/** * Setter * * @param string $name Property name * @param mixed $value Property value * * @return void */ public function set($name, $value) { if (in_array($name, array('to', 'from'), true)) { /** * Prevent the attack works by placing a newline character * (represented by \n in the following example) in the field * that asks for the user's e-mail address. * For instance, they might put: * joe@example.com\nCC: victim1@example.com,victim2@example.com */ $value = str_replace('\\t', "\t", $value); $value = str_replace("\t", '', $value); $value = str_replace('\\r', "\r", $value); $value = str_replace("\r", '', $value); $value = str_replace('\\n', "\n", $value); $value = explode("\n", $value); $value = $value[0]; } parent::set($name, $value); }