/**
 * Recursively strip slashes from the values of an array.
 *
 * Walks the array in place: nested arrays are descended into, every
 * non-array leaf is replaced by stripslashes() of itself. Keys are kept.
 *
 * @param array $array the array to strip, passed by reference
 * @return void
 */
function sqstripslashes(&$array) {
    if (count($array) < 1) {
        return;
    }
    foreach (array_keys($array) as $key) {
        if (is_array($array[$key])) {
            sqstripslashes($array[$key]);
            continue;
        }
        $array[$key] = stripslashes($array[$key]);
    }
}
require SM_PATH . 'functions/plugin.php';
require SM_PATH . 'include/languages.php';
require SM_PATH . 'class/template/Template.class.php';
require SM_PATH . 'class/error.class.php';

/**
 * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
 * Force magic_quotes_runtime off.
 * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
 * If there's a better place, please let me know.
 */
ini_set('magic_quotes_runtime', '0');

/* If running with magic_quotes_gpc then strip the slashes from the POST and
 * GET global arrays, so the rest of the code sees the request values without
 * the added backslashes. function_exists() guards PHP builds where
 * get_magic_quotes_gpc() is no longer defined, and the @ silences the
 * deprecation notice newer PHP releases emit for the call.
 * NOTE(review): only $_GET and $_POST are unslashed here; $_COOKIE and
 * $_REQUEST are left exactly as PHP delivered them. */
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    sqstripslashes($_GET);
    sqstripslashes($_POST);
}

/**
 * Strip any tags added to the url from PHP_SELF.
 * This fixes hand crafted url XSS exploits for any
 * page that uses PHP_SELF as the FORM action
 * Update: strip_tags() won't catch something like
 * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
 * or
 * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
 * because it doesn't bother with broken tags.
 * sm_encode_html_special_chars() is the preferred method.
 * QUERY_STRING also needs the same treatment since it is
 * used in php_self().
 * Update again: the encoding of ampersands that occurs
 * using sm_encode_html_special_chars() corrupts the query strings