/lib/classes/functions.inc.php b/interface/lib/classes/functions.inc.php
index da35a370025a75215ef61c7934ad3e778ff58327..136448eefd30029c00a9a6df95066816fc724eab 100644
--- a/interface/lib/classes/functions.inc.php
+++ b/interface/lib/classes/functions.inc.php
@@ -454,6 +454,25 @@ class functions {
 			$app->log("Failed to create SSH keypair for ".$username, LOGLEVEL_WARN);
 		}
 	}
+	
+	public function htmlentities($value) {
+		global $conf;
+
+		if(is_array($value)) {
+			$out = array();
+			foreach($values as $key => $val) {
+				if(is_array($val)) {
+					$out[$key] = $this->htmlentities($val);
+				} else {
+					$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
+				}
+			}
+		} else {
+			$out = htmlentities($value, ENT_QUOTES, $conf["html_content_encoding"]);
+		}
+		
+		return $out;
+	}
 }
 
 ?>
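Review bot: The array branch iterates `$values`, which is never defined — the parameter is `$value` — so any array passed in triggers an undefined-variable warning and comes back as an empty array, silently dropping the list/search values callers such as escapeArrayValues expect to get back; the line should read `foreach($value as $key => $val) {`. A second caveat on the same helper: `htmlentities()` with only `ENT_QUOTES` returns an empty string when the input is not valid in `$conf["html_content_encoding"]`, so one bad byte blanks the whole value instead of displaying it; if the supported PHP floor allows, `ENT_QUOTES | ENT_SUBSTITUTE` keeps the text and replaces just the bad sequence. A short docblock would also help, e.g. `/** Recursively HTML-encode a string or (nested) array of strings for output in the configured encoding. */`.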
diff --git a/interface/lib/classes/listform.inc.php b/interface/lib/classes/listform.inc.php
index 4999f7e5427b631a8e964a68791cba091a804376..15a1a53add169892e4aaba3e1b7d4dcb775d398c 100644
--- a/interface/lib/classes/listform.inc.php
+++ b/interface/lib/classes/listform.inc.php
@@ -179,6 +179,7 @@ class listform {
 								&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]
 								&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')
 								? ' SELECTED' : '';
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'$selected>$v</option>\r\n";
 						}
 					}
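Review bot: `$v` is now encoded but `$k`, interpolated into the single-quoted `value='$k'` attribute on the next line, is still written raw, so a key containing `'` or `>` still breaks out of the attribute; if these keys can come from anything other than fixed form definitions, encode it the same way, e.g. `$k = $app->functions->htmlentities($k);` before the `$out .=` line. ENT_QUOTES is what makes the single-quote attribute context safe here, so the helper must keep that flag. The enclosing method starts outside the hunk, so whether `$app` is already declared `global` in its scope cannot be confirmed from the diff.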
@@ -610,17 +611,8 @@ class listform {
 	}
 
 	function escapeArrayValues($search_values) {
-		global $conf;
-
-		$out = array();
-		if(is_array($search_values)) {
-			foreach($search_values as $key => $val) {
-				$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
-			}
-		}
-
-		return $out;
-
+		global $app;
+		return $app->functions->htmlentities($search_values);
 	}
 
 }
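Review bot: `escapeArrayValues` previously returned `array()` for any non-array argument; delegating to the new helper means a scalar now comes back as an encoded string, so a caller that iterates the result without its own `is_array` check would receive a string instead. If that contract matters, keep the guard: `return is_array($search_values) ? $app->functions->htmlentities($search_values) : array();`. The method name and `$search_values` parameter suggest an array is always expected, but that cannot be confirmed from the diff.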
diff --git a/interface/lib/classes/quota_lib.inc.php b/interface/lib/classes/quota_lib.inc.php
index 93d8baa5de2cb21154125737e87f400764f81595..e5d55ff80c17c00354fa6001d6add5c49def61a5 100644
--- a/interface/lib/classes/quota_lib.inc.php
+++ b/interface/lib/classes/quota_lib.inc.php
@@ -243,7 +243,8 @@ class quota_lib {
 		if(is_array($emails) && !empty($emails)){
 			for($i=0;$i<sizeof($emails);$i++){
 				$email = $emails[$i]['email'];
-		
+				
+				$emails[$i]['name'] = $app->functions->htmlentities($emails[$i]['name']);
 				$emails[$i]['used'] = isset($monitor_data[$email]['used']) ? $monitor_data[$email]['used'] : array(1 => 0);
 		
 				if (!is_numeric($emails[$i]['used'])) $emails[$i]['used']=$emails[$i]['used'][1];
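Review bot: The encoding is applied inside quota_lib, a data-gathering method, rather than where the name is rendered, so the returned array now carries HTML-encoded data; if any template or caller already encodes `name` on output the value will be double-encoded (`&amp;lt;`), and any non-HTML consumer (JSON/API, CSV export) receives entities. A one-line comment would at least make the contract explicit: `// name is HTML-encoded here for direct template output; do not encode again`. The method starts outside the hunk, so it cannot be confirmed here that `$app` is declared `global` in its scope.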
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index 8bb8cb7b7dbb4e9fe907dac4ebbabf67f14d05c3..2df1cd24bcfd11ccf221b7a21c12c9ca0c18d3a9 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -475,6 +475,7 @@ class tform_base {
 								$selected = ($k == $val)?' SELECTED':'';
 								if(isset($this->wordbook[$v]))
 									$v = $this->wordbook[$v];
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
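Review bot: On the added line `$v` is entity-encoded before `$this->lng($v)` uses it as the translation lookup key, so a key containing `&`, quotes or non-ASCII characters no longer matches its wordbook entry, and whatever `lng()` returns is emitted unencoded; the later hunk near line 608 of this file applies the same two calls in the correct order. Swap them: `$out .= "<option value='$k'$selected>".$app->functions->htmlentities($this->lng($v))."</option>\r\n";` and drop the separate `$v = ...` assignment. `$k` in `value='$k'` is still unencoded as well.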
@@ -494,7 +495,7 @@ class tform_base {
 								foreach($vals as $tvl) {
 									if(trim($tvl) == trim($k)) $selected = ' SELECTED';
 								}
-
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>$v</option>\r\n";
 							}
 						}
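Review bot: `$k` is still interpolated unencoded into `value='$k'` while `$v` now is; since `$k` is also compared against the submitted `$vals`, a key holding a quote would both break the attribute and never round-trip as selected. If keys are not guaranteed to be static form-definition constants, encode them too: `$k = $app->functions->htmlentities($k);` ahead of the `$out .=` line (after the `trim($tvl) == trim($k)` loop so the `SELECTED` test still uses the raw key).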
@@ -577,7 +578,7 @@ class tform_base {
 					
 					default:
 						if(isset($record[$key])) {
-							$new_record[$key] = htmlspecialchars($record[$key]);
+							$new_record[$key] = $app->functions->htmlentities($record[$key]);
 						} else {
 							$new_record[$key] = '';
 						}
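Review bot: Replacing `htmlspecialchars` with the helper changes what ends up in `$new_record[$key]` for every field of this default branch: `htmlentities` also converts every non-ASCII character to a named entity (`é` becomes `&eacute;`), and it encodes using `$conf["html_content_encoding"]` instead of PHP's default, so a value that is not valid in that encoding becomes an empty string. That is fine if `$new_record` is only ever used as template output, but any code that reads these values back for comparison, length limits or re-saving now sees the encoded form; a comment such as `// output-encoded via the configured html_content_encoding; not for data comparison` would make the intent clear.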
@@ -608,7 +609,8 @@ class tform_base {
 						$out = '';
 						foreach($field['value'] as $k => $v) {
 							$selected = ($k == $field["default"])?' SELECTED':'';
-							$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
+							$v = $app->functions->htmlentities($this->lng($v));
+							$out .= "<option value='$k'$selected>".$v."</option>\r\n";
 						}
 					}
 					if(isset($out)) $new_record[$key] = $out;
@@ -622,7 +624,7 @@ class tform_base {
 						// HTML schreiben
 						$out = '';
 						foreach($field['value'] as $k => $v) {
-
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'>$v</option>\r\n";
 						}
 					}
@@ -693,7 +695,7 @@ class tform_base {
 					break;
 
 				default:
-					$new_record[$key] = htmlspecialchars($field['default']);
+					$new_record[$key] = $app->functions->htmlentities($field['default']);
 				}
 			}
 
@@ -911,6 +913,12 @@ class tform_base {
 				case 'NOWHITESPACE':
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
+				case 'STRIPTAGS':
+					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					break;
+				case 'STRIPNL':
+					$returnval = str_replace(array("\n","\r"),'', $returnval);
+					break;
 				default:
 					$this->errorMessage .= "Unknown Filter: ".$filter['type'];
 					break;
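Review bot: The `STRIPTAGS` filter's `preg_replace` step is redundant — `strip_tags()` already removes `<script ...>` markup — and neither step removes the script body, so `<script>alert(1)</script>` is saved as `alert(1)`; it also leaves `&`, quotes and `>` untouched, so it is not an escaping mechanism and must not be relied on instead of output encoding. It is lossy for legitimate input as well (a name such as `Smith <Jr>` loses the bracketed part), so stripping at SAVE while encoding at render deserves a comment: `// STRIPTAGS is defence-in-depth only; output must still be HTML-encoded`. If `preg_replace` hits a PCRE error it returns null, which then flows into `strip_tags`; a plain `strip_tags($returnval)` avoids both the redundancy and that path.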
diff --git a/interface/web/mail/form/mail_user.tform.php b/interface/web/mail/form/mail_user.tform.php
index 7ba56888292636c3e9016a6497ccb22e3ae08ac9..3d2b66daac0e56cedcc605db22a30261bc067938 100644
--- a/interface/web/mail/form/mail_user.tform.php
+++ b/interface/web/mail/form/mail_user.tform.php
@@ -144,6 +144,12 @@ $form["tabs"]['mailuser'] = array(
 		'name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',
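Review bot: These filters run only on `SAVE`, so names already stored for existing mail users are not cleaned up, and the display-side encoding added elsewhere in this commit is what actually protects existing rows; worth noting beside the array: `// SAVE-time filters are best-effort; existing rows depend on output encoding`. `STRIPNL` is the more valuable of the two here if the display name can end up in a mail header, where a bare CR/LF would allow header injection; if that is the intent, a comment saying so would document why a plain text field strips newlines. `STRIPTAGS` will silently alter legitimate names containing `<` or `>`, which may surprise users.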