From d249394a37bafafb5a8da054091c531609d9cbac Mon Sep 17 00:00:00 2001
From: Jamie Snape
Date: Wed, 26 Nov 2014 14:27:11 -0500
Subject: [PATCH] Escape variables in mail module

---
 modules/mail/Notification.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/mail/Notification.php b/modules/mail/Notification.php
index fb8feda3d..8bdb71181 100644
--- a/modules/mail/Notification.php
+++ b/modules/mail/Notification.php
@@ -80,14 +80,14 @@ protected function handleSendMailMessage($params)
         }
         $mail = new Midas_Mail();
-        $mail->setFrom($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName));
+        $mail->setFrom(htmlspecialchars($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName), ENT_QUOTES, 'UTF-8'));
         if (isset($params['bcc'])) {
-            $mail->addBcc($params['bcc']);
+            $mail->addBcc(htmlspecialchars($params['bcc'], ENT_QUOTES, 'UTF-8'));
         }
         if (isset($params['cc'])) {
-            $mail->addCc($params['cc']);
+            $mail->addCc(htmlspecialchars($params['cc'], ENT_QUOTES, 'UTF-8'));
         }
         if (isset($params['html'])) {
@@ -95,15 +95,15 @@ protected function handleSendMailMessage($params)
         }
         if (isset($params['subject'])) {
-            $mail->setSubject($params['subject']);
+            $mail->setSubject(htmlspecialchars($params['subject'], ENT_QUOTES, 'UTF-8'));
         }
         if (isset($params['text'])) {
-            $mail->setBodyText($params['text']);
+            $mail->setBodyText(htmlspecialchars($params['text'], ENT_QUOTES, 'UTF-8'));
         }
         if (isset($params['to'])) {
-            $mail->addTo($params['to']);
+            $mail->addTo(htmlspecialchars($params['to'], ENT_QUOTES, 'UTF-8'));
         }
         try {
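Review bot: htmlspecialchars() is the wrong transformation for the address arguments to setFrom(), addBcc() and addCc() in the first hunk (and addTo() in the second): it entity-encodes `&` and `'`, which are legal in the local part of an address, so a valid recipient such as `o'brien@example.org` (constructed example) is turned into `o&#039;brien@example.org` and the message no longer reaches it, while the characters that actually matter in a header field, CR and LF, pass through unchanged. If the goal is to harden these fields, validate rather than HTML-escape, e.g. `$from = $this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName);` followed by `if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) { /* reject: invalid from address */ }`, and apply the same check to the `cc`, `bcc` and `to` values before handing them to the mailer. Midas_Mail may already filter header fields if it wraps a framework mail class, but that cannot be confirmed from this hunk, and the lossy encoding would still remain. handleSendMailMessage() starts before and ends after these hunks.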
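Review bot: setBodyText() receives a text/plain body, not HTML, so the htmlspecialchars() call added around `$params['text']` corrupts content instead of protecting anything: every `&`, `<`, `>` and quote is delivered to the recipient as a literal entity such as `&amp;` or `&#039;`, and the subject line suffers the same visible damage. Entity encoding belongs only on the html branch, which this patch leaves untouched (its body lies between the two hunks; the diffstat's 6 insertions are exactly the six visible replacements). I would revert the body line to `$mail->setBodyText($params['text']);` and, for the subject, strip the line breaks that would allow a header to be split instead of encoding it: `$mail->setSubject(str_replace(["\r", "\n"], '', $params['subject']));`. The enclosing function continues outside this hunk.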