author | Paul Arthur <paul.arthur@flowerysong.com> | 2012-09-20 12:50:54 -0400 |
---|---|---|
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2012-09-20 12:50:54 -0400 |
commit | 9c09b33e955c345d6c2ec352e6fba572b5784ab5 (patch) | |
tree | 19f7fbea328ce9bfaeea18bb18f7e86307dedf56 /admin | |
parent | 2f8656a20c7ba0eb523ecd8987e343f819e22f5a (diff) | |
FS#248 - Sending Mail with quotes
Don't run scrub_in on the subject and body; it's not touching the
database or being output back to the browser, and we send plain text
email. Anything malicious that can be done is a phpmailer bug.
Diffstat (limited to 'admin')
-rw-r--r-- | admin/mail.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/admin/mail.php b/admin/mail.php index 595abab7..2f2b90d0 100644 --- a/admin/mail.php +++ b/admin/mail.php @@ -52,8 +52,8 @@ switch ($_REQUEST['action']) { $mailer = new AmpacheMail(); // Set the vars on the object - $mailer->subject = scrub_in($_REQUEST['subject']); - $mailer->message = scrub_in($_REQUEST['message']); + $mailer->subject = $_REQUEST['subject']; + $mailer->message = $_REQUEST['message']; if ($_REQUEST['from'] == 'system') { $mailer->set_default_sender(); |
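Review bot: At `$mailer->subject = $_REQUEST['subject'];` the subject now reaches the mailer exactly as submitted, and unlike the message body a subject ends up in a mail header, so it is worth stripping CR and LF from it at this point (or confirming that AmpacheMail does so) instead of depending only on the mail library for that. A short comment above the two assignments stating that scrub_in is deliberately not applied because the mail is sent as plain text would also keep a later cleanup from putting it back and bringing back the quoting problem from FS#248.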