-
@@ -987,79 +981,79 @@ function send_edit_mailbox(): void
$aliases = explode( ',', $email[ 'goto' ] );
$aliases_to = implode( "\n", array_diff( $aliases, [ $_REQUEST[ 'user' ] ] ) );
?>
-
+
-
+
-
+
'._('Oops, this mailbox doesn\'t seem to exist.').'';
+ echo '
'.htmlspecialchars(_('Oops, this mailbox doesn\'t seem to exist.')).'
';
}
}
diff --git a/www/index.php b/www/index.php
index 435a951..6a72a93 100644
--- a/www/index.php
+++ b/www/index.php
@@ -3,41 +3,41 @@ include_once('../common_config.php');
global $language, $dir, $locale;
?>
-
<?php echo _('E-Mail and XMPP'); ?>
+
<?php echo htmlspecialchars(_('E-Mail and XMPP')); ?>
-
+
-
-
+
+
-
+
- |
-
-contact me. Your E-Mail address will be %2$s'), CONTACT_URL, CLEARNET_SERVER); ?>
-download GnuPG or similar software for it. Once you have generated your PGP key, you can add it to your account to make use of WKD automatic discovery for mail clients.'); ?>
-SquirrelMail is a very old mail client which works without any JavaScript and is thus the most popular mail client among darknet users. However, it hasn\'t been under development for many years and does not support all features that mail has to offer. You may see strange attachments that should have been inlined in your email, such as PGP/MIME encrypted email messages. A more modern client is SnappyMail , which also supports PGP encryption within your browser and is more similar to what you may be used to from other mail services. SnappyMail requires JavaScript though, so SquirrelMail is for you if you do not trust executing JavaScript in your browser. Alternatively, you can simply use your favourite desktop mail client and configure it with the settings given below.'); ?>
-
- |
+
+'.htmlspecialchars(_('contact me')).'', CLEARNET_SERVER); ?>
+'.htmlspecialchars(_('download GnuPG')).'', ''.htmlspecialchars(_('add it to your account')).' '); ?>
+'.htmlspecialchars(_('SquirrelMail')).'', ''.htmlspecialchars(_('SnappyMail')).' '); ?>
+
+
-
-
-
+
+
diff --git a/www/manage_account.php b/www/manage_account.php
index f01a0cd..837d5af 100644
--- a/www/manage_account.php
+++ b/www/manage_account.php
@@ -14,7 +14,7 @@ if ( ! empty( $_SESSION[ 'email_user' ] ) ) {
$_SESSION = [];
session_regenerate_id( true );
$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
- $msg .= '
'._('It looks like your user no longer exists!').'
';
+ $msg .= '
'.htmlspecialchars(_('It looks like your user no longer exists!')).'
';
}
}
@@ -27,7 +27,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
unset( $_SESSION[ '2fa_code' ] );
unset( $_SESSION[ 'pgp_key' ] );
} else {
- $msg .= '
'._('Wrong 2FA code').'
';
+ $msg .= '
'.htmlspecialchars(_('Wrong 2FA code')).'
';
}
}
if ( ! isset( $_SESSION[ '2fa_code' ] ) && isset( $_POST[ 'action' ] ) ) {
@@ -35,16 +35,16 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
$_SESSION = [];
session_regenerate_id( true );
$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
- $msg .= '
'._('Successfully logged out').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully logged out')).'
';
} elseif ( $_POST[ 'action' ] === 'login' ) {
$ok = true;
if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) {
$ok = false;
- $msg .= '
'._('Invalid captcha').'
';
+ $msg .= '
'.htmlspecialchars(_('Invalid captcha')).'
';
}
if ( empty( $_POST[ 'user' ] ) || ! preg_match( '/^([^+]+?)(@([^@]+))?$/i', $_POST[ 'user' ], $match ) ) {
$ok = false;
- $msg .= '
'._('Invalid username').'
';
+ $msg .= '
'.htmlspecialchars(_('Invalid username')).'
';
}
if ( $ok ) {
$db = get_db_instance();
@@ -60,7 +60,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
if ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) {
if ( empty( $_POST[ 'pwd' ] ) || ! password_verify( $_POST[ 'pwd' ], $tmp[ 'password' ] ) ) {
$ok = false;
- $msg .= '
'._('Incorrect username or password').'
';
+ $msg .= '
'.htmlspecialchars(_('Incorrect username or password')).'
';
} else {
$_SESSION[ 'email_user' ] = $tmp[ 'username' ];
$stmt = $db->prepare( 'UPDATE mailbox SET last_login = ? WHERE username = ? AND active = 1;' );
@@ -78,7 +78,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
}
}
} else {
- $msg .= '
'._('Incorrect username or password').'
';
+ $msg .= '
'.htmlspecialchars(_('Incorrect username or password')).'
';
}
}
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_settings' ) {
@@ -97,21 +97,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
$stmt->execute( [ ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), $_SESSION[ 'email_user' ] ] );
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_password' ) {
if ( empty( $_POST[ 'pass_update' ] ) || empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) {
- $msg .= '
'._('Passwords empty or don\'t match').'
';
+ $msg .= '
'.htmlspecialchars(_('Passwords empty or don\'t match')).'
';
} else {
$hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID );
$stmt = $db->prepare( 'UPDATE mailbox SET password_hash_type = "{ARGON2ID}", password = ? WHERE username = ? AND active = 1;' );
$stmt->execute( [ $hash, $_SESSION[ 'email_user' ] ] );
- $msg .= '
'._('Successfully updated password').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully updated password')).'
';
}
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account' ) {
- $msg .= '
'._('Warning: This will permenently delete your account and all your data. Anyone can immediately register with this user again. It cannot be reversed. Are you absolutely sure?').'
';
+ $msg .= '
'.htmlspecialchars(_('Warning: This will permenently delete your account and all your data. Anyone can immediately register with this user again. It cannot be reversed. Are you absolutely sure?')).'
';
$msg .= '
';
+ $msg .= '
'.htmlspecialchars(_('Yes, I want to permanently delete my account')).' ';
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account' ) {
- $msg .= '
'._('Warning: This will disable your account for a year and delete all your data. After a year it is available for registrations again. It cannot be reversed. Are you absolutely sure?').'
';
+ $msg .= '
'.htmlspecialchars(_('Warning: This will disable your account for a year and delete all your data. After a year it is available for registrations again. It cannot be reversed. Are you absolutely sure?')).'
';
$msg .= '
';
+ $msg .= '
'.htmlspecialchars(_('Yes, I want to disable my account')).' ';
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account2' ) {
$stmt = $db->prepare( 'DELETE FROM alias WHERE address = ?;' );
$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
@@ -120,7 +120,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
$_SESSION = [];
session_regenerate_id( true );
$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
- $msg .= '
'._('Successfully deleted account').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully deleted account')).'
';
} elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account2' ) {
$stmt = $db->prepare( 'UPDATE alias SET active = 0 WHERE address = ?;' );
$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
@@ -129,11 +129,11 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
$_SESSION = [];
session_regenerate_id( true );
$_SESSION[ 'csrf_token' ] = sha1( uniqid() );
- $msg .= '
'._('Successfully disabled account').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully disabled account')).'
';
} elseif ( isset( $_POST[ 'pgp_key' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_pgp_key' ) {
$pgp_key = trim( $_POST[ 'pgp_key' ] );
if ( empty( $pgp_key ) ) {
- $msg .= '
'._('Successfully removed the key').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully removed the key')).'
';
$stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = "", tfa = 0, pgp_verified = 0 WHERE username = ?;' );
$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
} else {
@@ -142,7 +142,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
gnupg_setarmor( $gpg, 1 );
$imported_key = gnupg_import( $gpg, $pgp_key );
if ( ! $imported_key ) {
- $msg .= '
'._('There was an error importing the key').'
';
+ $msg .= '
'.htmlspecialchars(_('There was an error importing the key')).'
';
} else {
$has_this_email = false;
$key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] );
@@ -155,21 +155,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
}
}
if ( $has_this_email ) {
- $msg .= '
'._('Successfully imported the key').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully imported the key')).'
';
$stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = ?, tfa = 0, pgp_verified = 0 WHERE username = ?;' );
$stmt->execute( [ $pgp_key, $_SESSION[ 'email_user' ] ] );
} else {
- $msg .= '
' . sprintf( _('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.'), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '
';
+ $msg .= '
' . sprintf( htmlspecialchars(_('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.')), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '
';
}
}
}
} elseif ( isset( $_POST[ 'enable_2fa_code' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'enable_2fa' ) {
if ( $_POST[ 'enable_2fa_code' ] !== $_SESSION[ 'enable_2fa_code' ] ) {
- $msg .= '
'._('Sorry, the code was incorrect').'
';
+ $msg .= '
'.htmlspecialchars(_('Sorry, the code was incorrect')).'
';
} else {
$stmt = $db->prepare( 'UPDATE mailbox SET tfa = 1, pgp_verified = 1 WHERE username = ?;' );
$stmt->execute( [ $_SESSION[ 'email_user' ] ] );
- $msg .= '
'._('Successfully enabled 2FA').'
';
+ $msg .= '
'.htmlspecialchars(_('Successfully enabled 2FA')).'
';
}
}
}
@@ -178,21 +178,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
-
<?php echo _('E-Mail and XMPP - Manage account'); ?>
+
<?php echo htmlspecialchars(_('E-Mail and XMPP - Manage account')); ?>
+ content="">
-
-
+
+
-
+
@@ -213,15 +213,15 @@ foreach ( $key_info as $key ) {
}
$encrypted = gnupg_encrypt( $gpg, _('To login, please enter the following code to confirm ownership of your key:')."\n\n" . $_SESSION[ '2fa_code' ] . "\n" );
echo $msg;
-echo ''._('To login, please decrypt the following PGP encrypted message and confirm the code:').'
';
+echo ''.htmlspecialchars(_('To login, please decrypt the following PGP encrypted message and confirm the code:')).'
';
echo "$encrypted ";
?>
@@ -234,36 +234,36 @@ exit;
if ( ! empty( $_SESSION[ 'email_user' ] ) ){ ?>
$msg";
if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
@@ -280,58 +280,58 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
$tls_status = $stmt->fetch( PDO::FETCH_ASSOC );
?>
- '._('Yay, PGP based 2FA is enabled!').'
';
+ echo ''.htmlspecialchars(_('Yay, PGP based 2FA is enabled!')).'
';
} else {
$gpg = gnupg_init();
gnupg_seterrormode( $gpg, GNUPG_ERROR_WARNING );
@@ -352,7 +352,7 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
$key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] );
foreach ( $key_info as $key ) {
if ( ! $key[ 'can_encrypt' ] ) {
- echo ''._('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.').'
';
+ echo ''.htmlspecialchars(_('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.')).'
';
} else {
foreach ( $key[ 'subkeys' ] as $subkey ) {
gnupg_addencryptkey( $gpg, $subkey[ 'fingerprint' ] );
@@ -361,16 +361,16 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
}
$_SESSION[ 'enable_2fa_code' ] = bin2hex( random_bytes( 3 ) );
if ( $encrypted = gnupg_encrypt( $gpg, _('To enable 2FA, please enter the following code to confirm ownership of your key:'). "\n\n$_SESSION[enable_2fa_code]\n" ) ) {
- echo ''._( 'Enable 2FA').' ';
- echo ''._('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:').'
';
+ echo ''.htmlspecialchars(_( 'Enable 2FA')).' ';
+ echo ''.htmlspecialchars(_('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:')).'
';
echo "$encrypted ";
?>
@@ -381,33 +381,33 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
}
?>
- '._('Invalid CSRF token').'
';
+ $msg .= ''.htmlspecialchars(_('Invalid CSRF token')).'
';
}
if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) {
$ok = false;
- $msg .= ''._('Invalid captcha').'
';
+ $msg .= ''.htmlspecialchars(_('Invalid captcha')).'
';
}
$db = get_db_instance();
if ( ! preg_match( '/^([^+\/\'"]+?)(@([^@]+))?$/iu', $_POST[ 'user' ], $match ) ) {
$ok = false;
- $msg .= ''._('Invalid username. It may not contain a +, \', " or /.').'
';
+ $msg .= ''.htmlspecialchars(_('Invalid username. It may not contain a +, \', " or /.')).'
';
}
$user = mb_strtolower( $match[ 1 ] ?? '' );
$domain = $match[ 3 ] ?? 'danwin1210.de';
if ( $ok && ( empty( $_POST[ 'pwd' ] ) || empty( $_POST[ 'pwd2' ] ) || $_POST[ 'pwd' ] !== $_POST[ 'pwd2' ] ) ) {
$ok = false;
- $msg .= ''._('Passwords empty or don\'t match').'
';
+ $msg .= ''.htmlspecialchars(_('Passwords empty or don\'t match')).'
';
} elseif ( $ok ) {
$stmt = $db->prepare( 'SELECT target_domain FROM alias_domain WHERE alias_domain = ? AND active=1;' );
$stmt->execute( [ $domain ] );
@@ -41,15 +41,15 @@ if ( isset( $_POST[ 'user' ] ) ) {
$stmt->execute( [ $domain ] );
if ( ! $stmt->fetch() ) {
$ok = false;
- $msg .= ''._('The domain you specified is not allowed').'
';
+ $msg .= ''.htmlspecialchars(_('The domain you specified is not allowed')).'
';
} else {
$validator = new EmailValidator();
if ( ! $validator->isValid( "$user@$domain", new NoRFCWarningsValidation() ) ) {
$ok = false;
- $msg .= ''._('The email address you specified is not valid').'
';
+ $msg .= ''.htmlspecialchars(_('The email address you specified is not valid')).'
';
} elseif(in_array($user, RESERVED_USERNAMES, true)){
$ok = false;
- $msg .= ''._('The username you specified is reserved').'
';
+ $msg .= ''.htmlspecialchars(_('The username you specified is reserved')).'
';
}
}
@@ -67,7 +67,7 @@ if ( isset( $_POST[ 'user' ] ) ) {
$stmt->execute( [ "$user@$domain", "$user@$domain", $domain ] );
$stmt = $db->prepare( 'INSERT INTO mailbox (username, password, quota, local_part, domain, created, modified, password_hash_type, openpgpkey_wkd) VALUES(?, ?, 51200000, ?, ?, NOW(), NOW(), ?, ?);' );
$stmt->execute( [ "$user@$domain", $hash, $user, $domain, '{ARGON2ID}', z_base32_encode( hash( 'sha1', mb_strtolower( $user ), true ) ) ] );
- $msg .= ''._('Successfully created new mailbox!').'
';
+ $msg .= ''.htmlspecialchars(_('Successfully created new mailbox!')).'
';
}
}
}
@@ -75,50 +75,50 @@ if ( isset( $_POST[ 'user' ] ) ) {
- <?php echo _('E-Mail and XMPP - Register'); ?>
+ <?php echo htmlspecialchars(_('E-Mail and XMPP - Register')); ?>
-
$msg"; ?>