[Tickets #7926] Re: Message option "Show All Headers" causes error
bugs at horde.org
Wed Feb 4 21:28:30 UTC 2009
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7926
------------------------------------------------------------------------------
Ticket | 7926
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Message option "Show All Headers" causes error
Queue | IMP
Version | 4.3.3
Type | Bug
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Michael Slusarz, Chuck Hagenbuch
------------------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2009-02-04 16:28) wrote:
> AFAICT, selfUrl() (as called by message.php) has the $full param set
> to false; in selfUrl, Horde::url() is called with $full = false; and
> the URL will necessarily have '&' param separators, instead of '&amp;'
> separators so htmlentities() will be called on the generated URL at
> the bottom of url(). Thus, anything appearing in the URL will/should
> be escaped.
Okay, this is unintuitive, but I follow you and agree - though looking
at Horde::url(), at the very bottom of the function, couldn't you
trick it into not encoding the URL by passing &amp; for one parameter,
and raw data in another?
> As for smime.php, we should probably use
> htmlspecialchars(html_entity_decode(Util::getFormData('reload')))
> instead of htmlspecialchars(Util::getFormData('reload')) (we use the
> former elsewhere in that file). Looks like we aren't doing the
> html_entity_decode() call in pgp.php in either place we are
> processing 'reload' form data, so we should probably be doing that.
If we already do that in those files, that seems fine.
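
The two escaping approaches discussed in this thread, side by side, as an added example that is not part of the original message and is not Horde code. The function names, the simple strpos() check standing in for the test at the bottom of Horde::url(), and the sample strings are all assumptions made for illustration.

```php
<?php
// Added illustration; not Horde code. Function names are hypothetical.

// Models the behaviour discussed in the thread: if the URL already appears
// to contain "&amp;", treat it as encoded and return it unchanged.
// (Assumption: a plain substring check stands in for the real test.)
function escape_unless_looks_encoded(string $url): string
{
    if (strpos($url, '&amp;') !== false) {
        return $url; // trusted as "already escaped"
    }
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// The pattern quoted in the thread for the 'reload' form value: decode
// first, then encode exactly once, so the output is escaped whether or
// not the input arrived pre-encoded.
function escape_normalized(string $value): string
{
    $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs (not taken from the ticket).
$samples = [
    'plain separators'   => 'message.php?index=1&note=a"b<c',
    'encoded separators' => 'message.php?index=1&amp;note=a&quot;b&lt;c',
    'mixed'              => 'message.php?index=1&amp;note=a"b<c',
];

foreach ($samples as $label => $in) {
    $heuristic  = escape_unless_looks_encoded($in);
    $normalized = escape_normalized($in);

    // Flag any output that still carries a raw quote or angle bracket.
    $raw = preg_match('/["<>]/', $heuristic) ? 'RAW CHARS REMAIN' : 'escaped';

    printf("%s\n  heuristic  (%s): %s\n  normalized: %s\n\n",
        $label, $raw, $heuristic, $normalized);
}
```

The "mixed" sample is the case raised in the reply: one encoded separator is enough for the heuristic to skip escaping the rest of the string, while the decode-then-encode form produces the same escaped output for all three inputs.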