Fix XSS vulnerability reported by ptsecurity.com (attacker tries to s…

…end mail to an administrator

on a server that does not have a mail server configured).

install/forum_data/src/iemail.inc.t

@@ -1,6 +1,6 @@
 <?php
 /**
-* copyright            : (C) 2001-2021 Advanced Internet Designs Inc.
+* copyright            : (C) 2001-2022 Advanced Internet Designs Inc.
 * email                : forum@prohost.org
 * $Id$
 *
@@ -38,6 +38,13 @@ function validate_email($email)
 
 function encode_subject($text)
 {
+	/* HTML entities check. */
+	if (strpos($subj, '&') !== false) {
+		$subj = html_entity_decode($subj);
+	}
+
+	$text = htmlspecialchars($text);  // Prevent XSS like <img src="1" onerror="alert()">
+
 	if (preg_match('![\x7f-\xff]!', $text)) {
 		$text = '=?{TEMPLATE: iemail_CHARSET}?B?'. base64_encode($text) .'?=';
 	}
@@ -51,11 +58,6 @@ function send_email($from, $to, $subj, $body, $header='', $munge_newlines=1)
 		return 0;
 	}
 
-	/* HTML entities check. */
-	if (strpos($subj, '&') !== false) {
-		$subj = html_entity_decode($subj);
-	}
-
 	if ($header) {
 		$header = "\n" . str_replace("\r", '', $header);
 	}
@@ -66,11 +68,11 @@ function send_email($from, $to, $subj, $body, $header='', $munge_newlines=1)
 	$addronly = preg_replace('/.*</', '<', $from);	// RFC 2822 Return-Path: <...>
 	$header = 'From: '. $from ."\nReturn-Path: ". $addronly ."\nUser-Agent: FUDforum/". $GLOBALS['FORUM_VERSION'] . $extra_header . $header;
 
+	$subj = encode_subject($subj);
 	$body = str_replace("\r", '', $body);
 	if ($munge_newlines) {
 		$body = str_replace('\n', "\n", $body);
 	}
-	$subj = encode_subject($subj);
 
 	// Call PRE mail plugins.
 	if (defined('plugins')) {
@@ -90,7 +92,7 @@ function send_email($from, $to, $subj, $body, $header='', $munge_newlines=1)
 		}
 		$smtp = new fud_smtp;
 		$smtp->msg = str_replace(array('\n', "\n."), array("\n", "\n.."), $body);
-		$smtp->subject = encode_subject($subj);
+		$smtp->subject = $subj;
 		$smtp->to = $to;
 		$smtp->from = $from;
 		$smtp->headers = $header;