From 51d8dffac8e1c6a897ff513669bcc87928e17e79 Mon Sep 17 00:00:00 2001
From: INOPIAE <inopiae@cacert.org>
Date: Sun, 9 Aug 2015 17:51:07 +0200
Subject: [PATCH 1/2] bug 932: added escaping with htmlspecialchars function
 and encoding UTF-8 for subject

---
 .../application/views/scripts/mail/full.phtml    | 16 ++++++++--------
 .../application/views/scripts/mail/index.phtml   | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/manager/application/views/scripts/mail/full.phtml b/manager/application/views/scripts/mail/full.phtml
index 1bfed87..01d8ff2 100644
--- a/manager/application/views/scripts/mail/full.phtml
+++ b/manager/application/views/scripts/mail/full.phtml
@@ -23,14 +23,14 @@ else {
     </tr>
 <?php
     foreach ($this->headers as $header) {
-        print "        <tr>\n";
-        print "            <td><a href=\"" . $header->detailslink . "\">" . $header->fromaddress . "</a></td>";
-        print "            <td>" . $header->toaddress . "</td>";
-        print "            <td>" . $header->subject . "</td>";
-        print "            <td>" . $header->date . "</td>";
-        print "            <td>" . $header->Size . "</td>";
-        print "            <td><a class=\"delete\" href=\"" . $header->deletelink . "\"><img src=\"/img/delete_icon.jpg\"></a></td>";
-        print "        </tr>\n";
+        print "    <tr>\n";
+        print "        <td><a href=\"" . $header->detailslink . "\">" . $header->fromaddress . "</a></td>";
+        print "        <td>" . $header->toaddress . "</td>";
+        print "        <td>" . htmlspecialchars(quoted_printable_decode($header->subject), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</td>";
+        print "        <td>" . $header->date . "</td>";
+        print "        <td>" . $header->Size . "</td>";
+        print "        <td><a class=\"delete\" href=\"" . $header->deletelink . "\"><img src=\"/img/delete_icon.jpg\"></a></td>";
+        print "    </tr>\n";
     }
 }
 ?>
diff --git a/manager/application/views/scripts/mail/index.phtml b/manager/application/views/scripts/mail/index.phtml
index 427d0e9..3eecfdc 100644
--- a/manager/application/views/scripts/mail/index.phtml
+++ b/manager/application/views/scripts/mail/index.phtml
@@ -23,14 +23,14 @@ else {
     </tr>
 <?php
     foreach ($this->headers as $header) {
-        print "        <tr>\n";
-        print "            <td><a href=\"" . $header->detailslink . "\">" . $header->fromaddress . "</a></td>";
-        print "            <td>" . $header->toaddress . "</td>";
-        print "            <td>" . $header->subject . "</td>";
-        print "            <td>" . $header->date . "</td>";
-        print "            <td>" . $header->Size . "</td>";
-        print "            <td><a class=\"delete\" href=\"" . $header->deletelink . "\"><img src=\"/img/delete_icon.jpg\"></a></td>";
-        print "        </tr>\n";
+        print "    <tr>\n";
+        print "        <td><a href=\"" . $header->detailslink . "\">" . $header->fromaddress . "</a></td>";
+        print "        <td>" . $header->toaddress . "</td>";
+        print "        <td>" . htmlspecialchars(quoted_printable_decode($header->subject), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</td>";
+        print "        <td>" . $header->date . "</td>";
+        print "        <td>" . $header->Size . "</td>";
+        print "        <td><a class=\"delete\" href=\"" . $header->deletelink . "\"><img src=\"/img/delete_icon.jpg\"></a></td>";
+        print "    </tr>\n";
     }
 }
 ?>

From 269829b175dac7bf3f2128fbd5c55ba08f48d2d0 Mon Sep 17 00:00:00 2001
From: INOPIAE <inopiae@cacert.org>
Date: Sun, 9 Aug 2015 18:11:52 +0200
Subject: [PATCH 2/2] bug 932: added escaping with htmlspecialchars function
 for user name

---
 manager/application/views/helpers/UserInfo.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manager/application/views/helpers/UserInfo.php b/manager/application/views/helpers/UserInfo.php
index bf98f1b..b0f8703 100644
--- a/manager/application/views/helpers/UserInfo.php
+++ b/manager/application/views/helpers/UserInfo.php
@@ -82,7 +82,7 @@ class Zend_View_Helper_UserInfo extends Zend_View_Helper_Placeholder_Container_S
 
         $output .= $indent . "<div id=\"userinfo\">\n";
         $output .= $indent . "\tUser: " . $this->items['authed_username'] . "<br>\n";
-        $output .= $indent . "\tName: " . $this->items['authed_fname'] . ' ' . $this->items['authed_lname'] . "<br>\n";
+        $output .= $indent . "\tName: " . htmlentities(strip_tags($this->items['authed_fname'] . ' ' . $this->items['authed_lname']), ENT_QUOTES, 'ISO-8859-1') . "<br>\n";
         $output .= $indent . "\tRole: " . $this->items['authed_role'] . "<br>\n";
         if ($this->items['authed_by_crt'] === true)
             $output .= $indent . "\tLoginmethod: CRT<br>\n";