Escape variables in mail module

Jamie Snape · Jamie Snape · commit d249394a37ba · 2014-12-08T09:20:02.000-05:00
diff --git a/modules/mail/Notification.php b/modules/mail/Notification.php
@@ -80,30 +80,30 @@ protected function handleSendMailMessage($params)
         }
 
         $mail = new Midas_Mail();
-        $mail->setFrom($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName));
+        $mail->setFrom(htmlspecialchars($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName), ENT_QUOTES, 'UTF-8'));
 
         if (isset($params['bcc'])) {
-            $mail->addBcc($params['bcc']);
+            $mail->addBcc(htmlspecialchars($params['bcc'], ENT_QUOTES, 'UTF-8'));
         }
 
         if (isset($params['cc'])) {
-            $mail->addCc($params['cc']);
+            $mail->addCc(htmlspecialchars($params['cc'], ENT_QUOTES, 'UTF-8'));
         }
 
         if (isset($params['html'])) {
             $mail->setBodyHtml($params['html']);
         }
 
         if (isset($params['subject'])) {
-            $mail->setSubject($params['subject']);
+            $mail->setSubject(htmlspecialchars($params['subject'], ENT_QUOTES, 'UTF-8'));
         }
 
         if (isset($params['text'])) {
-            $mail->setBodyText($params['text']);
+            $mail->setBodyText(htmlspecialchars($params['text'], ENT_QUOTES, 'UTF-8'));
         }
 
         if (isset($params['to'])) {
-            $mail->addTo($params['to']);
+            $mail->addTo(htmlspecialchars($params['to'], ENT_QUOTES, 'UTF-8'));
         }
 
         try {

Original file line number	Diff line number	Diff line change
`@@ -80,30 +80,30 @@ protected function handleSendMailMessage($params)`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`$mail = new Midas_Mail();`
`83`		`- $mail->setFrom($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName));`
	`83`	`+ $mail->setFrom(htmlspecialchars($this->Setting->getValueByName(MAIL_FROM_ADDRESS_KEY, $this->moduleName), ENT_QUOTES, 'UTF-8'));`
`84`	`84`
`85`	`85`	`if (isset($params['bcc'])) {`
`86`		`- $mail->addBcc($params['bcc']);`
	`86`	`+ $mail->addBcc(htmlspecialchars($params['bcc'], ENT_QUOTES, 'UTF-8'));`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`if (isset($params['cc'])) {`
`90`		`- $mail->addCc($params['cc']);`
	`90`	`+ $mail->addCc(htmlspecialchars($params['cc'], ENT_QUOTES, 'UTF-8'));`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`if (isset($params['html'])) {`
`94`	`94`	`$mail->setBodyHtml($params['html']);`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`if (isset($params['subject'])) {`
`98`		`- $mail->setSubject($params['subject']);`
	`98`	`+ $mail->setSubject(htmlspecialchars($params['subject'], ENT_QUOTES, 'UTF-8'));`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`if (isset($params['text'])) {`
`102`		`- $mail->setBodyText($params['text']);`
	`102`	`+ $mail->setBodyText(htmlspecialchars($params['text'], ENT_QUOTES, 'UTF-8'));`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`if (isset($params['to'])) {`
`106`		`- $mail->addTo($params['to']);`
	`106`	`+ $mail->addTo(htmlspecialchars($params['to'], ENT_QUOTES, 'UTF-8'));`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`try {`