From 834d1b2ea755992278848202d756cf783f120e24 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 24 Nov 2008 20:55:23 +0000
Subject: [PATCH] Added XSS prevention

---
 www/disputes.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/www/disputes.php b/www/disputes.php
index ee4459a..b65216d 100644
--- a/www/disputes.php
+++ b/www/disputes.php
@@ -282,7 +282,7 @@
 `IP`='".$_SERVER['REMOTE_ADDR']."'";
 mysql_query($query);
- $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), sanitizeHTML($email))."\n\n";
+ $body = sprintf(_("You have been sent this email as the email address '%s' is being disputed. You have the option to accept or reject this request, after 2 days the request will automatically be discarded. Click the following link to accept or reject the dispute:"), $email)."\n\n";
 $body .= "https://".$_SESSION['_config']['normalhostname']."/disputes.php?type=email&emailid=$emailid&hash=$hash\n\n";
 $body .= _("Best regards")."\n"._("CAcert.org Support!");
@@ -310,7 +310,7 @@
 if(mysql_num_rows($res) > 0)
 {
 showheader(_("Domain Dispute"));
- printf(_("The domain '%s' already exists in the dispute system. Can't continue."), $domain);
+ printf(_("The domain '%s' already exists in the dispute system. Can't continue."), sanitizeHTML($domain));
 showfooter();
 exit;
 }
@@ -321,7 +321,7 @@
 if(mysql_num_rows($res) <= 0)
 {
 showheader(_("Domain Dispute"));
- printf(_("The domain '%s' doesn't exist in the system. Can't continue."), $email);
+ printf(_("The domain '%s' doesn't exist in the system. Can't continue."), sanitizeHTML($email));
 showfooter();
 exit;
 }
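Review bot: Dropping sanitizeHTML() from the `%s` argument on the `+` line of the `@@ -282` hunk is only correct because `$body` is assembled as a plain-text mail body, and nothing in the hunk records that; the next reader of a commit titled "Added XSS prevention" is likely to put the call back. Add a comment above the assignment, `// plain-text mail body: HTML-encoding $email here would show entities to the recipient and is not an XSS control`. Whether `$email` has been validated before it reaches this line is not visible here, because the enclosing block starts before line 282, so that belongs to the caller's review. The URL line with `$emailid` and `$hash` and the `$_SERVER['REMOTE_ADDR']` query fragment are unchanged context, not part of this change.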
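Review bot: The `+` line of the `@@ -321` hunk formats a message about a domain ("The domain '%s' doesn't exist in the system") with `$email`, whereas the parallel hunks at 310, 402 and 424 pass `$domain` or the session's domain; either the message text or the variable looks wrong, and wrapping the value in sanitizeHTML() leaves that mismatch in place. If `$email` genuinely holds the disputed domain at this point (the enclosing block starts outside the hunk, so this cannot be confirmed here), a comment saying so would help; otherwise the argument should be `sanitizeHTML($domain)`. Encoding at the output sink, as these hunks do, is the right place for it.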
@@ -402,7 +402,7 @@
 if(mysql_num_rows($res) <= 0)
 {
 showheader(_("Domain Dispute!"));
- printf(_("The domain '%s' isn't in the system. Can't continue."), $_SESSION['_config']['domain']);
+ printf(_("The domain '%s' isn't in the system. Can't continue."), sanitizeHTML($_SESSION['_config']['domain']));
 showfooter();
 exit;
 }
@@ -424,7 +424,7 @@
 sendmail($authaddy, "[CAcert.org] "._("Dispute Probe"), $body, "support@cacert.org", "", "", "CAcert Support");
 showheader(_("Domain Dispute"));
- printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), $domain);
+ printf(_("The domain '%s' has been entered into the dispute system, the email address you choose will now be sent an email which will give the recipent the option of accepting or rejecting the request, if after 2 days we haven't received a valid response for or against we will discard the request."), sanitizeHTML($domain));
 showfooter();
 exit;
 }