diff --git a/common_config.php b/common_config.php
index c1fd542..0bb5811 100644
--- a/common_config.php
+++ b/common_config.php
@@ -256,7 +256,7 @@ function validate_email_list( array $targets, string &$msg = '' ): string
 		if ( $validator->isValid( $email, new NoRFCWarningsValidation() ) ) {
 			$alias_goto .= ",$email";
 		} else {
-			$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, the email "%s" doesn\' look like a valid email address and thus wasn\'t added to the forwarding list.'), htmlspecialchars( $email ) ) . '</div>';
+			$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, the email "%s" doesn\' look like a valid email address and thus wasn\'t added to the forwarding list.')), htmlspecialchars( $email ) ) . '</div>';
 		}
 	}
 	return ltrim( $alias_goto, ',' );
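Review bot: The `htmlspecialchars(_(…))` wrapper introduced here is repeated verbatim on nearly every output line of both files, and each call relies on PHP's version-dependent default flags (ENT_COMPAT before 8.1, which leaves `'` unescaped). A small helper in this file, `function _h( string $msgid ): string { return htmlspecialchars( _( $msgid ), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }`, pins the flags and charset once and keeps the sprintf sites readable as `sprintf( _h( 'Oops, the email "%s" …' ), htmlspecialchars( $email ) )`; xgettext would then need `--keyword=_h` so the catalogs still pick up the strings. Escaping the format string before sprintf, as this hunk does, is the right order because `%s` is untouched by the escaper. The msgid still reads `doesn' look`; fixing that typo changes the lookup key, so it has to be done together with the .po files rather than in this line.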
@@ -282,7 +282,7 @@ function check_domain_access( string &$email, string &$msg = '' ): bool
 			$managed_domains [] = $tmp[ 'domain' ];
 		}
 		if ( ! in_array( $domain, $managed_domains, true ) ) {
-			$msg .= '<div class="red" role="alert">'._('You are not allowed to manage this domain.').'</div>';
+			$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('You are not allowed to manage this domain.')).'</div>';
 			return false;
 		}
 	}
@@ -293,7 +293,7 @@ function check_email_valid( string $email, string &$msg = '' ): bool
 {
 	$validator = new EmailValidator();
 	if ( ! $validator->isValid( $email, new NoRFCWarningsValidation() ) ) {
-		$msg .= '<div class="red" role="alert">'._('Invalid email address.').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid email address.)').'</div>';
 		return false;
 	}
 	return true;
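Review bot: The new line moves the closing `)` inside the string literal, so the msgid becomes `Invalid email address.)`: gettext no longer matches the existing catalog entry and the untranslated text is shown with a stray `)` at the end. It should read `$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid email address.')).'</div>';`. The function's closing brace lies outside the hunk.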
diff --git a/www/admin.php b/www/admin.php
index 9784cf1..f7c989e 100644
--- a/www/admin.php
+++ b/www/admin.php
@@ -18,7 +18,7 @@ if ( ! empty( $_SESSION[ 'email_admin_user' ] ) ) {
 		$_SESSION = [];
 		session_regenerate_id( true );
 		$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-		$msg .= '<div class="red" role="alert">'._('It looks like your user no longer exists!').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('It looks like your user no longer exists!')).'</div>';
 	}
 }
 if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
@@ -30,17 +30,17 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			$_SESSION = [];
 			session_regenerate_id( true );
 			$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-			$msg .= '<div class="green" role="alert">'._('Successfully logged out').'</div>';
+			$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully logged out')).'</div>';
 		} elseif ( $_POST[ 'action' ] === 'login' ) {
 			if ( empty( $_POST[ 'user' ] ) ) {
 				$ok = false;
-				$msg .= '<div class="red" role="alert">'._('Invalid username').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid username')).'</div>';
 			}
 			$stmt = $db->prepare( 'SELECT username, password, password_hash_type, superadmin FROM admin WHERE username = ? AND active = 1;' );
 			$stmt->execute( [ $_POST[ 'user' ] ] );
 			if ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 				if ( empty( $_POST[ 'pwd' ] ) || ! password_verify( $_POST[ 'pwd' ], $tmp[ 'password' ] ) ) {
-					$msg .= '<div class="red" role="alert">'._('Incorrect username or password').'</div>';
+					$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Incorrect username or password')).'</div>';
 				} else {
 					$_SESSION[ 'email_admin_user' ] = $tmp[ 'username' ];
 					$_SESSION[ 'email_admin_superadmin' ] = (bool) $tmp[ 'superadmin' ];
@@ -52,7 +52,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 					}
 				}
 			} else {
-				$msg .= '<div class="red" role="alert">'._('Incorrect username or password').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Incorrect username or password')).'</div>';
 			}
 		} elseif ( ! empty( $_SESSION[ 'email_admin_user' ] ) ) {
 			if ( $_POST[ 'action' ] === 'update_alias' ) {
@@ -69,72 +69,72 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 				$stmt->execute( [ $alias_goto, $_SESSION[ 'email_admin_user' ] ] );
 
 			} elseif ( $_POST[ 'action' ] === 'delete_admin' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
-				$msg .= '<div class="red" role="alert">'.sprintf(_('Warning: This will permanently delete the admin account "%s". It cannot be reversed. Are you absolutely sure?'), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
+				$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Warning: This will permanently delete the admin account "%s". It cannot be reversed. Are you absolutely sure?')), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
 				$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
 				$msg .= '<input type="hidden" name="admin" value="' . htmlspecialchars( $_POST[ 'admin' ] ) . '">';
-				$msg .= '<button type="submit" name="action" value="delete_admin2">'._('Yes, I want to permanently delete this admin account').'</button></form>';
+				$msg .= '<button type="submit" name="action" value="delete_admin2">'.htmlspecialchars(_('Yes, I want to permanently delete this admin account')).'</button></form>';
 			} elseif ( $_POST[ 'action' ] === 'delete_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
-				$msg .= '<div class="red" role="alert">'.sprintf(_('Warning: This will permanently delete the domain "%s". It cannot be reversed. Are you absolutely sure?'), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
+				$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Warning: This will permanently delete the domain "%s". It cannot be reversed. Are you absolutely sure?')), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
 				$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
 				$msg .= '<input type="hidden" name="domain" value="' . htmlspecialchars( $_POST[ 'domain' ] ) . '">';
-				$msg .= '<button type="submit" name="action" value="delete_domain2">'._('Yes, I want to permanently delete this domain').'</button></form>';
+				$msg .= '<button type="submit" name="action" value="delete_domain2">'.htmlspecialchars(_('Yes, I want to permanently delete this domain')).'</button></form>';
 			} elseif ( $_POST[ 'action' ] === 'delete_alias_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
-				$msg .= '<div class="red" role="alert">'.sprintf(_('Warning: This will permanently delete the alias domain "%s". It cannot be reversed. Are you absolutely sure?'), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
+				$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Warning: This will permanently delete the alias domain "%s". It cannot be reversed. Are you absolutely sure?')), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
 				$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
 				$msg .= '<input type="hidden" name="alias_domain" value="' . htmlspecialchars( $_POST[ 'alias_domain' ] ) . '">';
-				$msg .= '<button type="submit" name="action" value="delete_alias_domain2">'._('Yes, I want to permanently delete this alias domain').'</button></form>';
+				$msg .= '<button type="submit" name="action" value="delete_alias_domain2">'.htmlspecialchars(_('Yes, I want to permanently delete this alias domain')).'</button></form>';
 			} elseif ( $_POST[ 'action' ] === 'delete_alias' && ! empty( $_POST[ 'alias' ] ) ) {
-				$msg .= '<div class="red" role="alert">'.sprintf(_('Warning: This will permanently delete the alias "%s". It cannot be reversed. Are you absolutely sure?'), htmlspecialchars( $_POST[ 'alias' ] ) ).'</div>';
+				$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Warning: This will permanently delete the alias "%s". It cannot be reversed. Are you absolutely sure?')), htmlspecialchars( $_POST[ 'alias' ] ) ).'</div>';
 				$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
 				$msg .= '<input type="hidden" name="alias" value="' . htmlspecialchars( $_POST[ 'alias' ] ) . '">';
-				$msg .= '<button type="submit" name="action" value="delete_alias2">'._('Yes, I want to permanently delete this alias').'</button></form>';
+				$msg .= '<button type="submit" name="action" value="delete_alias2">'.htmlspecialchars(_('Yes, I want to permanently delete this alias')).'</button></form>';
 			} elseif ( $_POST[ 'action' ] === 'delete_mailbox' && ! empty( $_POST[ 'user' ] ) ) {
-				$msg .= '<div class="red" role="alert">'.sprintf(_('Warning: This will permanently delete the mailbox "%s". It cannot be reversed. Are you absolutely sure?'), htmlspecialchars( $_POST[ 'user' ] ) ).'</div>';
+				$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Warning: This will permanently delete the mailbox "%s". It cannot be reversed. Are you absolutely sure?')), htmlspecialchars( $_POST[ 'user' ] ) ).'</div>';
 				$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
 				$msg .= '<input type="hidden" name="user" value="' . htmlspecialchars( $_POST[ 'user' ] ) . '">';
-				$msg .= '<button type="submit" name="action" value="delete_mailbox2">'._('Yes, I want to permanently delete this mailbox').'</button></form>';
+				$msg .= '<button type="submit" name="action" value="delete_mailbox2">'.htmlspecialchars(_('Yes, I want to permanently delete this mailbox')).'</button></form>';
 			} elseif ( $_POST[ 'action' ] === 'delete_admin2' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				if ( $_SESSION[ 'email_admin_user' ] === $_POST[ 'admin' ] ) {
-					$msg .= '<div class="red" role="alert">'._('You can\'t delete your own admin account!').'</div>';
+					$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('You can\'t delete your own admin account!')).'</div>';
 				} else {
 					$stmt = $db->prepare( 'DELETE FROM admin WHERE username = ?;' );
 					$stmt->execute( [ $_POST[ 'admin' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully deleted admin account.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted admin account.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'delete_domain2' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'UPDATE domain SET active = -1 WHERE domain = ?;' );
 				$stmt->execute( [ $_POST[ 'domain' ] ] );
-				$msg .= '<div class="green" role="alert">'._('Successfully deleted domain.').'</div>';
+				$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted domain.')).'</div>';
 			} elseif ( $_POST[ 'action' ] === 'delete_alias_domain2' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'DELETE FROM alias_domain WHERE alias_domain = ?;' );
 				$stmt->execute( [ $_POST[ 'alias_domain' ] ] );
-				$msg .= '<div class="green" role="alert">'._('Successfully deleted alias domain.').'</div>';
+				$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted alias domain.')).'</div>';
 			} elseif ( $_POST[ 'action' ] === 'delete_alias2' && ! empty( $_POST[ 'alias' ] ) ) {
 				if ( check_domain_access( $_POST[ 'alias' ], $msg ) ) {
 					$stmt = $db->prepare( 'DELETE FROM alias WHERE address = ?;' );
 					$stmt->execute( [ $_POST[ 'alias' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully deleted alias.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted alias.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'delete_mailbox2' && ! empty( $_POST[ 'user' ] ) ) {
 				if ( check_domain_access( $_POST[ 'user' ], $msg ) ) {
 					$stmt = $db->prepare( 'UPDATE mailbox SET active = -2 WHERE username = ?;' );
 					$stmt->execute( [ $_POST[ 'user' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully deleted mailbox.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted mailbox.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_edit_admin' && ! empty( $_POST[ 'admin' ] ) && ( $_SESSION[ 'email_admin_superadmin' ] || $_POST[ 'admin' ] === $_SESSION[ 'email_admin_user' ] ) ) {
 				$stmt = $db->prepare( 'SELECT null FROM admin WHERE username = ?;' );
 				$stmt->execute( [ $_POST[ 'admin' ] ] );
 				if ( ! $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the admin account "%s" doesn\'t exist.'), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the admin account "%s" doesn\'t exist.')), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
 				} else {
 					if ( ! empty( $_POST[ 'pass_update' ] ) ) {
 						if ( empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) {
-							$msg .= '<div class="red" role="alert">'._('Passwords don\'t match!').'</div>';
+							$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Passwords don\'t match!')).'</div>';
 						} else {
 							$hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID );
 							$stmt = $db->prepare( 'UPDATE admin SET password_hash_type = "{ARGON2ID}", password = ?, modified = NOW() WHERE username = ?;' );
 							$stmt->execute( [ $hash, $_POST[ 'admin' ] ] );
-							$msg .= '<div class="green" role="alert">'._('Successfully updated password.').'</div>';
+							$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated password.')).'</div>';
 						}
 					}
 					if ( $_SESSION[ 'email_admin_superadmin' ] ) {
@@ -163,52 +163,52 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 							}
 						}
 					}
-					$msg .= '<div class="green" role="alert">'._('Successfully edited admin account.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully edited admin account.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_new_admin' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'SELECT null FROM admin WHERE username = ?;' );
 				$stmt->execute( [ $_POST[ 'admin' ] ] );
 				if ( $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the admin account "%s" already exists.'), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the admin account "%s" already exists.')), htmlspecialchars( $_POST[ 'admin' ] ) ).'</div>';
 				} else {
 					if ( empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) {
-						$msg .= '<div class="red" role="alert">'._('Passwords empty or don\'t match').'</div>';
+						$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Passwords empty or don\'t match')).'</div>';
 					} else {
 						$hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID );
 						$active = isset( $_POST[ 'active' ] ) ? 1 : 0;
 						$superadmin = isset( $_POST[ 'superadmin' ] ) ? 1 : 0;
 						$stmt = $db->prepare( 'INSERT INTO admin (password_hash_type, password, superadmin, active, username, created, modified) VALUES ("{ARGON2ID}", ?, ?, ?, ?, NOW(), NOW());' );
 						$stmt->execute( [ $hash, $superadmin, $active, $_POST[ 'admin' ] ] );
-						$msg .= '<div class="green" role="alert">'._('Successfully created admin account.').'</div>';
+						$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully created admin account.')).'</div>';
 					}
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_edit_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ?;' );
 				$stmt->execute( [ $_POST[ 'domain' ] ] );
 				if ( ! $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the domain "%s" doesn\'t exists.'), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the domain "%s" doesn\'t exists.')), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
 				} else {
 					$active = isset( $_POST[ 'active' ] ) ? 1 : 0;
 					$stmt = $db->prepare( 'UPDATE domain set active = ?, modified = NOW() WHERE domain = ?;' );
 					$stmt->execute( [ $active, $_POST[ 'domain' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully updated domain.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated domain.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_edit_alis_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'SELECT null FROM alias_domain WHERE alias_domain = ?;' );
 				$stmt->execute( [ $_POST[ 'alias_domain' ] ] );
 				if ( ! $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the alias domain "%s" doesn\'t exists.'), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the alias domain "%s" doesn\'t exists.')), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
 				} else {
 					$active = isset( $_POST[ 'active' ] ) ? 1 : 0;
 					$stmt = $db->prepare( 'UPDATE alias_domain set active = ?, modified = NOW() WHERE alias_domain = ?;' );
 					$stmt->execute( [ $active, $_POST[ 'alias_domain' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully updated alias domain.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated alias domain.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_new_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ? UNION SELECT null FROM alias_domain WHERE alias_domain = ?;' );
 				$stmt->execute( [ $_POST[ 'domain' ], $_POST[ 'domain' ] ] );
 				if ( $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the domain "%s" already exists.'), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the domain "%s" already exists.')), htmlspecialchars( $_POST[ 'domain' ] ) ).'</div>';
 				} else {
 					$ascii_domain = idn_to_ascii($_POST['domain'], IDNA_NONTRANSITIONAL_TO_ASCII);
 					$utf8_domain = idn_to_utf8($_POST['domain'], IDNA_NONTRANSITIONAL_TO_UNICODE);
@@ -219,13 +219,13 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						$stmt = $db->prepare( 'INSERT INTO alias_domain (active, alias_domain, target_domain, created, modified) VALUES (1, ?, ?, NOW(), NOW());' );
 						$stmt->execute( [ $ascii_domain, $utf8_domain ] );
 					}
-					$msg .= '<div class="green" role="alert">'._('Successfully created domain.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully created domain.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_new_alias_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 				$stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ? UNION SELECT null FROM alias_domain WHERE alias_domain = ?;' );
 				$stmt->execute( [ $_POST[ 'alias_domain' ], $_POST[ 'alias_domain' ] ] );
 				if ( $stmt->fetch() ) {
-					$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the alias domain "%s" already exists.'), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
+					$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the alias domain "%s" already exists.')), htmlspecialchars( $_POST[ 'alias_domain' ] ) ).'</div>';
 				} else {
 					$ascii_domain = idn_to_ascii($_POST['alias_domain'], IDNA_NONTRANSITIONAL_TO_ASCII);
 					$utf8_domain = idn_to_utf8($_POST['alias_domain'], IDNA_NONTRANSITIONAL_TO_UNICODE);
@@ -236,7 +236,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						$stmt = $db->prepare( 'INSERT INTO alias_domain (active, alias_domain, target_domain, created, modified) VALUES (?, ?, ?, NOW(), NOW());' );
 						$stmt->execute( [ $active, $ascii_domain, $_POST[ 'target_domain' ] ] );
 					}
-					$msg .= '<div class="green" role="alert">'._('Successfully created alias domain.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully created alias domain.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_new_alias' && ! empty( $_POST[ 'alias' ] ) && ! empty( $_POST[ 'target' ] ) ) {
 				$ok = check_email_valid( $_POST[ 'alias' ], $msg );
@@ -249,7 +249,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 					$stmt = $db->prepare( 'SELECT null FROM alias WHERE address = ?;' );
 					$stmt->execute( [ $_POST[ 'alias' ] ] );
 					if ( $stmt->fetch() ) {
-						$msg .= '<div class="red" role="alert">'.sprintf(_('Oops, it looks like the alias "%s" already exists.'), htmlspecialchars( $_POST[ 'alias' ] ) ).'</div>';
+						$msg .= '<div class="red" role="alert">'.sprintf(htmlspecialchars(_('Oops, it looks like the alias "%s" already exists.')), htmlspecialchars( $_POST[ 'alias' ] ) ).'</div>';
 					} else {
 						$parser = new EmailParser( new EmailLexer() );
 						$parser->parse( $_POST[ 'alias' ] );
@@ -258,7 +258,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						$enforce_tls_in = isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0;
 						$stmt = $db->prepare( 'INSERT INTO alias (goto, address, domain, active, created, modified, enforce_tls_in) VALUES (?, ?, ?, ?, NOW(), NOW(), ?);' );
 						$stmt->execute( [ $alias_goto, $_POST[ 'alias' ], $domain, $active, $enforce_tls_in ] );
-						$msg .= '<div class="green" role="alert">'._('Successfully added alias.').'</div>';
+						$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully added alias.')).'</div>';
 					}
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_edit_alias' && ! empty( $_POST[ 'alias' ] ) && ! empty( $_POST[ 'target' ] ) ) {
@@ -273,7 +273,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 					$enforce_tls_in = isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0;
 					$stmt = $db->prepare( 'UPDATE alias SET goto = ?, active = ?, enforce_tls_in = ?, modified = NOW() WHERE address = ?;' );
 					$stmt->execute( [ $alias_goto, $active, $enforce_tls_in, $_POST[ 'alias' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully updated alias.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated alias.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_edit_mailbox' && ! empty( $_POST[ 'user' ] ) ) {
 				$ok = check_email_valid( $_POST[ 'user' ], $msg );
@@ -295,7 +295,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 					$stmt->execute( [ $alias_goto, ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ), $_POST[ 'user' ] ] );
 					$stmt = $db->prepare( 'UPDATE mailbox SET enforce_tls_in = ?, enforce_tls_out = ?, active = ?, quota = ?, modified = NOW() WHERE username = ?;' );
 					$stmt->execute( [ ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ), $quota, $_POST[ 'user' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully updated mailbox.').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated mailbox.')).'</div>';
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_new_mailbox' && ! empty( $_POST[ 'user' ] ) ) {
 				$email = $_POST[ 'user' ];
@@ -308,7 +308,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 					$stmt->execute( [ $email, $email ] );
 					if ( $stmt->fetch() ) {
 						$ok = false;
-						$msg .= '<div class="red" role="alert">'._('Sorry, this user already exists').'</div>';
+						$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Sorry, this user already exists')).'</div>';
 					}
 					if ( $ok ) {
 						$parser = new EmailParser( new EmailLexer() );
@@ -330,7 +330,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						$stmt->execute( [ $email, $alias_goto, $domain, ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ) ] );
 						$stmt = $db->prepare( 'INSERT INTO mailbox (username, password, quota, local_part, domain, created, modified, password_hash_type, openpgpkey_wkd, enforce_tls_in, enforce_tls_out, active) VALUES(?, ?, ?, ?, ?, NOW(), NOW(), ?, ?, ?, ?, ?);' );
 						$stmt->execute( [ $email, $hash, $quota, $user, $domain, '{ARGON2ID}', z_base32_encode( hash( 'sha1', mb_strtolower( $user ), true ) ), ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ) ] );
-						$msg .= '<div class="green" role="alert">'._('Successfully created new mailbox!').'</div>';
+						$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully created new mailbox!')).'</div>';
 					}
 				}
 			} elseif ( $_POST[ 'action' ] === 'save_password_mailbox' && ! empty( $_POST[ 'user' ] ) ) {
@@ -340,12 +340,12 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 				}
 				if ( $ok ) {
 					if ( empty( $_POST[ 'pass_update' ] ) || empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) {
-						$msg .= '<div class="red" role="alert">'._('Passwords empty or don\'t match').'</div>';
+						$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Passwords empty or don\'t match')).'</div>';
 					} else {
 						$hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID );
 						$stmt = $db->prepare( 'UPDATE mailbox SET password_hash_type = "{ARGON2ID}", password = ? WHERE username = ?;' );
 						$stmt->execute( [ $hash, $_POST[ 'user' ] ] );
-						$msg .= '<div class="green" role="alert">'._('Successfully updated password').'</div>';
+						$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated password')).'</div>';
 					}
 				}
 			} elseif ( $_POST[ 'action' ] === 'disable_tfa_mailbox' && ! empty( $_POST[ 'user' ] ) ) {
@@ -356,7 +356,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 				if ( $ok ) {
 					$stmt = $db->prepare( 'UPDATE mailbox SET tfa = 0 WHERE username = ?;' );
 					$stmt->execute( [ $_POST[ 'user' ] ] );
-					$msg .= '<div class="green" role="alert">'._('Successfully disabled two-factor authentication').'</div>';
+					$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully disabled two-factor authentication')).'</div>';
 				}
 			}
 		}
@@ -366,37 +366,37 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 <!DOCTYPE html>
     <html lang="<?php echo $language; ?>" dir="<?php echo $dir; ?>">
     <head>
-        <title><?php echo _('E-Mail and XMPP - Admin management'); ?></title>
+        <title><?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?></title>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
         <meta name="author" content="Daniel Winzen">
         <meta name="viewport" content="width=device-width, initial-scale=1">
-        <meta name="description" content="<?php echo _('Lets domain owners manage their email domain and user accounts.'); ?>">
+        <meta name="description" content="<?php echo htmlspecialchars(_('Lets domain owners manage their email domain and user accounts.')); ?>">
         <link rel="canonical" href="<?php echo CANONICAL_URL; ?>admin.php">
         <link rel="alternate" href="<?php echo CANONICAL_URL; ?>admin.php" hreflang="x-default">
 	    <?php alt_links(); ?>
         <meta property="og:type" content="website">
-        <meta property="og:title" content="<?php echo _('E-Mail and XMPP - Admin management'); ?>">
-        <meta property="og:description" content="<?php echo _('Lets domain owners manage their email domain and user accounts.'); ?>">
+        <meta property="og:title" content="<?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?>">
+        <meta property="og:description" content="<?php echo htmlspecialchars(_('Lets domain owners manage their email domain and user accounts.')); ?>">
         <meta property="og:url" content="<?php echo CANONICAL_URL; ?>admin.php">
         <meta property="og:locale" content="<?php echo $locale; ?>">
-        <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo _('E-Mail and XMPP - Admin management'); ?>", "description": "<?php echo _('Lets domain owners manage their email domain and user accounts.'); ?>"}</script>
+        <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?>", "description": "<?php echo htmlspecialchars(_('Lets domain owners manage their email domain and user accounts.')); ?>"}</script>
     </head>
     <body>
-	<main><h1><?php echo _('E-Mail and XMPP - Admin management'); ?></h1>
+	<main><h1><?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?></h1>
         <?php
 		if ( ! empty( $_SESSION[ 'email_admin_user' ] ) ) { ?>
         <form method="post"><input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
-        <p><?php printf(_('Logged in as %s'), htmlspecialchars( $_SESSION[ 'email_admin_user' ] ) ); ?> |
-            <button name="action" value="logout" type="submit"><?php echo _('Logout'); ?></button><?php
+        <p><?php printf(htmlspecialchars(_('Logged in as %s')), htmlspecialchars( $_SESSION[ 'email_admin_user' ] ) ); ?> |
+            <button name="action" value="logout" type="submit"><?php echo htmlspecialchars(_('Logout')); ?></button><?php
 			if ( $_SESSION[ 'email_admin_superadmin' ] ) {
-				?> | <a href="?action=admins"><?php echo _('Manage admins'); ?></a><?php
-				?> | <a href="?action=alias_domains"><?php echo _('Manage alias domains'); ?></a><?php
+				?> | <a href="?action=admins"><?php echo htmlspecialchars(_('Manage admins')); ?></a><?php
+				?> | <a href="?action=alias_domains"><?php echo htmlspecialchars(_('Manage alias domains')); ?></a><?php
 			} else {
-				?> | <a href="?action=edit_admin"><?php echo _('Manage your admin account'); ?></a><?php
+				?> | <a href="?action=edit_admin"><?php echo htmlspecialchars(_('Manage your admin account')); ?></a><?php
 			}
-			?> | <a href="?action=domains"><?php echo _('Manage domains'); ?></a><?php
-			?> | <a href="?action=alias"><?php echo _('Manage aliases'); ?></a><?php
-			?> | <a href="?action=mailbox"><?php echo _('Manage mailboxes'); ?></a><?php
+			?> | <a href="?action=domains"><?php echo htmlspecialchars(_('Manage domains')); ?></a><?php
+			?> | <a href="?action=alias"><?php echo htmlspecialchars(_('Manage aliases')); ?></a><?php
+			?> | <a href="?action=mailbox"><?php echo htmlspecialchars(_('Manage mailboxes')); ?></a><?php
 			?></p></form><?php
 	}
 	echo "<p>$msg</p>";
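Review bot: `htmlspecialchars` is the wrong escaper for the JSON-LD values inside `<script type="application/ld+json">`: browsers do not decode entities in script content, so a translation containing `"` or `&` would now emit `&quot;`/`&amp;` literally and yield invalid JSON, while a backslash or control character in a translation would still break the string. Build the object with the JSON encoder instead, e.g. `<script type="application/ld+json"><?php echo json_encode( [ '@context' => 'https://schema.org', '@type' => 'WebPage', 'name' => _('E-Mail and XMPP - Admin management'), 'description' => _('Lets domain owners manage their email domain and user accounts.') ], JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES ); ?></script>`, where `JSON_HEX_TAG` keeps a `</script>` in a translation from terminating the block. The other `htmlspecialchars` calls in the hunk (`<title>`, `content="…"` attributes, headings, links and buttons) are in the right context. `$language`, `$dir` and `$locale` are still echoed raw into attributes; presumably they come from an allow-list in common_config, but that is not visible here.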
@@ -404,22 +404,22 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <div class="row">
-                <div class="col"><label for="user"><?php echo _('Username'); ?></label></div>
+                <div class="col"><label for="user"><?php echo htmlspecialchars(_('Username')); ?></label></div>
                 <div class="col"><input type="text" name="user" id="user" autocomplete="username" required></div>
             </div>
             <div class="row">
-                <div class="col"><label for="pwd"><?php echo _('Password'); ?></label></div>
+                <div class="col"><label for="pwd"><?php echo htmlspecialchars(_('Password')); ?></label></div>
                 <div class="col"><input type="password" name="pwd" id="pwd" autocomplete="new-password" required></div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="login" type="submit"><?php echo _('Login'); ?></button>
+                    <button name="action" value="login" type="submit"><?php echo htmlspecialchars(_('Login')); ?></button>
                 </div>
             </div>
         </form>
 	<?php } else {
 		if ( empty( $_REQUEST[ 'action' ] ) || $_REQUEST[ 'action' ] === 'login' ) {
-			?><p><?php echo _('Welcome to the admin management interface. You can configure your domain(s) and accounts here. Please select an option from the menu.'); ?></p><?php
+			?><p><?php echo htmlspecialchars(_('Welcome to the admin management interface. You can configure your domain(s) and accounts here. Please select an option from the menu.')); ?></p><?php
 		} elseif ( in_array( $_REQUEST[ 'action' ], [ 'admins', 'delete_admin2' ], true ) && $_SESSION[ 'email_admin_superadmin' ] ) {
 			send_manage_admins();
 		} elseif ( in_array( $_REQUEST[ 'action' ], [ 'domains', 'delete_domain2' ], true ) ) {
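Review bot: Every new `htmlspecialchars()` call in this hunk (the Username/Password labels, the Login button, the welcome paragraph) relies on the default flags, which differ by PHP version: before 8.1 the default is ENT_COMPAT, leaving single quotes unescaped, and without ENT_SUBSTITUTE a translation containing an invalid UTF-8 sequence makes the call return an empty string, silently blanking the label. Since the point of the commit is to make catalogue text safe whatever it contains, pin the behaviour once in a small helper, `function esc( string $s ): string { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }`, and use it at every site. Separately, the login form's password input keeps `autocomplete="new-password"` (context line); on a login form that hint stops password managers from filling the stored credential, so `autocomplete="current-password"` is the right value. The `$_SESSION[ 'csrf_token' ]` value in the hidden input is still echoed raw; presumably a hex digest, but routing it through the same escaper costs nothing and keeps the rule uniform.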
@@ -451,7 +451,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 		} elseif ( in_array( $_REQUEST[ 'action' ], [ 'edit_mailbox', 'save_edit_mailbox', 'save_password_mailbox', 'disable_tfa_mailbox' ], true ) ) {
 			send_edit_mailbox();
 		} elseif ( empty( $msg ) ) {
-			?><p><?php echo _('Oops, it looks like the page you tried to access does not exist or you do not have permission to access it.') ?></p><?php
+			?><p><?php echo htmlspecialchars(_('Oops, it looks like the page you tried to access does not exist or you do not have permission to access it.')) ?></p><?php
 		}
 	} ?>
     </main>
@@ -464,26 +464,23 @@ function send_manage_admins(): void
 	$db = get_db_instance();
 	$stmt = $db->query( 'SELECT username, modified, active FROM admin;' );
 	?>
-    <p><a href="?action=new_admin"><?php echo _('Create new admin'); ?></a></p>
+    <p><a href="?action=new_admin"><?php echo htmlspecialchars(_('Create new admin')); ?></a></p>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <input type="hidden" name="action" value="edit_admin">
         <div class="row">
-            <div class="col"><?php echo _('Admin'); ?></div>
-            <div class="col"><?php echo _('Active'); ?></div>
-            <div class="col"><?php echo _('Last modified'); ?></div>
-            <div class="col"><?php echo _('Edit account'); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Admin')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Active')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Last modified')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Edit account')); ?></div>
         </div>
 		<?php
 		while ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
-			$active = 'Disabled';
-			if ( $tmp[ 'active' ] === 1 ) {
-				$active = 'Active';
-			}
-			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'username' ] ) . '</div><div class="col">' . $active . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="admin" value="' . htmlspecialchars( $tmp[ 'username' ] ) . '">'._('Edit').'</button></div></div>';
+			$active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled');
+			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'username' ] ) . '</div><div class="col">' . htmlspecialchars($active) . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="admin" value="' . htmlspecialchars( $tmp[ 'username' ] ) . '">'.htmlspecialchars(_('Edit')).'</button></div></div>';
 		}
 		?></form>
-    <p><a href="?action=new_admin"><?php echo _('Create new admin'); ?></a></p>
+    <p><a href="?action=new_admin"><?php echo htmlspecialchars(_('Create new admin')); ?></a></p>
 	<?php
 }
 
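Review bot: `$tmp[ 'modified' ]` is the one cell in the admin listing echo that still goes into the page unescaped, while the commit wraps every other piece of that same line in htmlspecialchars(). It is a database timestamp and presumably harmless, but the invariant this commit is establishing is "nothing reaches the output unescaped", so make it `'<div class="col">' . htmlspecialchars( $tmp[ 'modified' ] ) . '</div>'`. The rewritten `$active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled');` keeps the strict `=== 1`, which only matches when PDO hands the column back as an int; PHP 8.1 with mysqlnd does that for `query()` results, but older setups return strings and would show every admin as Disabled, so worth confirming the target version.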
@@ -495,48 +492,48 @@ function send_edit_admin(): void
 	$stmt->execute( [ $admin ] );
 	if ( $admin = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 		?>
-        <h2><?php printf(_('Edit admin account %s'), htmlspecialchars( $admin[ 'username' ] ) ); ?></h2>
+        <h2><?php printf(htmlspecialchars(_('Edit admin account %s')), htmlspecialchars( $admin[ 'username' ] ) ); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="admin" value="<?php echo htmlspecialchars( $admin[ 'username' ] ); ?>"
                    autocomplete="username">
             <div class="row">
-                <div class="col"><label for="pass_update"><?php echo _('Password'); ?></label></div>
+                <div class="col"><label for="pass_update"><?php echo htmlspecialchars(_('Password')); ?></label></div>
                 <div class="col"><input type="password" name="pass_update" id="pass_update" autocomplete="new-password">
                 </div>
             </div>
             <div class="row">
-                <div class="col"><label for="pass_update2"><?php echo _('Password again'); ?></label></div>
+                <div class="col"><label for="pass_update2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
                 <div class="col"><input type="password" name="pass_update2" id="pass_update2"
                                         autocomplete="new-password"></div>
             </div>
 			<?php if ( $admin[ 'username' ] !== $_SESSION[ 'email_admin_user' ] ) { ?>
                 <div class="row">
                     <div class="col"><label><input type="checkbox" name="superadmin"
-                                                   value="1"<?php echo $admin[ 'superadmin' ] ? ' checked' : ''; ?>><?php echo _('Superadmin'); ?></label>
+                                                   value="1"<?php echo $admin[ 'superadmin' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Superadmin')); ?></label>
                     </div>
-                    <div class="col"><?php echo _('Superadmins can manage other admins'); ?></div>
+                    <div class="col"><?php echo htmlspecialchars(_('Superadmins can manage other admins')); ?></div>
                 </div>
                 <div class="row">
                     <div class="col"><label><input type="checkbox" name="active"
-                                                   value="1"<?php echo $admin[ 'active' ] ? ' checked' : ''; ?>><?php echo _('Active'); ?></label>
+                                                   value="1"<?php echo $admin[ 'active' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Active')); ?></label>
                     </div>
                 </div>
 			<?php } else { ?>
                 <div class="row">
                     <div class="col"><label><input type="checkbox" name="superadmin"
                                                    value="1"<?php echo $admin[ 'superadmin' ] ? ' checked' : ''; ?>
-                                                   disabled><?php echo _('Superadmin'); ?></label></div>
-                    <div class="col"><?php echo _('Superadmins can manage other admins'); ?></div>
+                                                   disabled><?php echo htmlspecialchars(_('Superadmin')); ?></label></div>
+                    <div class="col"><?php echo htmlspecialchars(_('Superadmins can manage other admins')); ?></div>
                 </div>
                 <div class="row">
                     <div class="col"><label><input type="checkbox" name="active"
                                                    value="1"<?php echo $admin[ 'active' ] ? ' checked' : ''; ?>
-                                                   disabled><?php echo _('Active'); ?></label></div>
+                                                   disabled><?php echo htmlspecialchars(_('Active')); ?></label></div>
                 </div>
 			<?php } ?>
             <div class="row">
-                <div class="col"><label for="domains"><?php echo _('Managed domains'); ?></label></div>
+                <div class="col"><label for="domains"><?php echo htmlspecialchars(_('Managed domains')); ?></label></div>
                 <div class="col"><select name="domains[]" id="domains" multiple><?php
 						$domains = [];
 						$managed_domains = [];
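Review bot: The self-edit branch only greys out the Superadmin and Active checkboxes with `disabled`, which is a client-controlled hint; whether `save_edit_admin` also ignores `superadmin`/`active` when `$_POST['admin']` equals the session user is not visible in this hunk and should be confirmed, because a non-superadmin reaches `edit_admin` for their own account and could re-enable the control and submit `superadmin=1`. The new `printf(htmlspecialchars(_('Edit admin account %s')), htmlspecialchars( $admin[ 'username' ] ))` escapes the format string and the argument separately, which is the correct order. A nit: `autocomplete="username"` on the hidden `admin` input has no effect and can be dropped. send_edit_admin continues past the end of this hunk.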
@@ -556,53 +553,53 @@ function send_edit_admin(): void
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_edit_admin" type="submit"><?php echo _('Save changes'); ?></button>
+                    <button name="action" value="save_edit_admin" type="submit"><?php echo htmlspecialchars(_('Save changes')); ?></button>
                 </div>
             </div>
 			<?php if ( $admin[ 'username' ] !== $_SESSION[ 'email_admin_user' ] ) { ?>
                 <div class="row">
                     <div class="col">
-                        <button type="submit" name="action" value="delete_admin"><?php echo _('Delete admin'); ?></button>
+                        <button type="submit" name="action" value="delete_admin"><?php echo htmlspecialchars(_('Delete admin')); ?></button>
                     </div>
                 </div>
 			<?php } ?>
         </form>
 		<?php
 	} else {
-		echo '<p>'._('Oops, this admin doesn\'t seem to exist.') . '</p>';
+		echo '<p>'.htmlspecialchars(_('Oops, this admin doesn\'t seem to exist.')) . '</p>';
 	}
 }
 
 function send_new_admin(): void
 {
 	?>
-    <h2><?php echo _('Create new admin account'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Create new admin account')); ?></h2>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="admin"><?php echo _('Username'); ?></label></div>
+            <div class="col"><label for="admin"><?php echo htmlspecialchars(_('Username')); ?></label></div>
             <div class="col"><input type="text" name="admin" id="admin" autocomplete="username"></div>
         </div>
         <div class="row">
-            <div class="col"><label for="pass_update"><?php echo _('Password'); ?></label></div>
+            <div class="col"><label for="pass_update"><?php echo htmlspecialchars(_('Password')); ?></label></div>
             <div class="col"><input type="password" name="pass_update" id="pass_update" autocomplete="new-password">
             </div>
         </div>
         <div class="row">
-            <div class="col"><label for="pass_update2"><?php echo _('Password again'); ?></label></div>
+            <div class="col"><label for="pass_update2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
             <div class="col"><input type="password" name="pass_update2" id="pass_update2" autocomplete="new-password">
             </div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="superadmin" value="1"><?php echo _('Superadmin'); ?></label></div>
-            <div class="col"><?php echo _('Superadmins can manage other admins'); ?></div>
+            <div class="col"><label><input type="checkbox" name="superadmin" value="1"><?php echo htmlspecialchars(_('Superadmin')); ?></label></div>
+            <div class="col"><?php echo htmlspecialchars(_('Superadmins can manage other admins')); ?></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo _('Active'); ?></label></div>
+            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo htmlspecialchars(_('Active')); ?></label></div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="save_new_admin" type="submit"><?php echo _('Add admin'); ?></button>
+                <button name="action" value="save_new_admin" type="submit"><?php echo htmlspecialchars(_('Add admin')); ?></button>
             </div>
         </div>
     </form>
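Review bot: The new-admin form has no `required` on the username or either password input, unlike the login form earlier in this file, so an empty submit goes straight to `save_new_admin` and relies entirely on server-side validation this hunk does not show. Adding `required` to `name="admin"`, `pass_update` and `pass_update2` (plus `minlength` if the server enforces a minimum) gives the same early feedback without moving the security boundary. The tail of send_edit_admin in this hunk differs only in escaping and looks fine.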
@@ -615,30 +612,30 @@ function send_manage_domains(): void
 	$stmt = $db->query( 'SELECT domain, modified, active FROM domain;' );
 	if ( $_SESSION[ 'email_admin_superadmin' ] ) {
 		?>
-        <p><a href="?action=new_domain"><?php echo _('Create new domain'); ?></a></p>
+        <p><a href="?action=new_domain"><?php echo htmlspecialchars(_('Create new domain')); ?></a></p>
 	<?php } ?>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <input type="hidden" name="action" value="edit_domain">
         <div class="row">
-            <div class="col"><?php echo _('Domain'); ?></div>
-            <div class="col"><?php echo _('Active'); ?></div>
-            <div class="col"><?php echo _('Last modified'); ?></div>
-            <div class="col"><?php echo _('Edit domain'); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Domain')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Active')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Last modified')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Edit domain')); ?></div>
         </div>
 		<?php
 		while ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
-			$active = 'Disabled';
+			$active = _('Disabled');
 			if ( $tmp[ 'active' ] === 1 ) {
-				$active = 'Active';
+				$active = _('Active');
 			} elseif ( $tmp[ 'active' ] === -1 ) {
-				$active = 'Deleting';
+				$active = _('Deleting');
 			}
-			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'domain' ] ) . '</div><div class="col">' . $active . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="domain" value="' . htmlspecialchars( $tmp[ 'domain' ] ) . '">'._('Edit').'</button></div></div>';
+			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'domain' ] ) . '</div><div class="col">' . htmlspecialchars($active) . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="domain" value="' . htmlspecialchars( $tmp[ 'domain' ] ) . '">'.htmlspecialchars(_('Edit')).'</button></div></div>';
 		}
 		?></form>
 	<?php if ( $_SESSION[ 'email_admin_superadmin' ] ) { ?>
-    <p><a href="?action=new_domain"><?php echo _('Create new domain'); ?></a></p>
+    <p><a href="?action=new_domain"><?php echo htmlspecialchars(_('Create new domain')); ?></a></p>
 	<?php
 }
 }
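Review bot: The three-way status mapping in send_manage_domains is now translated but keeps the if/elseif chain, while this same commit rewrote the two-way case in send_manage_admins as a ternary; if the project targets PHP 8, a `match` states it most directly: `$active = match ( $tmp[ 'active' ] ) { 1 => _('Active'), -1 => _('Deleting'), default => _('Disabled') };`. As in the other listings, `$tmp[ 'modified' ]` is the only value in the row echo still concatenated without htmlspecialchars(); wrap it too so the row is uniformly escaped.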
@@ -646,19 +643,19 @@ function send_manage_domains(): void
 function send_new_domain(): void
 {
 	?>
-    <h2><?php echo _('Create new domain'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Create new domain')); ?></h2>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="domain"><?php echo _('Domain'); ?></label></div>
+            <div class="col"><label for="domain"><?php echo htmlspecialchars(_('Domain')); ?></label></div>
             <div class="col"><input type="text" name="domain" id="domain"></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo _('Active'); ?></label></div>
+            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo htmlspecialchars(_('Active')); ?></label></div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="save_new_domain" type="submit"><?php echo _('Add domain'); ?></button>
+                <button name="action" value="save_new_domain" type="submit"><?php echo htmlspecialchars(_('Add domain')); ?></button>
             </div>
         </div>
     </form>
@@ -672,29 +669,29 @@ function send_edit_domain(): void
 	$stmt->execute( [ $_POST[ 'domain' ] ] );
 	if ( $admin = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 		?>
-        <h2><?php printf(_('Edit domain %s'), htmlspecialchars( $_POST[ 'domain' ] ) ); ?></h2>
+        <h2><?php printf(htmlspecialchars(_('Edit domain %s')), htmlspecialchars( $_POST[ 'domain' ] ) ); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="domain" value="<?php echo htmlspecialchars( $_POST[ 'domain' ] ); ?>">
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="active"
-                                               value="1"<?php echo $admin[ 'active' ] ? ' checked' : ''; ?>><?php echo _('Active'); ?></label>
+                                               value="1"<?php echo $admin[ 'active' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Active')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_edit_domain" type="submit"><?php echo _('Save changes'); ?></button>
+                    <button name="action" value="save_edit_domain" type="submit"><?php echo htmlspecialchars(_('Save changes')); ?></button>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button type="submit" name="action" value="delete_domain"><?php echo _('Delete domain'); ?></button>
+                    <button type="submit" name="action" value="delete_domain"><?php echo htmlspecialchars(_('Delete domain')); ?></button>
                 </div>
             </div>
         </form>
 		<?php
 	} else {
-		echo '<p>'._('Oops, this admin doesn\'t seem to exist.').'</p>';
+		echo '<p>'.htmlspecialchars(_('Oops, this admin doesn\'t seem to exist.')).'</p>';
 	}
 }
 
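Review bot: The not-found branch of send_edit_domain still prints `_('Oops, this admin doesn\'t seem to exist.')` although the row it failed to find is a domain; the commit wrapped the string in htmlspecialchars() without fixing the copy-paste, so change it to `echo '<p>'.htmlspecialchars(_('Oops, this domain doesn\'t seem to exist.')).'</p>';` and add the new msgid to the catalogue. The local that receives the fetched domain row is also named `$admin`, which is how the wrong message slipped through; renaming it to `$domain_row` would prevent a repeat. The lookup by `$_POST[ 'domain' ]` at the top of the hunk has no visible check that the logged-in admin manages that domain; if that check lives in the router or the save handler it is outside this hunk.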
@@ -704,29 +701,26 @@ function send_manage_alias_domains(): void
 	$stmt = $db->query( 'SELECT alias_domain, target_domain, modified, active FROM alias_domain;' );
 	if ( $_SESSION[ 'email_admin_superadmin' ] ) {
 		?>
-        <p><a href="?action=new_alias_domain"><?php echo _('Create new alias domain'); ?></a></p>
+        <p><a href="?action=new_alias_domain"><?php echo htmlspecialchars(_('Create new alias domain')); ?></a></p>
 	<?php } ?>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <input type="hidden" name="action" value="edit_alias_domain">
         <div class="row">
-            <div class="col"><?php echo _('Alias Domain'); ?></div>
-            <div class="col"><?php echo _('Target Domain'); ?></div>
-            <div class="col"><?php echo _('Active'); ?></div>
-            <div class="col"><?php echo _('Last modified'); ?></div>
-            <div class="col"><?php echo _('Edit alias domain'); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Alias Domain')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Target Domain')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Active')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Last modified')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Edit alias domain')); ?></div>
         </div>
 		<?php
 		while ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
-			$active = 'Disabled';
-			if ( $tmp[ 'active' ] === 1 ) {
-				$active = 'Active';
-			}
-			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '</div><div class="col">' . htmlspecialchars( $tmp[ 'target_domain' ] ) . '</div><div class="col">' . $active . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="alias_domain" value="' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '">'._('Edit').'</button></div></div>';
+			$active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled');
+			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '</div><div class="col">' . htmlspecialchars( $tmp[ 'target_domain' ] ) . '</div><div class="col">' . htmlspecialchars($active) . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="alias_domain" value="' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '">'.htmlspecialchars(_('Edit')).'</button></div></div>';
 		}
 		?></form>
 	<?php if ( $_SESSION[ 'email_admin_superadmin' ] ) { ?>
-    <p><a href="?action=new_alias_domain"><?php echo _('Create new alias domain'); ?></a></p>
+    <p><a href="?action=new_alias_domain"><?php echo htmlspecialchars(_('Create new alias domain')); ?></a></p>
 	<?php
 }
 }
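Review bot: send_manage_alias_domains renders the full listing and its Edit buttons for every admin and only gates the "Create new alias domain" link behind `email_admin_superadmin`, and the query has no `domain_admins` filter like the one send_manage_aliases applies. If non-superadmins are meant to see alias domains at all, confirm that `edit_alias_domain` and `save_edit_alias_domain` enforce the superadmin check server-side, since the button is the only thing between them and the editor here; if the router already blocks the whole action for them, the inner `if` around the create link is redundant. `$tmp[ 'modified' ]` remains the one unescaped cell in the row echo, as in the other listings.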
@@ -734,23 +728,23 @@ function send_manage_alias_domains(): void
 function send_new_alias_domain(): void
 {
 	?>
-    <h2><?php echo _('Create new alias domain'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Create new alias domain')); ?></h2>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="alias_domain"><?php echo _('Alias Domain'); ?></label></div>
+            <div class="col"><label for="alias_domain"><?php echo htmlspecialchars(_('Alias Domain')); ?></label></div>
             <div class="col"><input type="text" name="alias_domain" id="alias_domain"></div>
         </div>
         <div class="row">
-            <div class="col"><label for="target_domain"><?php echo _('Target Domain'); ?></label></div>
+            <div class="col"><label for="target_domain"><?php echo htmlspecialchars(_('Target Domain')); ?></label></div>
             <div class="col"><input type="text" name="target_domain" id="target_domain"></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo _('Active'); ?></label></div>
+            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo htmlspecialchars(_('Active')); ?></label></div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="save_new_alias_domain" type="submit"><?php echo _('Add alias domain'); ?></button>
+                <button name="action" value="save_new_alias_domain" type="submit"><?php echo htmlspecialchars(_('Add alias domain')); ?></button>
             </div>
         </div>
     </form>
@@ -764,35 +758,35 @@ function send_edit_alias_domain(): void
 	$stmt->execute( [ $_POST[ 'alias_domain' ] ] );
 	if ( $alias = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 		?>
-        <h2><?php printf(_('Edit alias domain %s'), htmlspecialchars( $_POST[ 'alias_domain' ] ) ); ?></h2>
+        <h2><?php printf(htmlspecialchars(_('Edit alias domain %s')), htmlspecialchars( $_POST[ 'alias_domain' ] ) ); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="alias_domain"
                    value="<?php echo htmlspecialchars( $_POST[ 'alias_domain' ] ); ?>">
             <div class="row">
-                <div class="col"><label for="target_domain"><?php echo _('Target Domain'); ?></label></div>
+                <div class="col"><label for="target_domain"><?php echo htmlspecialchars(_('Target Domain')); ?></label></div>
                 <div class="col"><input type="text" name="target_domain" id="target_domain"
                                         value="<?php echo htmlspecialchars( $alias[ 'target_domain' ] ); ?>"></div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="active"
-                                               value="1"<?php echo $alias[ 'active' ] ? ' checked' : ''; ?>><?php echo _('Active'); ?></label>
+                                               value="1"<?php echo $alias[ 'active' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Active')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_edit_alias_domain" type="submit"><?php echo _('Save changes'); ?></button>
+                    <button name="action" value="save_edit_alias_domain" type="submit"><?php echo htmlspecialchars(_('Save changes')); ?></button>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button type="submit" name="action" value="delete_alias_domain"><?php echo _('Delete alias domain'); ?></button>
+                    <button type="submit" name="action" value="delete_alias_domain"><?php echo htmlspecialchars(_('Delete alias domain')); ?></button>
                 </div>
             </div>
         </form>
 		<?php
 	} else {
-		echo '<p>'._('Oops, this alias domain doesn\'t seem to exist.').'</p>';
+		echo '<p>'.htmlspecialchars(_('Oops, this alias domain doesn\'t seem to exist.')).'</p>';
 	}
 }
 
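Review bot: The editor loads the row with `$stmt->execute( [ $_POST[ 'alias_domain' ] ] )` and then displays and re-embeds `$_POST[ 'alias_domain' ]` rather than the value fetched from the database; if the SELECT returns the column, prefer `$alias[ 'alias_domain' ]` for the heading and the hidden field so the page reflects the row that will actually be edited. Nothing in send_edit_alias_domain itself checks who may edit, so the superadmin restriction presumably lives in the router, outside this hunk; worth confirming. The escaping changes are correct, including escaping the printf format before substitution.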
@@ -802,54 +796,54 @@ function send_manage_aliases(): void
 	$stmt = $db->prepare( 'SELECT a.address, a.goto, a.modified, a.active FROM alias AS a LEFT JOIN mailbox AS m ON (m.username=a.address AND m.active=1) WHERE a.domain IN (SELECT domain FROM domain_admins WHERE username = ?) AND isnull(m.username) limit 200;' );
 	$stmt->execute( [ $_SESSION[ 'email_admin_user' ] ] );
 	?>
-    <p><a href="?action=new_alias"><?php echo _('Create new alias'); ?></a></p>
+    <p><a href="?action=new_alias"><?php echo htmlspecialchars(_('Create new alias')); ?></a></p>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <input type="hidden" name="action" value="edit_alias">
         <div class="row">
-            <div class="col"><?php echo _('Alias'); ?></div>
-            <div class="col"><?php echo _('Target'); ?></div>
-            <div class="col"><?php echo _('Active'); ?></div>
-            <div class="col"><?php echo _('Last modified'); ?></div>
-            <div class="col"><?php echo _('Edit alias'); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Alias')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Target')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Active')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Last modified')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Edit alias')); ?></div>
         </div>
 		<?php
 		while ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
-			$active = 'Disabled';
+			$active = _('Disabled');
 			if ( $tmp[ 'active' ] === 1 ) {
-				$active = 'Active';
+				$active = _('Active');
 			}
-			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'address' ] ) . '</div><div class="col">' . htmlspecialchars( $tmp[ 'goto' ] ) . '</div><div class="col">' . $active . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="alias" value="' . htmlspecialchars( $tmp[ 'address' ] ) . '">'._('Edit').'</button></div></div>';
+			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'address' ] ) . '</div><div class="col">' . htmlspecialchars( $tmp[ 'goto' ] ) . '</div><div class="col">' . htmlspecialchars($active) . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="alias" value="' . htmlspecialchars( $tmp[ 'address' ] ) . '">'.htmlspecialchars(_('Edit')).'</button></div></div>';
 		}
 		?></form>
-    <p><a href="?action=new_alias"><?php echo _('Create new alias'); ?></a></p>
+    <p><a href="?action=new_alias"><?php echo htmlspecialchars(_('Create new alias')); ?></a></p>
 	<?php
 }
 
 function send_new_alias(): void
 {
 	?>
-    <h2><?php echo _('Create new alias'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Create new alias')); ?></h2>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="alias"><?php echo _('Alias'); ?></label></div>
+            <div class="col"><label for="alias"><?php echo htmlspecialchars(_('Alias')); ?></label></div>
             <div class="col"><input type="text" name="alias" id="alias"></div>
         </div>
         <div class="row">
-            <div class="col"><label for="target"><?php echo _('Target'); ?></label></div>
+            <div class="col"><label for="target"><?php echo htmlspecialchars(_('Target')); ?></label></div>
             <div class="col"><input type="text" name="target" id="target"></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo _('Active'); ?></label></div>
+            <div class="col"><label><input type="checkbox" name="active" value="1"><?php echo htmlspecialchars(_('Active')); ?></label></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="enforce_tls_in" value="1"><?php echo _('Enforce encryption'); ?></label>
+            <div class="col"><label><input type="checkbox" name="enforce_tls_in" value="1"><?php echo htmlspecialchars(_('Enforce encryption')); ?></label>
             </div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="save_new_alias" type="submit"><?php echo _('Add alias'); ?></button>
+                <button name="action" value="save_new_alias" type="submit"><?php echo htmlspecialchars(_('Add alias')); ?></button>
             </div>
         </div>
     </form>
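Review bot: send_manage_aliases keeps the if block for the Active/Disabled label while this same commit collapsed the identical two-way mapping in send_manage_admins into a ternary; use the same form here for consistency, `$active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled');`. In the row echo, `$tmp[ 'modified' ]` is the only value still concatenated without htmlspecialchars(). The query's bare `limit 200` with no ORDER BY silently hides any aliases beyond the first two hundred and makes which ones appear unpredictable; that predates this change, but an ORDER BY plus a visible "showing first 200" notice would keep admins from assuming the list is complete.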
@@ -863,39 +857,39 @@ function send_edit_alias(): void
 	$stmt->execute( [ $_POST[ 'alias' ] ] );
 	if ( $alias = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 		?>
-        <h2><?php printf(_('Edit alias %s'), htmlspecialchars( $_POST[ 'alias' ] ) ); ?></h2>
+        <h2><?php printf(htmlspecialchars(_('Edit alias %s')), htmlspecialchars( $_POST[ 'alias' ] ) ); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="alias" value="<?php echo htmlspecialchars( $_POST[ 'alias' ] ); ?>">
             <div class="row">
-                <div class="col"><label for="target"><?php echo _('Target'); ?></label></div>
+                <div class="col"><label for="target"><?php echo htmlspecialchars(_('Target')); ?></label></div>
                 <div class="col"><textarea name="target"
                                            id="target"><?php echo str_replace( ',', "\n", htmlspecialchars( $alias[ 'goto' ] ) ); ?></textarea>
                 </div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="active"
-                                               value="1"<?php echo $alias[ 'active' ] ? ' checked' : ''; ?>><?php echo _('Active'); ?></label>
+                                               value="1"<?php echo $alias[ 'active' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Active')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="enforce_tls_in"
-                                               value="1"<?php echo $alias[ 'enforce_tls_in' ] ? ' checked' : ''; ?>><?php echo _('Enforce encryption'); ?></label></div>
+                                               value="1"<?php echo $alias[ 'enforce_tls_in' ] ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Enforce encryption')); ?></label></div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_edit_alias" type="submit"><?php echo _('Save changes'); ?></button>
+                    <button name="action" value="save_edit_alias" type="submit"><?php echo htmlspecialchars(_('Save changes')); ?></button>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button type="submit" name="action" value="delete_alias"><?php echo _('Delete alias'); ?></button>
+                    <button type="submit" name="action" value="delete_alias"><?php echo htmlspecialchars(_('Delete alias')); ?></button>
                 </div>
             </div>
         </form>
 		<?php
 	} else {
-		echo '<p>'._('Oops, this alias doesn\'t seem to exist.').'</p>';
+		echo '<p>'.htmlspecialchars(_('Oops, this alias doesn\'t seem to exist.')).'</p>';
 	}
 }
 
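Review bot: The hidden CSRF field on L867 still echoes `$_SESSION['csrf_token']` without `htmlspecialchars()`, which is the one interpolated value in this form the commit leaves unescaped. With the token generated as `sha1(uniqid())` (visible in manage_account.php) it is hex and harmless today, but the escaping pass should not depend on the token format; `value="<?php echo htmlspecialchars( $_SESSION[ 'csrf_token' ] ); ?>"` keeps it consistent with L868. send_edit_alias begins before this hunk, so whether the domain of `$_POST['alias']` is access-checked before the query on L861 is not visible here.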
@@ -905,73 +899,73 @@ function send_manage_mailboxes(): void
 	$stmt = $db->prepare( 'SELECT username, modified, active FROM mailbox WHERE domain IN (SELECT domain FROM domain_admins WHERE username = ?) limit 200;' );
 	$stmt->execute( [ $_SESSION[ 'email_admin_user' ] ] );
 	?>
-    <p><a href="?action=new_mailbox"><?php echo _('Create new mailbox'); ?></a></p>
+    <p><a href="?action=new_mailbox"><?php echo htmlspecialchars(_('Create new mailbox')); ?></a></p>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <input type="hidden" name="action" value="edit_mailbox">
         <div class="row">
-            <div class="col"><?php echo _('Username'); ?></div>
-            <div class="col"><?php echo _('Active'); ?></div>
-            <div class="col"><?php echo _('Last modified'); ?></div>
-            <div class="col"><?php echo _('Edit mailbox'); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Username')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Active')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Last modified')); ?></div>
+            <div class="col"><?php echo htmlspecialchars(_('Edit mailbox')); ?></div>
         </div>
 		<?php
 		while ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 			$active = 'Disabled';
 			if ( $tmp[ 'active' ] === 1 ) {
-				$active = 'Active';
+				$active = _('Active');
 			} elseif ( $tmp[ 'active' ] === -1 ) {
-				$active = 'Disabling';
+				$active = _('Disabling');
 			} elseif ( $tmp[ 'active' ] === -2 ) {
-				$active = 'Deleting';
+				$active = _('Deleting');
 			}
-			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'username' ] ) . '</div><div class="col">' . $active . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="user" value="' . htmlspecialchars( $tmp[ 'username' ] ) . '">'._('Edit').'</button></div></div>';
+			echo '<div class="row"><div class="col">' . htmlspecialchars( $tmp[ 'username' ] ) . '</div><div class="col">' . htmlspecialchars($active) . '</div><div class="col">' . $tmp[ 'modified' ] . '</div><div class="col"><button type="submit" name="user" value="' . htmlspecialchars( $tmp[ 'username' ] ) . '">'.htmlspecialchars(_('Edit')).'</button></div></div>';
 		}
 		?></form>
-    <p><a href="?action=new_mailbox"><?php echo _('Create new mailbox'); ?></a></p>
+    <p><a href="?action=new_mailbox"><?php echo htmlspecialchars(_('Create new mailbox')); ?></a></p>
 	<?php
 }
 
 function send_new_mailbox(): void
 {
 	?>
-    <h2><?php echo _('Create new mailbox'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Create new mailbox')); ?></h2>
     <form class="form_limit" action="admin.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="user"><?php echo _('Username'); ?></label></div>
+            <div class="col"><label for="user"><?php echo htmlspecialchars(_('Username')); ?></label></div>
             <div class="col"><input type="text" name="user" id="user"></div>
         </div>
         <div class="row">
-            <div class="col"><label for="pwd"><?php echo _('Password'); ?></label></div>
+            <div class="col"><label for="pwd"><?php echo htmlspecialchars(_('Password')); ?></label></div>
             <div class="col"><input type="password" name="pwd" id="pwd" autocomplete="new-password" required></div>
         </div>
         <div class="row">
-            <div class="col"><label for="pwd2"><?php echo _('Password again'); ?></label></div>
+            <div class="col"><label for="pwd2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
             <div class="col"><input type="password" name="pwd2" id="pwd2" autocomplete="new-password" required></div>
         </div>
         <div class="row">
-            <div class="col"><label for="alias_to"><?php echo _('Forward to'); ?></label></div>
+            <div class="col"><label for="alias_to"><?php echo htmlspecialchars(_('Forward to')); ?></label></div>
             <div class="col"><textarea name="alias_to" id="alias_to"></textarea></div>
         </div>
         <div class="row">
-            <div class="col"><label for="alias_keep_copy"><?php echo _('Keep a local copy'); ?></label></div>
+            <div class="col"><label for="alias_keep_copy"><?php echo htmlspecialchars(_('Keep a local copy')); ?></label></div>
             <div class="col"><input type="checkbox" name="alias_keep_copy" id="alias_keep_copy" checked></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="active" value="1" checked><?php echo _('Active'); ?></label></div>
+            <div class="col"><label><input type="checkbox" name="active" value="1" checked><?php echo htmlspecialchars(_('Active')); ?></label></div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="enforce_tls_in" value="1" checked><?php echo _('Enforce encryption for incoming mail'); ?></label>
+            <div class="col"><label><input type="checkbox" name="enforce_tls_in" value="1" checked><?php echo htmlspecialchars(_('Enforce encryption for incoming mail')); ?></label>
             </div>
         </div>
         <div class="row">
-            <div class="col"><label><input type="checkbox" name="enforce_tls_out" value="1" checked><?php echo _('Enforce encryption for outgoing mail'); ?></label>
+            <div class="col"><label><input type="checkbox" name="enforce_tls_out" value="1" checked><?php echo htmlspecialchars(_('Enforce encryption for outgoing mail')); ?></label>
             </div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="save_new_mailbox" type="submit"><?php echo _('Add mailbox'); ?></button>
+                <button name="action" value="save_new_mailbox" type="submit"><?php echo htmlspecialchars(_('Add mailbox')); ?></button>
             </div>
         </div>
     </form>
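Review bot: The default state label on L928, `$active = 'Disabled';`, is the only one of the four states not wrapped in `_()` after this change (L931, L934, L937 are), so the "Disabled" row will stay English in every other locale; `$active = _('Disabled');` matches the other branches. On the same row, L940 still emits `$tmp['modified']` raw while the neighbouring cells are escaped; it is presumably a database timestamp, but `htmlspecialchars( $tmp[ 'modified' ] )` keeps the escaping rule uniform so a future schema change cannot reintroduce unescaped output. The hidden CSRF fields on L914 and L954 are likewise the only raw echoes left in these forms.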
@@ -987,79 +981,79 @@ function send_edit_mailbox(): void
 		$aliases = explode( ',', $email[ 'goto' ] );
 		$aliases_to = implode( "\n", array_diff( $aliases, [ $_REQUEST[ 'user' ] ] ) );
 		?>
-        <h2><?php printf(_('Edit mailbox %s'), htmlspecialchars( $_REQUEST[ 'user' ] ) ); ?></h2>
+        <h2><?php printf(htmlspecialchars(_('Edit mailbox %s')), htmlspecialchars( $_REQUEST[ 'user' ] ) ); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="user" value="<?php echo htmlspecialchars( $_REQUEST[ 'user' ] ); ?>">
             <div class="row">
-                <div class="col"><label for="alias_to"><?php echo _('Forward to'); ?></label></div>
+                <div class="col"><label for="alias_to"><?php echo htmlspecialchars(_('Forward to')); ?></label></div>
                 <div class="col"><textarea name="alias_to"
                                            id="alias_to"><?php echo htmlspecialchars( $aliases_to ); ?></textarea></div>
             </div>
             <div class="row">
-                <div class="col"><label for="alias_keep_copy"><?php echo _('Keep a local copy'); ?></label></div>
+                <div class="col"><label for="alias_keep_copy"><?php echo htmlspecialchars(_('Keep a local copy')); ?></label></div>
                 <div class="col"><input type="checkbox" name="alias_keep_copy"
                                         id="alias_keep_copy"<?php echo in_array( $_REQUEST[ 'user' ], $aliases, true ) ? ' checked' : ''; ?>>
                 </div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="active"
-                                               value="1"<?php echo $email[ 'active' ] === 1 ? ' checked' : ''; ?>><?php echo _('Active'); ?></label>
+                                               value="1"<?php echo $email[ 'active' ] === 1 ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Active')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="enforce_tls_in"
-                                               value="1"<?php echo $email[ 'enforce_tls_in' ] === 1 ? ' checked' : ''; ?>><?php echo _('Enforce encryption for incoming mail'); ?></label>
+                                               value="1"<?php echo $email[ 'enforce_tls_in' ] === 1 ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Enforce encryption for incoming mail')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col"><label><input type="checkbox" name="enforce_tls_out"
-                                               value="1"<?php echo $email[ 'enforce_tls_out' ] === 1 ? ' checked' : ''; ?>><?php echo _('Enforce encryption for outgoing mail'); ?></label>
+                                               value="1"<?php echo $email[ 'enforce_tls_out' ] === 1 ? ' checked' : ''; ?>><?php echo htmlspecialchars(_('Enforce encryption for outgoing mail')); ?></label>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_edit_mailbox" type="submit"><?php echo _('Save mailbox'); ?></button>
+                    <button name="action" value="save_edit_mailbox" type="submit"><?php echo htmlspecialchars(_('Save mailbox')); ?></button>
                 </div>
             </div>
         </form>
-        <h2><?php echo _('Change password'); ?></h2>
+        <h2><?php echo htmlspecialchars(_('Change password')); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="user" value="<?php echo htmlspecialchars( $_POST[ 'user' ] ); ?>">
             <div class="row">
-                <div class="col"><label for="pass_update"><?php echo _('Password'); ?></label></div>
+                <div class="col"><label for="pass_update"><?php echo htmlspecialchars(_('Password')); ?></label></div>
                 <div class="col"><input type="password" name="pass_update" id="pass_update" autocomplete="new-password"
                                         required></div>
             </div>
             <div class="row">
-                <div class="col"><label for="pass_update2"><?php echo _('Password again'); ?></label></div>
+                <div class="col"><label for="pass_update2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
                 <div class="col"><input type="password" name="pass_update2" id="pass_update2"
                                         autocomplete="new-password" required></div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button name="action" value="save_password_mailbox" type="submit"><?php echo _('Change password'); ?></button>
+                    <button name="action" value="save_password_mailbox" type="submit"><?php echo htmlspecialchars(_('Change password')); ?></button>
                 </div>
             </div>
         </form>
-        <h2><?php echo _('Delete mailbox / Disable two-factor authentication'); ?></h2>
+        <h2><?php echo htmlspecialchars(_('Delete mailbox / Disable two-factor authentication')); ?></h2>
         <form class="form_limit" action="admin.php" method="post">
             <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
             <input type="hidden" name="user" value="<?php echo htmlspecialchars( $_POST[ 'user' ] ); ?>">
             <div class="row">
                 <div class="col">
-                    <button type="submit" name="action" value="disable_tfa_mailbox"><?php echo _('Disable two-factor authentication'); ?></button>
+                    <button type="submit" name="action" value="disable_tfa_mailbox"><?php echo htmlspecialchars(_('Disable two-factor authentication')); ?></button>
                 </div>
             </div>
             <div class="row">
                 <div class="col">
-                    <button type="submit" name="action" value="delete_mailbox"><?php echo _('Delete mailbox'); ?></button>
+                    <button type="submit" name="action" value="delete_mailbox"><?php echo htmlspecialchars(_('Delete mailbox')); ?></button>
                 </div>
             </div>
         </form>
 		<?php
 	} else {
-		echo '<p>'._('Oops, this mailbox doesn\'t seem to exist.').'</p>';
+		echo '<p>'.htmlspecialchars(_('Oops, this mailbox doesn\'t seem to exist.')).'</p>';
 	}
 }
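Review bot: This form reads the mailbox name from `$_REQUEST['user']` on L1006, L1009 and L1020 but from `$_POST['user']` on L1052 and L1076, so the change-password and delete forms carry an empty `user` whenever the page is reached with the name in the query string rather than the POST body. Both hidden inputs should read the same source as the heading; given the edit button in send_manage_mailboxes submits via POST, `$_POST['user']` throughout is the safer choice, otherwise change L1052 and L1076 to `$_REQUEST[ 'user' ]`. send_edit_mailbox starts before this hunk, so the lookup that populates `$email` is not visible here.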
diff --git a/www/index.php b/www/index.php
index 435a951..6a72a93 100644
--- a/www/index.php
+++ b/www/index.php
@@ -3,41 +3,41 @@ include_once('../common_config.php');
 global $language, $dir, $locale;
 ?>
 <!DOCTYPE html><html lang="<?php echo $language; ?>" dir="<?php echo $dir; ?>"><head>
-<title><?php echo _('E-Mail and XMPP'); ?></title>
+<title><?php echo htmlspecialchars(_('E-Mail and XMPP')); ?></title>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
 <meta name="author" content="Daniel Winzen">
 <meta name="viewport" content="width=device-width, initial-scale=1">
-<meta name="description" content="<?php echo _('Get a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>">
+<meta name="description" content="<?php echo htmlspecialchars(_('Get a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>">
 <link rel="canonical" href="<?php echo CANONICAL_URL; ?>">
 <link rel="alternate" href="<?php echo CANONICAL_URL; ?>" hreflang="x-default">
 <?php alt_links(); ?>
 <meta property="og:type" content="website">
-<meta property="og:title" content="<?php echo _('E-Mail and XMPP'); ?>">
-<meta property="og:description" content="<?php echo _('Get a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>">
+<meta property="og:title" content="<?php echo htmlspecialchars(_('E-Mail and XMPP')); ?>">
+<meta property="og:description" content="<?php echo htmlspecialchars(_('Get a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>">
 <meta property="og:url" content="<?php echo CANONICAL_URL; ?>">
 <meta property="og:locale" content="<?php echo $locale; ?>">
-<script type="application/ld+json">{"@context":"https://schema.org","@type":"Service","name":"<?php echo _('E-Mail and XMPP'); ?>", "description": "<?php echo _('Get a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>", "availableChannel": {"@type": "ServiceChannel", "serviceUrl": "<?php echo CANONICAL_URL; ?>"}}</script>
+<script type="application/ld+json">{"@context":"https://schema.org","@type":"Service","name":"<?php echo htmlspecialchars(_('E-Mail and XMPP')); ?>", "description": "<?php echo htmlspecialchars(_('Get a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>", "availableChannel": {"@type": "ServiceChannel", "serviceUrl": "<?php echo CANONICAL_URL; ?>"}}</script>
 </head><body>
 <main>
-<p><?php echo _('Info'); ?> | <a href="<?php echo ROOT_URL; ?>register.php"><?php echo _('Register'); ?></a> | <a href="<?php echo ROOT_URL; ?>manage_account.php"><?php echo _('Manage account'); ?></a> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo _('SquirrelMail'); ?></a> | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo _('SnappyMail'); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo _('Web-XMPP'); ?></a></p>
-<h2><?php echo _('What you will get'); ?></h2>
-<p><?php printf(_('You get a free anonymous E-Mail address and an XMPP/Jabber account using the same details. Your Jabber ID is user@%1$s and can be connected to directly from clearnet or via Tor hidden service (%2$s).'), CLEARNET_SERVER, ONION_SERVER); ?></p>
-<p><?php printf(_('You will have 50MB of disk space available for your mails. If you need more space, just <a href="%1$s">contact me</a>. Your E-Mail address will be %2$s'), CONTACT_URL, CLEARNET_SERVER); ?></p>
-<p><?php echo _('For privacy, please use PGP mail encryption, if you can. This prevents others from reading your mails to protect your privacy. You can <a href="https://gnupg.org/download/index.html" target="_blank" rel="noopener noreferrer">download GnuPG</a> or similar software for it. Once you have generated your PGP key, you can <a href="manage_account.php">add it to your account</a> to make use of WKD automatic discovery for mail clients.'); ?></p>
-<p><?php echo _('You can choose between two Web-Mail clients installed on the server. <a href="squirrelmail/src/login.php">SquirrelMail</a> is a very old mail client which works without any JavaScript and is thus the most popular mail client among darknet users. However, it hasn\'t been under development for many years and does not support all features that mail has to offer. You may see strange attachments that should have been inlined in your email, such as PGP/MIME encrypted email messages. A more modern client is <a href="snappymail/">SnappyMail</a>, which also supports PGP encryption within your browser and is more similar to what you may be used to from other mail services. SnappyMail requires JavaScript though, so SquirrelMail is for you if you do not trust executing JavaScript in your browser. Alternatively, you can simply use your favourite desktop mail client and configure it with the settings given below.'); ?></p>
-<p><?php echo _('The XMPP service provides message archiving and HTTP upload, which can keep your messages and files for up to 1 week. Up to 100MB of file storage is available per user.'); ?></p>
-<h2><?php echo _('E-Mail Setup'); ?></h2>
+<p><?php echo htmlspecialchars(_('Info')); ?> | <a href="<?php echo ROOT_URL; ?>register.php"><?php echo htmlspecialchars(_('Register')); ?></a> | <a href="<?php echo ROOT_URL; ?>manage_account.php"><?php echo htmlspecialchars(_('Manage account')); ?></a> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo htmlspecialchars(_('SquirrelMail')); ?></a> | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo htmlspecialchars(_('SnappyMail')); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo htmlspecialchars(_('Web-XMPP')); ?></a></p>
+<h2><?php echo htmlspecialchars(_('What you will get')); ?></h2>
+<p><?php printf(htmlspecialchars(_('You get a free anonymous E-Mail address and an XMPP/Jabber account using the same details. Your Jabber ID is user@%1$s and can be connected to directly from clearnet or via Tor hidden service (%2$s).')), CLEARNET_SERVER, ONION_SERVER); ?></p>
+<p><?php printf(htmlspecialchars(_('You will have 50MB of disk space available for your mails. If you need more space, %s. Your E-Mail address will be %2$s')), '<a href="'.CONTACT_URL.'">'.htmlspecialchars(_('contact me')).'</a>', CLEARNET_SERVER); ?></p>
+<p><?php printf(htmlspecialchars(_('For privacy, please use PGP mail encryption, if you can. This prevents others from reading your mails to protect your privacy. You can %1$s or similar software for it. Once you have generated your PGP key, you can %2$s to make use of WKD automatic discovery for mail clients.')), '<a href="https://gnupg.org/download/index.html" target="_blank" rel="noopener noreferrer">'.htmlspecialchars(_('download GnuPG')).'</a>', '<a href="manage_account.php">'.htmlspecialchars(_('add it to your account')).'</a>'); ?></p>
+<p><?php printf(htmlspecialchars(_('You can choose between two Web-Mail clients installed on the server. %1$s is a very old mail client which works without any JavaScript and is thus the most popular mail client among darknet users. However, it hasn\'t been under development for many years and does not support all features that mail has to offer. You may see strange attachments that should have been inlined in your email, such as PGP/MIME encrypted email messages. A more modern client is %2$s, which also supports PGP encryption within your browser and is more similar to what you may be used to from other mail services. SnappyMail requires JavaScript though, so SquirrelMail is for you if you do not trust executing JavaScript in your browser. Alternatively, you can simply use your favourite desktop mail client and configure it with the settings given below.')), '<a href="squirrelmail/src/login.php">'.htmlspecialchars(_('SquirrelMail')).'</a>', '<a href="snappymail/">'.htmlspecialchars(_('SnappyMail')).'</a>'); ?></p>
+<p><?php echo htmlspecialchars(_('The XMPP service provides message archiving and HTTP upload, which can keep your messages and files for up to 1 week. Up to 100MB of file storage is available per user.')); ?></p>
+<h2><?php echo htmlspecialchars(_('E-Mail Setup')); ?></h2>
 <p>
-    <?php printf(_('SMTP: %s Port 465 (SSL/TLS) or 587 (StartTLS)'), CLEARNET_SERVER); ?><br>
-	<?php printf(_('IMAP: %s Port 993 (SSL/TLS) or 143 (StartTLS)'), CLEARNET_SERVER); ?><br>
-	<?php printf(_('POP3: %s Port 995 (SSL/TLS) or 110 (StartTLS)'), CLEARNET_SERVER); ?><br>
-	<?php echo _('Authentication: PLAIN, LOGIN'); ?>
+    <?php printf(htmlspecialchars(_('SMTP: %s Port 465 (SSL/TLS) or 587 (StartTLS)')), CLEARNET_SERVER); ?><br>
+	<?php printf(htmlspecialchars(_('IMAP: %s Port 993 (SSL/TLS) or 143 (StartTLS)')), CLEARNET_SERVER); ?><br>
+	<?php printf(htmlspecialchars(_('POP3: %s Port 995 (SSL/TLS) or 110 (StartTLS)')), CLEARNET_SERVER); ?><br>
+	<?php echo htmlspecialchars(_('Authentication: PLAIN, LOGIN')); ?>
 </p>
-<p><?php printf(_('You can also connect on the same ports via the Tor onion address %s, but you will have to accept an SSL certificate only valid for the clearnet domain.'), ONION_SERVER); ?></p>
-<h2><?php echo _('XMPP setup'); ?></h2>
-<p><?php printf(_('Domain: %s'), CLEARNET_SERVER); ?><br>
-	<?php printf(_('Connect server: %s (optional for torification)'), ONION_SERVER); ?><br>
-	<?php printf(_('File transfer proxy: %s'), XMPP_FILE_PROXY); ?><br>
-	<?php printf(_('BOSH URL: %s (only enable if you have to, as it is slower than directly using xmpp)'), XMPP_BOSH_URL); ?></p>
+<p><?php printf(htmlspecialchars(_('You can also connect on the same ports via the Tor onion address %s, but you will have to accept an SSL certificate only valid for the clearnet domain.')), ONION_SERVER); ?></p>
+<h2><?php echo htmlspecialchars(_('XMPP setup')); ?></h2>
+<p><?php printf(htmlspecialchars(_('Domain: %s')), CLEARNET_SERVER); ?><br>
+	<?php printf(htmlspecialchars(_('Connect server: %s (optional for torification)')), ONION_SERVER); ?><br>
+	<?php printf(htmlspecialchars(_('File transfer proxy: %s')), XMPP_FILE_PROXY); ?><br>
+	<?php printf(htmlspecialchars(_('BOSH URL: %s (only enable if you have to, as it is slower than directly using xmpp)')), XMPP_BOSH_URL); ?></p>
 </main>
 </body></html>
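Review bot: `htmlspecialchars()` is the wrong escaper for the JSON-LD block on L1122: the body of a `<script>` element is raw text, so entities are never decoded there and a `&` or `"` in a translation either ends up literally in the JSON (`&quot;`) or terminates the string early, while a `</script>` in the data would still end the element. The values should be built as an array and emitted with `json_encode()`, whose `JSON_HEX_TAG` flag makes the `<`/`>` breakout impossible; the rewrite is below. Separately, the format string on L1136 mixes an unnumbered `%s` with `%2$s`; PHP resolves it, but `%1$s` is what translators expect when arguments are reordered and it matches L1135. `$language`, `$dir` and `$locale` on L1103 and L1120 are also echoed raw; if they are derived from the request rather than a fixed table, they need the same treatment.
```php
<script type="application/ld+json"><?php echo json_encode( [
	'@context' => 'https://schema.org',
	'@type' => 'Service',
	'name' => _('E-Mail and XMPP'),
	'description' => _('Get a free and anonymous E-Mail address and an XMPP/Jabber account'),
	'availableChannel' => [ '@type' => 'ServiceChannel', 'serviceUrl' => CANONICAL_URL ],
], JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP ); ?></script>
```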
diff --git a/www/manage_account.php b/www/manage_account.php
index f01a0cd..837d5af 100644
--- a/www/manage_account.php
+++ b/www/manage_account.php
@@ -14,7 +14,7 @@ if ( ! empty( $_SESSION[ 'email_user' ] ) ) {
 		$_SESSION = [];
 		session_regenerate_id( true );
 		$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-		$msg .= '<div class="red" role="alert">'._('It looks like your user no longer exists!').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('It looks like your user no longer exists!')).'</div>';
 	}
 }
 
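Review bot: The CSRF token regenerated on L1172 is `sha1( uniqid() )`, and `uniqid()` is a microsecond timestamp rather than CSPRNG output, so the token has far less entropy than its 40 hex characters suggest. `bin2hex( random_bytes( 32 ) )` is the standard replacement and keeps the value hex, so the raw echoes of the token elsewhere stay safe. The same construction appears on L1190, L1256 and L1265 of this file; the comparison side of the check is outside the diff, so I cannot confirm it uses `hash_equals()`.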
@@ -27,7 +27,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			unset( $_SESSION[ '2fa_code' ] );
 			unset( $_SESSION[ 'pgp_key' ] );
 		} else {
-			$msg .= '<p style="color:red">'._('Wrong 2FA code').'</p>';
+			$msg .= '<p style="color:red">'.htmlspecialchars(_('Wrong 2FA code')).'</p>';
 		}
 	}
 	if ( ! isset( $_SESSION[ '2fa_code' ] ) && isset( $_POST[ 'action' ] ) ) {
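Review bot: The 2FA failure message on L1183 is wrapped in `<p style="color:red">` while every other error in this file uses `<div class="red" role="alert">` (for example L1198), so this one lacks the alert role and the shared class. `'<div class="red" role="alert">'.htmlspecialchars(_('Wrong 2FA code')).'</div>'` brings it in line with the rest of the escaping pass.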
@@ -35,16 +35,16 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			$_SESSION = [];
 			session_regenerate_id( true );
 			$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-			$msg .= '<div class="green" role="alert">'._('Successfully logged out').'</div>';
+			$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully logged out')).'</div>';
 		} elseif ( $_POST[ 'action' ] === 'login' ) {
 			$ok = true;
 			if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) {
 				$ok = false;
-				$msg .= '<div class="red" role="alert">'._('Invalid captcha').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid captcha')).'</div>';
 			}
 			if ( empty( $_POST[ 'user' ] ) || ! preg_match( '/^([^+]+?)(@([^@]+))?$/i', $_POST[ 'user' ], $match ) ) {
 				$ok = false;
-				$msg .= '<div class="red" role="alert">'._('Invalid username').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid username')).'</div>';
 			}
 			if ( $ok ) {
 				$db = get_db_instance();
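Review bot: The username check on L1200 passes `$_POST['user']` straight to `preg_match()`, which throws a `TypeError` on PHP 8 when the field arrives as an array (`user[]=x`), turning a malformed login into a 500 instead of the "Invalid username" message. A type guard ahead of the regex closes that: `if ( ! is_string( $_POST[ 'user' ] ?? null ) || $_POST[ 'user' ] === '' || ! preg_match( '/^([^+]+?)(@([^@]+))?$/i', $_POST[ 'user' ], $match ) ) {`. The same applies to `$_POST['pwd']` on L1209, where `empty()` additionally rejects the legitimate password `"0"`; `! is_string( $_POST[ 'pwd' ] ?? null ) || $_POST[ 'pwd' ] === ''` is the precise test.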
@@ -60,7 +60,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 				if ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
 					if ( empty( $_POST[ 'pwd' ] ) || ! password_verify( $_POST[ 'pwd' ], $tmp[ 'password' ] ) ) {
 						$ok = false;
-						$msg .= '<div class="red" role="alert">'._('Incorrect username or password').'</div>';
+						$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Incorrect username or password')).'</div>';
 					} else {
 						$_SESSION[ 'email_user' ] = $tmp[ 'username' ];
 						$stmt = $db->prepare( 'UPDATE mailbox SET last_login = ? WHERE username = ? AND active = 1;' );
@@ -78,7 +78,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						}
 					}
 				} else {
-					$msg .= '<div class="red" role="alert">'._('Incorrect username or password').'</div>';
+					$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Incorrect username or password')).'</div>';
 				}
 			}
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_settings' ) {
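Review bot: The unknown-user branch on L1220 returns the same message as a wrong password, but it skips the `password_verify()` that the found-user path runs on L1209, so the two responses differ measurably in time and still allow username enumeration. Running a verify against a fixed dummy hash in the else branch evens that out: `password_verify( $_POST[ 'pwd' ] ?? '', DUMMY_ARGON2ID_HASH_PLACEHOLDER );` with the constant being any valid Argon2id hash. This only matters if account existence is not already exposed elsewhere; the registration page is not in this diff, so I cannot tell.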
@@ -97,21 +97,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			$stmt->execute( [ ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), $_SESSION[ 'email_user' ] ] );
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_password' ) {
 			if ( empty( $_POST[ 'pass_update' ] ) || empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) {
-				$msg .= '<div class="red" role="alert">'._('Passwords empty or don\'t match').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Passwords empty or don\'t match')).'</div>';
 			} else {
 				$hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID );
 				$stmt = $db->prepare( 'UPDATE mailbox SET password_hash_type = "{ARGON2ID}", password = ? WHERE username = ? AND active = 1;' );
 				$stmt->execute( [ $hash, $_SESSION[ 'email_user' ] ] );
-				$msg .= '<div class="green" role="alert">'._('Successfully updated password').'</div>';
+				$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully updated password')).'</div>';
 			}
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account' ) {
-			$msg .= '<div class="red" role="alert">'._('Warning: This will permenently delete your account and all your data. Anyone can immediately register with this user again. It cannot be reversed. Are you absolutely sure?').'</div>';
+			$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Warning: This will permenently delete your account and all your data. Anyone can immediately register with this user again. It cannot be reversed. Are you absolutely sure?')).'</div>';
 			$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
-			$msg .= '<button type="submit" name="action" value="delete_account2">'._('Yes, I want to permanently delete my account').'</button></form>';
+			$msg .= '<button type="submit" name="action" value="delete_account2">'.htmlspecialchars(_('Yes, I want to permanently delete my account')).'</button></form>';
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account' ) {
-			$msg .= '<div class="red" role="alert">'._('Warning: This will disable your account for a year and delete all your data. After a year it is available for registrations again. It cannot be reversed. Are you absolutely sure?').'</div>';
+			$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Warning: This will disable your account for a year and delete all your data. After a year it is available for registrations again. It cannot be reversed. Are you absolutely sure?')).'</div>';
 			$msg .= '<form method="post"><input type="hidden" name="csrf_token" value="' . $_SESSION[ 'csrf_token' ] . '">';
-			$msg .= '<button type="submit" name="action" value="disable_account2">'._('Yes, I want to disable my account').'</button></form>';
+			$msg .= '<button type="submit" name="action" value="disable_account2">'.htmlspecialchars(_('Yes, I want to disable my account')).'</button></form>';
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account2' ) {
 			$stmt = $db->prepare( 'DELETE FROM alias WHERE address = ?;' );
 			$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
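Review bot: The msgid on L1240 carries the typo "permenently", and because this commit only wraps the string, fixing it later will change the msgid and orphan every existing translation of it; correcting it now, while the catalogs are already being touched, avoids a second round. On L1228 the password-update path only checks non-empty and equality before hashing with Argon2id on L1232, so a one-character password is accepted; if a minimum length is enforced at registration it should be applied here too, e.g. `|| mb_strlen( $_POST[ 'pass_update' ] ) < MIN_PASSWORD_LENGTH_PLACEHOLDER`. The CSRF token is again echoed raw on L1241 and L1247, which is safe only for as long as the token stays hex.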
@@ -120,7 +120,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			$_SESSION = [];
 			session_regenerate_id( true );
 			$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-			$msg .= '<div class="green" role="alert">'._('Successfully deleted account').'</div>';
+			$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully deleted account')).'</div>';
 		} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account2' ) {
 			$stmt = $db->prepare( 'UPDATE alias SET active = 0 WHERE address = ?;' );
 			$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
@@ -129,11 +129,11 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 			$_SESSION = [];
 			session_regenerate_id( true );
 			$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
-			$msg .= '<div class="green" role="alert">'._('Successfully disabled account').'</div>';
+			$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully disabled account')).'</div>';
 		} elseif ( isset( $_POST[ 'pgp_key' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_pgp_key' ) {
 			$pgp_key = trim( $_POST[ 'pgp_key' ] );
 			if ( empty( $pgp_key ) ) {
-				$msg .= '<p class="green">'._('Successfully removed the key').'</p>';
+				$msg .= '<p class="green">'.htmlspecialchars(_('Successfully removed the key')).'</p>';
 				$stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = "", tfa = 0, pgp_verified = 0 WHERE username = ?;' );
 				$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
 			} else {
@@ -142,7 +142,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 				gnupg_setarmor( $gpg, 1 );
 				$imported_key = gnupg_import( $gpg, $pgp_key );
 				if ( ! $imported_key ) {
-					$msg .= '<p class="red">'._('There was an error importing the key').'</p>';
+					$msg .= '<p class="red">'.htmlspecialchars(_('There was an error importing the key')).'</p>';
 				} else {
 					$has_this_email = false;
 					$key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] );
@@ -155,21 +155,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 						}
 					}
 					if ( $has_this_email ) {
-						$msg .= '<p class="green">'._('Successfully imported the key').'</p>';
+						$msg .= '<p class="green">'.htmlspecialchars(_('Successfully imported the key')).'</p>';
 						$stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = ?, tfa = 0, pgp_verified = 0 WHERE username = ?;' );
 						$stmt->execute( [ $pgp_key, $_SESSION[ 'email_user' ] ] );
 					} else {
-						$msg .= '<p class="red">' . sprintf( _('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.'), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '</p>';
+						$msg .= '<p class="red">' . sprintf( htmlspecialchars(_('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.')), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '</p>';
 					}
 				}
 			}
 		} elseif ( isset( $_POST[ 'enable_2fa_code' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'enable_2fa' ) {
 			if ( $_POST[ 'enable_2fa_code' ] !== $_SESSION[ 'enable_2fa_code' ] ) {
-				$msg .= '<p class="red">'._('Sorry, the code was incorrect').'</p>';
+				$msg .= '<p class="red">'.htmlspecialchars(_('Sorry, the code was incorrect')).'</p>';
 			} else {
 				$stmt = $db->prepare( 'UPDATE mailbox SET tfa = 1, pgp_verified = 1 WHERE username = ?;' );
 				$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
-				$msg .= '<p class="green">'._('Successfully enabled 2FA').'</p>';
+				$msg .= '<p class="green">'.htmlspecialchars(_('Successfully enabled 2FA')).'</p>';
 			}
 		}
 	}
@@ -178,21 +178,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
 <!DOCTYPE html>
 <html lang="<?php echo $language; ?>" dir="<?php echo $dir; ?>">
 <head>
-    <title><?php echo _('E-Mail and XMPP - Manage account'); ?></title>
+    <title><?php echo htmlspecialchars(_('E-Mail and XMPP - Manage account')); ?></title>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <meta name="author" content="Daniel Winzen">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta name="description"
-          content="<?php echo _('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.'); ?>">
+          content="<?php echo htmlspecialchars(_('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.')); ?>">
     <link rel="canonical" href="<?php echo CANONICAL_URL; ?>manage_account.php">
     <link rel="alternate" href="<?php echo CANONICAL_URL; ?>manage_account.php" hreflang="x-default">
 	<?php alt_links(); ?>
     <meta property="og:type" content="website">
-    <meta property="og:title" content="<?php echo _('E-Mail and XMPP - Manage account'); ?>">
-    <meta property="og:description" content="<?php echo _('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.'); ?>">
+    <meta property="og:title" content="<?php echo htmlspecialchars(_('E-Mail and XMPP - Manage account')); ?>">
+    <meta property="og:description" content="<?php echo htmlspecialchars(_('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.')); ?>">
     <meta property="og:url" content="<?php echo CANONICAL_URL; ?>manage_account.php">
     <meta property="og:locale" content="<?php echo $locale; ?>">
-    <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo _('E-Mail and XMPP - Manage account'); ?>", "description": "<?php echo _('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.'); ?>"}</script>
+    <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo htmlspecialchars(_('E-Mail and XMPP - Manage account')); ?>", "description": "<?php echo htmlspecialchars(_('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.')); ?>"}</script>
 </head>
 <body>
 <main>
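Review bot: `htmlspecialchars()` is the wrong escaper for the JSON-LD `<script>` block on the new line in this hunk, and the same applies to the matching line in the register.php head hunk. Script content is raw text, so the `&quot;` and `&amp;` it produces are not decoded and end up literally inside the JSON value, while a backslash in a translated string is passed through unescaped and breaks the JSON string entirely; `<` does become `&lt;`, so a `</script>` breakout is prevented, but the structured data is corrupted for any translation containing quotes, ampersands or backslashes. Emit the object with the JSON encoder instead and let it do the context-specific escaping: `echo json_encode(['@context' => 'https://schema.org', '@type' => 'WebPage', 'name' => _('E-Mail and XMPP - Manage account'), 'description' => _('Manage your free and anonymous E-Mail address and an XMPP/Jabber account. Add forwarding addresses, change your password or disable/delete your account.')], JSON_HEX_TAG | JSON_HEX_AMP | JSON_UNESCAPED_SLASHES);` — `JSON_HEX_TAG` turns `<` and `>` into `\u003C`/`\u003E`, which keeps the block safe inside `<script>` without producing HTML entities.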
@@ -213,15 +213,15 @@ foreach ( $key_info as $key ) {
 }
 $encrypted = gnupg_encrypt( $gpg, _('To login, please enter the following code to confirm ownership of your key:')."\n\n" . $_SESSION[ '2fa_code' ] . "\n" );
 echo $msg;
-echo '<p>'._('To login, please decrypt the following PGP encrypted message and confirm the code:').'</p>';
+echo '<p>'.htmlspecialchars(_('To login, please decrypt the following PGP encrypted message and confirm the code:')).'</p>';
 echo "<pre>$encrypted</pre>";
 ?>
 <form class="form_limit" action="manage_account.php" method="post">
     <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
     <div class="row">
-        <div class="col"><input type="text" name="2fa_code" aria-label="<?php echo _('2FA code'); ?>"></div>
+        <div class="col"><input type="text" name="2fa_code" aria-label="<?php echo htmlspecialchars(_('2FA code')); ?>"></div>
         <div class="col">
-            <button type="submit"><?php echo _('Confirm'); ?></button>
+            <button type="submit"><?php echo htmlspecialchars(_('Confirm')); ?></button>
         </div>
     </div>
 </form>
@@ -234,36 +234,36 @@ exit;
 if ( ! empty( $_SESSION[ 'email_user' ] ) ){ ?>
 <form method="post"><input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
 	<?php } ?>
-    <p><a href="<?php echo ROOT_URL; ?>"><?php echo _('Info'); ?></a> |<?php
+    <p><a href="<?php echo ROOT_URL; ?>"><?php echo htmlspecialchars(_('Info')); ?></a> |<?php
 		if ( ! empty( $_SESSION[ 'email_user' ] ) ) {
-            printf(_('Logged in as %s'), htmlspecialchars( $_SESSION[ 'email_user' ] ) );
+            printf(htmlspecialchars(_('Logged in as %s')), htmlspecialchars( $_SESSION[ 'email_user' ] ) );
 		} else { ?>
-            <a href="<?php echo ROOT_URL; ?>register.php"><?php echo _('Register'); ?></a>
+            <a href="<?php echo ROOT_URL; ?>register.php"><?php echo htmlspecialchars(_('Register')); ?></a>
 		<?php }
 		if ( ! empty( $_SESSION[ 'email_user' ] ) ) { ?>
             |
-            <button name="action" value="logout" type="submit"><?php echo _('Logout'); ?></button>
+            <button name="action" value="logout" type="submit"><?php echo htmlspecialchars(_('Logout')); ?></button>
 		<?php } else { ?>
-            | <?php echo _('Manage account');
-		} ?> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo _('SquirrelMail'); ?></a> | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo _('SnappyMail'); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo _('Web-XMPP'); ?></a></p>
+            | <?php echo htmlspecialchars(_('Manage account'));
+		} ?> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo htmlspecialchars(_('SquirrelMail')); ?></a> | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo htmlspecialchars(_('SnappyMail')); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo htmlspecialchars(_('Web-XMPP')); ?></a></p>
 	<?php if ( ! empty( $_SESSION[ 'email_user' ] ) ){ ?></form><?php }
 echo "<p>$msg</p>";
 if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
     <form class="form_limit" action="manage_account.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="user"><?php echo _('Username'); ?></label></div>
+            <div class="col"><label for="user"><?php echo htmlspecialchars(_('Username')); ?></label></div>
             <div class="col"><input type="text" name="user" id="user" autocomplete="username" required
                                     value="<?php echo htmlspecialchars( $_POST[ 'user' ] ?? '' ); ?>"></div>
         </div>
         <div class="row">
-            <div class="col"><label for="pwd"><?php echo _('Password'); ?></label></div>
+            <div class="col"><label for="pwd"><?php echo htmlspecialchars(_('Password')); ?></label></div>
             <div class="col"><input type="password" name="pwd" id="pwd" autocomplete="new-password" required></div>
         </div>
 		<?php send_captcha(); ?>
         <div class="row">
             <div class="col">
-                <button name="action" value="login" type="submit"><?php echo _('Login'); ?></button>
+                <button name="action" value="login" type="submit"><?php echo htmlspecialchars(_('Login')); ?></button>
             </div>
         </div>
     </form>
@@ -280,58 +280,58 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
 	$tls_status = $stmt->fetch( PDO::FETCH_ASSOC );
 	?>
     <form class="form_limit" action="manage_account.php" method="post">
-        <h2><?php echo _('Settings'); ?></h2>
-        <h3><?php echo _('Delivery'); ?></h3>
-        <p><?php echo _('Change how your mail is delivered. You can add forwarding addresses one per line, or comma seperated. When you disable the "keep a local copy" checkbox, your mail will only be sent to your forwarding addresses.'); ?></p>
+        <h2><?php echo htmlspecialchars(_('Settings')); ?></h2>
+        <h3><?php echo htmlspecialchars(_('Delivery')); ?></h3>
+        <p><?php echo htmlspecialchars(_('Change how your mail is delivered. You can add forwarding addresses one per line, or comma seperated. When you disable the "keep a local copy" checkbox, your mail will only be sent to your forwarding addresses.')); ?></p>
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="alias_to"><?php echo _('Forward to'); ?></label></div>
+            <div class="col"><label for="alias_to"><?php echo htmlspecialchars(_('Forward to')); ?></label></div>
             <div class="col"><textarea name="alias_to"
                                        id="alias_to"><?php echo htmlspecialchars( $aliases_to ); ?></textarea></div>
         </div>
         <div class="row">
-            <div class="col"><label for="alias_keep_copy"><?php echo _('Keep a local copy'); ?></label></div>
+            <div class="col"><label for="alias_keep_copy"><?php echo htmlspecialchars(_('Keep a local copy')); ?></label></div>
             <div class="col"><input type="checkbox" name="alias_keep_copy"
                                     id="alias_keep_copy"<?php echo in_array( $_SESSION[ 'email_user' ], $aliases, true ) ? ' checked' : ''; ?>>
             </div>
         </div>
-        <h3><?php echo _('Encryption'); ?></h3>
-        <p><?php echo _('If you are having issues sending or receiving mails with some other provider, you can try disabling forced encryption here. But be aware, that this makes it possible for 3rd parties on the network to read your emails. Make sure to ask your correspondent to demand encryption support from their provider for a safer internet.'); ?></p>
+        <h3><?php echo htmlspecialchars(_('Encryption')); ?></h3>
+        <p><?php echo htmlspecialchars(_('If you are having issues sending or receiving mails with some other provider, you can try disabling forced encryption here. But be aware, that this makes it possible for 3rd parties on the network to read your emails. Make sure to ask your correspondent to demand encryption support from their provider for a safer internet.')); ?></p>
         <div class="row">
-            <div class="col"><label for="enforce_tls_in"><?php echo _('Enforce encryption for incoming mail'); ?></label></div>
+            <div class="col"><label for="enforce_tls_in"><?php echo htmlspecialchars(_('Enforce encryption for incoming mail')); ?></label></div>
             <div class="col"><input type="checkbox" name="enforce_tls_in"
                                     id="enforce_tls_in"<?php echo ! empty( $tls_status[ 'enforce_tls_in' ] ) ? ' checked' : ''; ?>>
             </div>
         </div>
         <div class="row">
-            <div class="col"><label for="enforce_tls_out"><?php echo _('Enforce encryption for outgoing mail'); ?></label></div>
+            <div class="col"><label for="enforce_tls_out"><?php echo htmlspecialchars(_('Enforce encryption for outgoing mail')); ?></label></div>
             <div class="col"><input type="checkbox" name="enforce_tls_out"
                                     id="enforce_tls_out"<?php echo ! empty( $tls_status[ 'enforce_tls_out' ] ) ? ' checked' : ''; ?>>
             </div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="update_settings" type="submit"><?php echo _('Update settings'); ?></button>
+                <button name="action" value="update_settings" type="submit"><?php echo htmlspecialchars(_('Update settings')); ?></button>
             </div>
         </div>
     </form>
 
-    <h2><?php echo _('Change password'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Change password')); ?></h2>
     <form class="form_limit" action="manage_account.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
-            <div class="col"><label for="pass_update"><?php echo _('Password'); ?></label></div>
+            <div class="col"><label for="pass_update"><?php echo htmlspecialchars(_('Password')); ?></label></div>
             <div class="col"><input type="password" name="pass_update" id="pass_update" autocomplete="new-password"
                                     required></div>
         </div>
         <div class="row">
-            <div class="col"><label for="pass_update2"><?php echo _('Password again'); ?></label></div>
+            <div class="col"><label for="pass_update2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
             <div class="col"><input type="password" name="pass_update2" id="pass_update2" autocomplete="new-password"
                                     required></div>
         </div>
         <div class="row">
             <div class="col">
-                <button name="action" value="update_password" type="submit"><?php echo _('Change password'); ?></button>
+                <button name="action" value="update_password" type="submit"><?php echo htmlspecialchars(_('Change password')); ?></button>
             </div>
         </div>
     </form>
@@ -342,7 +342,7 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
 	$pgp_status = $stmt->fetch( PDO::FETCH_ASSOC );
 	if ( ! empty( $pgp_status[ 'pgp_key' ] ) ) {
 		if ( $pgp_status[ 'tfa' ] === 1 ) {
-			echo '<p class="green">'._('Yay, PGP based 2FA is enabled!').'</p>';
+			echo '<p class="green">'.htmlspecialchars(_('Yay, PGP based 2FA is enabled!')).'</p>';
 		} else {
 			$gpg = gnupg_init();
 			gnupg_seterrormode( $gpg, GNUPG_ERROR_WARNING );
@@ -352,7 +352,7 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
 				$key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] );
 				foreach ( $key_info as $key ) {
 					if ( ! $key[ 'can_encrypt' ] ) {
-						echo '<p>'._('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.').'</p>';
+						echo '<p>'.htmlspecialchars(_('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.')).'</p>';
 					} else {
 						foreach ( $key[ 'subkeys' ] as $subkey ) {
 							gnupg_addencryptkey( $gpg, $subkey[ 'fingerprint' ] );
@@ -361,16 +361,16 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
 				}
 				$_SESSION[ 'enable_2fa_code' ] = bin2hex( random_bytes( 3 ) );
 				if ( $encrypted = gnupg_encrypt( $gpg, _('To enable 2FA, please enter the following code to confirm ownership of your key:'). "\n\n$_SESSION[enable_2fa_code]\n" ) ) {
-					echo '<h2>'._( 'Enable 2FA').'</h2>';
-					echo '<p>'._('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:').'</p>';
+					echo '<h2>'.htmlspecialchars(_( 'Enable 2FA')).'</h2>';
+					echo '<p>'.htmlspecialchars(_('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:')).'</p>';
 					echo "<pre>$encrypted</pre>";
 					?>
                     <form class="form_limit" action="manage_account.php" method="post">
                         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
                         <div class="row">
-                            <div class="col"><input type="text" name="enable_2fa_code" aria-label="<?php echo _('2FA code'); ?>"></div>
+                            <div class="col"><input type="text" name="enable_2fa_code" aria-label="<?php echo htmlspecialchars(_('2FA code')); ?>"></div>
                             <div>
-                                <button type="submit" name="action" value="enable_2fa"><?php echo _('Confirm'); ?></button>
+                                <button type="submit" name="action" value="enable_2fa"><?php echo htmlspecialchars(_('Confirm')); ?></button>
                             </div>
                         </div>
                     </form>
@@ -381,33 +381,33 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
 	}
 	?>
 
-    <h2><?php echo _('Add PGP key for 2FA and end-to-end encryption'); ?></h2>
+    <h2><?php echo htmlspecialchars(_('Add PGP key for 2FA and end-to-end encryption')); ?></h2>
     <form class="form_limit" action="manage_account.php" method="post">
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
             <div class="col"><textarea name="pgp_key" rows="10" cols="50"
-                                       aria-label="<?php echo _('PGP key'); ?>"><?php echo htmlspecialchars( $pgp_status[ 'pgp_key' ] ?? '' ); ?></textarea>
+                                       aria-label="<?php echo htmlspecialchars(_('PGP key')); ?>"><?php echo htmlspecialchars( $pgp_status[ 'pgp_key' ] ?? '' ); ?></textarea>
             </div>
         </div>
         <div>
             <div>
-                <button type="submit" name="action" value="update_pgp_key"><?php echo _('Update PGP key'); ?></button>
+                <button type="submit" name="action" value="update_pgp_key"><?php echo htmlspecialchars(_('Update PGP key')); ?></button>
             </div>
         </div>
     </form>
 
     <form class="form_limit" action="manage_account.php" method="post">
-        <h2><?php echo _('Disable/Delete account'); ?></h2>
-        <p><?php echo _('Warning, this is permanent and cannot be undone. Disabling an account will delete your email data from the server, but leave the account blocked in the database   for a year, so no one else can use it. Deleting your account will completely wipe all records of it and it will be available for new registrations again.'); ?></p>
+        <h2><?php echo htmlspecialchars(_('Disable/Delete account')); ?></h2>
+        <p><?php echo htmlspecialchars(_('Warning, this is permanent and cannot be undone. Disabling an account will delete your email data from the server, but leave the account blocked in the database   for a year, so no one else can use it. Deleting your account will completely wipe all records of it and it will be available for new registrations again.')); ?></p>
         <input type="hidden" name="csrf_token" value="<?php echo $_SESSION[ 'csrf_token' ]; ?>">
         <div class="row">
             <div class="col">
-                <button type="submit" name="action" value="disable_account"><?php echo _('Disable account'); ?></button>
+                <button type="submit" name="action" value="disable_account"><?php echo htmlspecialchars(_('Disable account')); ?></button>
             </div>
         </div>
         <div class="row">
             <div class="col">
-                <button type="submit" name="action" value="delete_account"><?php echo _('Delete account'); ?></button>
+                <button type="submit" name="action" value="delete_account"><?php echo htmlspecialchars(_('Delete account')); ?></button>
             </div>
         </div>
     </form>
diff --git a/www/register.php b/www/register.php
index a561162..b20dd66 100644
--- a/www/register.php
+++ b/www/register.php
@@ -15,22 +15,22 @@ if ( isset( $_POST[ 'user' ] ) ) {
 	$ok = true;
 	if ( $_SESSION[ 'csrf_token' ] !== $_POST[ 'csrf_token' ] ?? '' ) {
 		$ok = false;
-		$msg .= '<div class="red" role="alert">'._('Invalid CSRF token').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid CSRF token')).'</div>';
 	}
 	if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) {
 		$ok = false;
-		$msg .= '<div class="red" role="alert">'._('Invalid captcha').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid captcha')).'</div>';
 	}
 	$db = get_db_instance();
 	if ( ! preg_match( '/^([^+\/\'"]+?)(@([^@]+))?$/iu', $_POST[ 'user' ], $match ) ) {
 		$ok = false;
-		$msg .= '<div class="red" role="alert">'._('Invalid username. It may not contain a +, \', " or /.').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Invalid username. It may not contain a +, \', " or /.')).'</div>';
 	}
 	$user = mb_strtolower( $match[ 1 ] ?? '' );
 	$domain = $match[ 3 ] ?? 'danwin1210.de';
 	if ( $ok && ( empty( $_POST[ 'pwd' ] ) || empty( $_POST[ 'pwd2' ] ) || $_POST[ 'pwd' ] !== $_POST[ 'pwd2' ] ) ) {
 		$ok = false;
-		$msg .= '<div class="red" role="alert">'._('Passwords empty or don\'t match').'</div>';
+		$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('Passwords empty or don\'t match')).'</div>';
 	} elseif ( $ok ) {
 		$stmt = $db->prepare( 'SELECT target_domain FROM alias_domain WHERE alias_domain = ? AND active=1;' );
 		$stmt->execute( [ $domain ] );
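Review bot: The `Invalid CSRF token` message added on the first changed line of this hunk is reached through `$_SESSION[ 'csrf_token' ] !== $_POST[ 'csrf_token' ] ?? ''`, and that condition does not do what the `?? ''` suggests: `!==` binds tighter than `??`, so the fallback is applied to the boolean result (never null) and a request without a token still indexes `$_POST[ 'csrf_token' ]` directly, producing an undefined-index warning rather than a defaulted comparison. The check still rejects the request, so this is a robustness and style issue rather than a bypass, but since the value compared is an attacker-controlled string the comparison should also be constant-time. `if ( ! hash_equals( (string) ( $_SESSION[ 'csrf_token' ] ?? '' ), (string) ( $_POST[ 'csrf_token' ] ?? '' ) ) ) {` addresses both. The enclosing `if ( isset( $_POST[ 'user' ] ) )` block begins above this hunk.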
@@ -41,15 +41,15 @@ if ( isset( $_POST[ 'user' ] ) ) {
 		$stmt->execute( [ $domain ] );
 		if ( ! $stmt->fetch() ) {
 			$ok = false;
-			$msg .= '<div class="red" role="alert">'._('The domain you specified is not allowed').'</div>';
+			$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('The domain you specified is not allowed')).'</div>';
 		} else {
 			$validator = new EmailValidator();
 			if ( ! $validator->isValid( "$user@$domain", new NoRFCWarningsValidation() ) ) {
 				$ok = false;
-				$msg .= '<div class="red" role="alert">'._('The email address you specified is not valid').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('The email address you specified is not valid')).'</div>';
 			} elseif(in_array($user, RESERVED_USERNAMES, true)){
 				$ok = false;
-				$msg .= '<div class="red" role="alert">'._('The username you specified is reserved').'</div>';
+				$msg .= '<div class="red" role="alert">'.htmlspecialchars(_('The username you specified is reserved')).'</div>';
 			}
 
 		}
@@ -67,7 +67,7 @@ if ( isset( $_POST[ 'user' ] ) ) {
 			$stmt->execute( [ "$user@$domain", "$user@$domain", $domain ] );
 			$stmt = $db->prepare( 'INSERT INTO mailbox (username, password, quota, local_part, domain, created, modified, password_hash_type, openpgpkey_wkd) VALUES(?, ?, 51200000, ?, ?, NOW(), NOW(), ?, ?);' );
 			$stmt->execute( [ "$user@$domain", $hash, $user, $domain, '{ARGON2ID}', z_base32_encode( hash( 'sha1', mb_strtolower( $user ), true ) ) ] );
-			$msg .= '<div class="green" role="alert">'._('Successfully created new mailbox!').'</div>';
+			$msg .= '<div class="green" role="alert">'.htmlspecialchars(_('Successfully created new mailbox!')).'</div>';
 		}
 	}
 }
@@ -75,50 +75,50 @@ if ( isset( $_POST[ 'user' ] ) ) {
 <!DOCTYPE html>
 <html lang="<?php echo $language; ?>" dir="<?php echo $dir; ?>">
 <head>
-    <title><?php echo _('E-Mail and XMPP - Register'); ?></title>
+    <title><?php echo htmlspecialchars(_('E-Mail and XMPP - Register')); ?></title>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
     <meta name="author" content="Daniel Winzen">
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <meta name="description" content="<?php echo _('Register for a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>">
+    <meta name="description" content="<?php echo htmlspecialchars(_('Register for a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>">
     <link rel="canonical" href="<?php echo CANONICAL_URL; ?>register.php">
     <link rel="alternate" href="<?php echo CANONICAL_URL; ?>register.php" hreflang="x-default">
 	<?php alt_links(); ?>
     <meta property="og:type" content="website">
-    <meta property="og:title" content="<?php echo _('E-Mail and XMPP - Register'); ?>">
-    <meta property="og:description" content="<?php echo _('Register for a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>">
+    <meta property="og:title" content="<?php echo htmlspecialchars(_('E-Mail and XMPP - Register')); ?>">
+    <meta property="og:description" content="<?php echo htmlspecialchars(_('Register for a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>">
     <meta property="og:url" content="<?php echo CANONICAL_URL; ?>register.php">
     <meta property="og:locale" content="<?php echo $locale; ?>">
-    <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo _('E-Mail and XMPP - Register'); ?>", "description": "<?php echo _('Register for a free and anonymous E-Mail address and an XMPP/Jabber account'); ?>"}</script>
+    <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","name":"<?php echo htmlspecialchars(_('E-Mail and XMPP - Register')); ?>", "description": "<?php echo htmlspecialchars(_('Register for a free and anonymous E-Mail address and an XMPP/Jabber account')); ?>"}</script>
 </head>
 <body>
 <main>
-<p><a href="<?php echo ROOT_URL; ?>"><?php echo _('Info'); ?></a> | <?php echo _('Register'); ?> | <a href="<?php echo ROOT_URL; ?>manage_account.php"><?php echo _('Manage account'); ?></a> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo _('SquirrelMail'); ?></a>  | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo _('SnappyMail'); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo _('Web-XMPP'); ?></a>
+<p><a href="<?php echo ROOT_URL; ?>"><?php echo htmlspecialchars(_('Info')); ?></a> | <?php echo htmlspecialchars(_('Register')); ?> | <a href="<?php echo ROOT_URL; ?>manage_account.php"><?php echo htmlspecialchars(_('Manage account')); ?></a> | <a href="<?php echo ROOT_URL; ?>squirrelmail/src/login.php" target="_blank"><?php echo htmlspecialchars(_('SquirrelMail')); ?></a>  | <a href="<?php echo ROOT_URL; ?>snappymail/" target="_blank"><?php echo htmlspecialchars(_('SnappyMail')); ?></a> | <a href="<?php echo WEB_XMPP_URL; ?>" target="_blank" rel="noopener"><?php echo htmlspecialchars(_('Web-XMPP')); ?></a>
 </p>
 <?php echo "<p>$msg</p>"; ?>
 <form class="form_limit" action="register.php" method="post"><input type="hidden" name="csrf_token"
                                                                     value="<?php echo $_SESSION[ 'csrf_token' ] ?>">
     <div class="row">
-        <div class="col"><label for="user"><?php echo _('Username'); ?></label></div>
+        <div class="col"><label for="user"><?php echo htmlspecialchars(_('Username')); ?></label></div>
         <div class="col"><input type="text" name="user" id="user" autocomplete="username" required
                                 value="<?php echo htmlspecialchars( $_POST[ 'user' ] ?? '' ); ?>"></div>
     </div>
     <div class="row">
-        <div class="col"><label for="pwd"><?php echo _('Password'); ?></label></div>
+        <div class="col"><label for="pwd"><?php echo htmlspecialchars(_('Password')); ?></label></div>
         <div class="col"><input type="password" name="pwd" id="pwd" autocomplete="new-password" required></div>
     </div>
     <div class="row">
-        <div class="col"><label for="pwd2"><?php echo _('Password again'); ?></label></div>
+        <div class="col"><label for="pwd2"><?php echo htmlspecialchars(_('Password again')); ?></label></div>
         <div class="col"><input type="password" name="pwd2" id="pwd2" autocomplete="new-password" required></div>
     </div>
     <div class="row">
-        <div class="col"><label for="accept_privacy"><?php printf(_('I have read and agreed to the <a href="%s" target="_blank">Privacy Policy</a>'), PRIVACY_POLICY_URL); ?></label>
+        <div class="col"><label for="accept_privacy"><?php printf(htmlspecialchars(_('I have read and agreed to the %s')), '<a href="'.PRIVACY_POLICY_URL.'" target="_blank">'.htmlspecialchars(_('Privacy Policy')).'</a>'); ?></label>
         </div>
         <div class="col"><input type="checkbox" id="accept_privacy" name="accept_privacy" required></div>
     </div>
 	<?php send_captcha(); ?>
     <div class="row">
         <div class="col">
-            <button type="submit"><?php echo _('Register'); ?></button>
+            <button type="submit"><?php echo htmlspecialchars(_('Register')); ?></button>
         </div>
     </div>
 </form>
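Review bot: The rewritten privacy-policy label in this hunk escapes the translated texts but splices `PRIVACY_POLICY_URL` into the `href` attribute raw, so it is now the only value in this markup that bypasses `htmlspecialchars()`; it is a constant, so the exposure is low, but escaping it keeps the rule "everything echoed into HTML is escaped" uniform and covers a future configuration value containing `"` or `&`. The new anchor also omits the `rel="noopener"` that the other `target="_blank"` links in the navigation line above carry. Suggested replacement for the link fragment: `'<a href="'.htmlspecialchars(PRIVACY_POLICY_URL).'" target="_blank" rel="noopener">'.htmlspecialchars(_('Privacy Policy')).'</a>'`.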