(-)maia-1.0.1/php/settings.php (-6 / +6 lines)
Lines 121-128 Link Here
121
    
121
    
122
    // Pressed the "Update This Address' Settings" button or the
122
    // Pressed the "Update This Address' Settings" button or the
123
    // "Update ALL Addresses' Settings" button
123
    // "Update ALL Addresses' Settings" button
124
    if ($button == $lang['button_update_address'] ||
124
    if (htmlentities($button) == $lang['button_update_address'] ||
125
        $button == $lang['button_update_all_addresses']) {
125
        htmlentities($button) == $lang['button_update_all_addresses']) {
126
126
127
        if (isset($_POST["policy"])) { // actually, I think we prefer not to use this, in favor of what's in the 
127
        if (isset($_POST["policy"])) { // actually, I think we prefer not to use this, in favor of what's in the 
128
            $policy_id = trim($_POST["policy"]); // users.policy_id
128
            $policy_id = trim($_POST["policy"]); // users.policy_id
Lines 310-316 Link Here
310
                                    "spam_kill_level = ? " .
310
                                    "spam_kill_level = ? " .
311
                  "WHERE id = ?";
311
                  "WHERE id = ?";
312
312
313
        if ($button == $lang['button_update_all_addresses']) {
313
        if (htmlentities($button) == $lang['button_update_all_addresses']) {
314
            $select = "SELECT policy_id FROM users WHERE maia_user_id = ? ";
314
            $select = "SELECT policy_id FROM users WHERE maia_user_id = ? ";
315
            $sth = $dbh->query($select, array($euid));
315
            $sth = $dbh->query($select, array($euid));
316
            while ($row = $sth->fetchrow()) {
316
            while ($row = $sth->fetchrow()) {
Lines 356-362 Link Here
356
        $message = $lang['text_settings_updated'];
356
        $message = $lang['text_settings_updated'];
357
357
358
    // Pressed the "Update Miscellaneous Settings" button
358
    // Pressed the "Update Miscellaneous Settings" button
359
    } elseif ($button == $lang['button_update_misc']) {
359
    } elseif (htmlentities($button) == $lang['button_update_misc']) {
360
360
361
        if (isset($_POST["reminder"])) {
361
        if (isset($_POST["reminder"])) {
362
            $reminder = (trim($_POST["reminder"]) == "yes" ? "Y" : "N");
362
            $reminder = (trim($_POST["reminder"]) == "yes" ? "Y" : "N");
Lines 429-435 Link Here
429
429
430
430
431
    // Pressed the "Add E-Mail Address" button
431
    // Pressed the "Add E-Mail Address" button
432
    } elseif ($button == $lang['button_add_email_address']) {
432
    } elseif (htmlentities($button) == $lang['button_add_email_address']) {
433
433
434
        if (isset($_POST["login"])) {
434
        if (isset($_POST["login"])) {
435
            $login = trim($_POST["login"]);
435
            $login = trim($_POST["login"]);
Lines 477-483 Link Here
477
        }
477
        }
478
478
479
    // Pressed the "Update Login Credentials" button
479
    // Pressed the "Update Login Credentials" button
480
    } elseif ($button == $lang['button_change_login_info'] && $auth_method == "internal") {
480
    } elseif (htmlentities($button) == $lang['button_change_login_info'] && $auth_method == "internal") {
481
481
482
        if (isset($_POST["new_login_name"])) {
482
        if (isset($_POST["new_login_name"])) {
483
            $new_login = trim($_POST["new_login_name"]);
483
            $new_login = trim($_POST["new_login_name"]);
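Review bot: On the new lines 124–125, 313, 359, 432 and 480 only the submitted value is passed through `htmlentities()` while `$lang[...]` is compared as stored, so the match holds only if every locale string is kept already entity-encoded (the labels quoted in the comments contain apostrophes, which is presumably what motivated the change); wblist.php in this same patch encodes both sides instead, and welcome.php and xdomainsettings.php use the one-sided form. Whichever convention is chosen should be applied in all four files, and the call should pin its flags and charset, e.g. `htmlentities($button, ENT_QUOTES, 'UTF-8')`, because how `'` and non-ASCII bytes are encoded otherwise depends on the PHP version's defaults, and a mismatch fails silently by leaving the button handler unreached. Since these lines are being rewritten anyway, `===` would avoid PHP's loose string comparison. Where `$button` is assigned is outside the hunk, and the enclosing if/elseif chain begins before line 121.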
(-)maia-1.0.1/php/wblist.php (-2 / +2 lines)
Lines 112-118 Link Here
112
112
113
   // User pressed the "Add to List" button to add an address to the
113
   // User pressed the "Add to List" button to add an address to the
114
   // whitelist or blacklist.
114
   // whitelist or blacklist.
115
   if ($addaddress == $lang['button_add_to_list'])
115
   if (htmlentities($addaddress) == htmlentities($lang['button_add_to_list']))
116
   {
116
   {
117
      if ($newaddr != "") {
117
      if ($newaddr != "") {
118
      	 $list = trim($_POST["list"]);
118
      	 $list = trim($_POST["list"]);
Lines 122-128 Link Here
122
122
123
   // User pressed the "Update" button to modify the whitelist/blacklist
123
   // User pressed the "Update" button to modify the whitelist/blacklist
124
   // settings.
124
   // settings.
125
   elseif ($addchange == $lang['button_update'])
125
   elseif (htmlentities($addchange) == htmlentities($lang['button_update']))
126
   {
126
   {
127
   	  $message = $lang['text_lists_updated'];
127
   	  $message = $lang['text_lists_updated'];
128
      foreach($_POST as $varname => $value)
128
      foreach($_POST as $varname => $value)
(-)maia-1.0.1/php/welcome.php (-2 / +2 lines)
Lines 107-113 Link Here
107
      $maxitemid = 0;
107
      $maxitemid = 0;
108
   }
108
   }
109
   
109
   
110
   if ($button == $lang['button_delete_all_items'])
110
   if (htmlentities($button) == $lang['button_delete_all_items'])
111
   {
111
   {
112
      $select = "SELECT mail_id FROM maia_mail_recipients " .
112
      $select = "SELECT mail_id FROM maia_mail_recipients " .
113
                "WHERE (type = 'S' " .
113
                "WHERE (type = 'S' " .
Lines 128-134 Link Here
128
   }
128
   }
129
   
129
   
130
   
130
   
131
   if ($button == $lang['button_change_protection'] && isset($_POST['protection_level'])) {
131
   if (htmlentities($button) == $lang['button_change_protection'] && isset($_POST['protection_level'])) {
132
    $select = "SELECT policy_id FROM users WHERE maia_user_id = ?"; 
132
    $select = "SELECT policy_id FROM users WHERE maia_user_id = ?"; 
133
    $sth = $dbh->query($select, $euid);
133
    $sth = $dbh->query($select, $euid);
134
 
134
 
(-)maia-1.0.1/php/xdomainsettings.php (-4 / +4 lines)
Lines 87-93 Link Here
87
    require_once ("./locale/$display_language/domainsettings.php"); // shared with domainsettings.php
87
    require_once ("./locale/$display_language/domainsettings.php"); // shared with domainsettings.php
88
88
89
    require_once ("smarty.php");
89
    require_once ("smarty.php");
90
    
90
91
    if (isset($_POST["domain_id"])) {
91
    if (isset($_POST["domain_id"])) {
92
        $domain_id = trim($_POST["domain_id"]);
92
        $domain_id = trim($_POST["domain_id"]);
93
    } else {
93
    } else {
Lines 113-119 Link Here
113
    }
113
    }
114
114
115
    // Pressed the "Update This Domain's Settings" button
115
    // Pressed the "Update This Domain's Settings" button
116
    if ($button == $lang['button_update_domain']) {
116
     if ( htmlentities($button) == $lang['button_update_domain']) {
117
117
118
        $select = "SELECT enable_charts, reminder_threshold_count, " .
118
        $select = "SELECT enable_charts, reminder_threshold_count, " .
119
                         "enable_spamtraps " .
119
                         "enable_spamtraps " .
Lines 335-341 Link Here
335
335
336
        $message = $lang['text_settings_updated'];
336
        $message = $lang['text_settings_updated'];
337
    // Pressed the "Revoke Administrator Privileges" button
337
    // Pressed the "Revoke Administrator Privileges" button
338
    } elseif ($super && ($button == $lang['button_revoke'])) {
338
    } elseif ($super && (htmlentities($button) == $lang['button_revoke'])) {
339
339
340
        // Register the full set of POST variables.
340
        // Register the full set of POST variables.
341
        foreach($_POST as $varname => $value)
341
        foreach($_POST as $varname => $value)
Lines 379-385 Link Here
379
        $message = $lang['text_admins_revoked'];
379
        $message = $lang['text_admins_revoked'];
380
380
381
    // Pressed the "Grant Administrator Privileges" button
381
    // Pressed the "Grant Administrator Privileges" button
382
    } elseif ($super && ($button == $lang['button_grant'])) {
382
    } elseif ($super && (htmlentities($button) == $lang['button_grant'])) {
383
383
384
        // Note that $admins is an array
384
        // Note that $admins is an array
385
        if (isset($_POST["administrators"])) {
385
        if (isset($_POST["administrators"])) {
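Review bot: The new line 116 `     if ( htmlentities($button) == $lang['button_update_domain']) {` shifts the indent from four to five spaces and adds a space after the opening parenthesis, unlike the matching edits on lines 338 and 382 of this file; it should read `    if (htmlentities($button) == $lang['button_update_domain']) {`. The line 90 change in the first hunk only strips trailing whitespace. The if/elseif chain these lines belong to starts and ends outside the hunks.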
