Fixed #4893 Stored XSS issue in email name field

interface/lib/classes/listform.inc.php

@@ -179,6 +179,7 @@ class listform {
 								&& $k == $_SESSION['search'][$list_name][$search_prefix.$field]
 								&& $_SESSION['search'][$list_name][$search_prefix.$field] != '')
 								? ' SELECTED' : '';
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'$selected>$v</option>\r\n";
 						}
 					}
@@ -610,17 +611,8 @@ class listform {
 	}
 
 	function escapeArrayValues($search_values) {
-		global $conf;
-
-		$out = array();
-		if(is_array($search_values)) {
-			foreach($search_values as $key => $val) {
-				$out[$key] = htmlentities($val, ENT_QUOTES, $conf["html_content_encoding"]);
-			}
-		}
-
-		return $out;
-
+		global $app;
+		return $app->functions->htmlentities($search_values);
 	}
 
 }

interface/lib/classes/quota_lib.inc.php

@@ -243,7 +243,8 @@ class quota_lib {
 		if(is_array($emails) && !empty($emails)){
 			for($i=0;$i<sizeof($emails);$i++){
 				$email = $emails[$i]['email'];
-		
+				
+				$emails[$i]['name'] = $app->functions->htmlentities($emails[$i]['name']);
 				$emails[$i]['used'] = isset($monitor_data[$email]['used']) ? $monitor_data[$email]['used'] : array(1 => 0);
 		
 				if (!is_numeric($emails[$i]['used'])) $emails[$i]['used']=$emails[$i]['used'][1];

interface/lib/classes/tform_base.inc.php

@@ -475,6 +475,7 @@ class tform_base {
 								$selected = ($k == $val)?' SELECTED':'';
 								if(isset($this->wordbook[$v]))
 									$v = $this->wordbook[$v];
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
 							}
 						}
@@ -494,7 +495,7 @@ class tform_base {
 								foreach($vals as $tvl) {
 									if(trim($tvl) == trim($k)) $selected = ' SELECTED';
 								}
-
+								$v = $app->functions->htmlentities($v);
 								$out .= "<option value='$k'$selected>$v</option>\r\n";
 							}
 						}
@@ -577,7 +578,7 @@ class tform_base {
 					
 					default:
 						if(isset($record[$key])) {
-							$new_record[$key] = htmlspecialchars($record[$key]);
+							$new_record[$key] = $app->functions->htmlentities($record[$key]);
 						} else {
 							$new_record[$key] = '';
 						}
@@ -608,7 +609,8 @@ class tform_base {
 						$out = '';
 						foreach($field['value'] as $k => $v) {
 							$selected = ($k == $field["default"])?' SELECTED':'';
-							$out .= "<option value='$k'$selected>".$this->lng($v)."</option>\r\n";
+							$v = $app->functions->htmlentities($this->lng($v));
+							$out .= "<option value='$k'$selected>".$v."</option>\r\n";
 						}
 					}
 					if(isset($out)) $new_record[$key] = $out;
@@ -622,7 +624,7 @@ class tform_base {
 						// HTML schreiben
 						$out = '';
 						foreach($field['value'] as $k => $v) {
-
+							$v = $app->functions->htmlentities($v);
 							$out .= "<option value='$k'>$v</option>\r\n";
 						}
 					}
@@ -693,7 +695,7 @@ class tform_base {
 					break;
 
 				default:
-					$new_record[$key] = htmlspecialchars($field['default']);
+					$new_record[$key] = $app->functions->htmlentities($field['default']);
 				}
 			}
 
@@ -911,6 +913,12 @@ class tform_base {
 				case 'NOWHITESPACE':
 					$returnval = preg_replace('/\s+/', '', $returnval);
 					break;
+				case 'STRIPTAGS':
+					$returnval = strip_tags(preg_replace('/<script[^>]*>/is', '', $returnval));
+					break;
+				case 'STRIPNL':
+					$returnval = str_replace(array("\n","\r"),'', $returnval);
+					break;
 				default:
 					$this->errorMessage .= "Unknown Filter: ".$filter['type'];
 					break;

interface/web/mail/form/mail_user.tform.php

@@ -144,6 +144,12 @@ $form["tabs"]['mailuser'] = array(
 		'name' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'TEXT',
+			'filters'   => array(
+					0 => array( 'event' => 'SAVE',
+					'type' => 'STRIPTAGS'),
+					1 => array( 'event' => 'SAVE',
+					'type' => 'STRIPNL')
+			),
 			'default' => '',
 			'value'  => '',
 			'width'  => '30',