From 174978ac3e9ae9624b1b1ebf4c69153a4fdb2237 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Tue, 12 Sep 2023 19:48:23 +0200 Subject: [PATCH] Escape translations --- common_config.php | 6 +- www/admin.php | 386 ++++++++++++++++++++--------------------- www/index.php | 46 ++--- www/manage_account.php | 130 +++++++------- www/register.php | 38 ++-- 5 files changed, 300 insertions(+), 306 deletions(-) diff --git a/common_config.php b/common_config.php index c1fd542..0bb5811 100644 --- a/common_config.php +++ b/common_config.php @@ -256,7 +256,7 @@ function validate_email_list( array $targets, string &$msg = '' ): string if ( $validator->isValid( $email, new NoRFCWarningsValidation() ) ) { $alias_goto .= ",$email"; } else { - $msg .= ''; + $msg .= ''; } } return ltrim( $alias_goto, ',' ); @@ -282,7 +282,7 @@ function check_domain_access( string &$email, string &$msg = '' ): bool $managed_domains [] = $tmp[ 'domain' ]; } if ( ! in_array( $domain, $managed_domains, true ) ) { - $msg .= ''; + $msg .= ''; return false; } } @@ -293,7 +293,7 @@ function check_email_valid( string $email, string &$msg = '' ): bool { $validator = new EmailValidator(); if ( ! $validator->isValid( $email, new NoRFCWarningsValidation() ) ) { - $msg .= ''; + $msg .= ''; return false; } return true; diff --git a/www/admin.php b/www/admin.php index 9784cf1..f7c989e 100644 --- a/www/admin.php +++ b/www/admin.php @@ -18,7 +18,7 @@ if ( ! empty( $_SESSION[ 'email_admin_user' ] ) ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } } if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { 
@@ -30,17 +30,17 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'login' ) { if ( empty( $_POST[ 'user' ] ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } $stmt = $db->prepare( 'SELECT username, password, password_hash_type, superadmin FROM admin WHERE username = ? AND active = 1;' ); $stmt->execute( [ $_POST[ 'user' ] ] ); if ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) { if ( empty( $_POST[ 'pwd' ] ) || ! password_verify( $_POST[ 'pwd' ], $tmp[ 'password' ] ) ) { - $msg .= ''; + $msg .= ''; } else { $_SESSION[ 'email_admin_user' ] = $tmp[ 'username' ]; $_SESSION[ 'email_admin_superadmin' ] = (bool) $tmp[ 'superadmin' ]; @@ -52,7 +52,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { } } } else { - $msg .= ''; + $msg .= ''; } } elseif ( ! empty( $_SESSION[ 'email_admin_user' ] ) ) { if ( $_POST[ 'action' ] === 'update_alias' ) { @@ -69,72 +69,72 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt->execute( [ $alias_goto, $_SESSION[ 'email_admin_user' ] ] ); } elseif ( $_POST[ 'action' ] === 'delete_admin' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; $msg .= ''; - $msg .= '
'; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; $msg .= ''; - $msg .= '
'; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_alias_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; $msg .= ''; - $msg .= '
'; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_alias' && ! empty( $_POST[ 'alias' ] ) ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; $msg .= ''; - $msg .= '
'; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_mailbox' && ! empty( $_POST[ 'user' ] ) ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; $msg .= ''; - $msg .= '
'; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_admin2' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { if ( $_SESSION[ 'email_admin_user' ] === $_POST[ 'admin' ] ) { - $msg .= ''; + $msg .= ''; } else { $stmt = $db->prepare( 'DELETE FROM admin WHERE username = ?;' ); $stmt->execute( [ $_POST[ 'admin' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'delete_domain2' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'UPDATE domain SET active = -1 WHERE domain = ?;' ); $stmt->execute( [ $_POST[ 'domain' ] ] ); - $msg .= ''; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_alias_domain2' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'DELETE FROM alias_domain WHERE alias_domain = ?;' ); $stmt->execute( [ $_POST[ 'alias_domain' ] ] ); - $msg .= ''; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'delete_alias2' && ! empty( $_POST[ 'alias' ] ) ) { if ( check_domain_access( $_POST[ 'alias' ], $msg ) ) { $stmt = $db->prepare( 'DELETE FROM alias WHERE address = ?;' ); $stmt->execute( [ $_POST[ 'alias' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'delete_mailbox2' && ! empty( $_POST[ 'user' ] ) ) { if ( check_domain_access( $_POST[ 'user' ], $msg ) ) { $stmt = $db->prepare( 'UPDATE mailbox SET active = -2 WHERE username = ?;' ); $stmt->execute( [ $_POST[ 'user' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_edit_admin' && ! empty( $_POST[ 'admin' ] ) && ( $_SESSION[ 'email_admin_superadmin' ] || $_POST[ 'admin' ] === $_SESSION[ 'email_admin_user' ] ) ) { $stmt = $db->prepare( 'SELECT null FROM admin WHERE username = ?;' ); $stmt->execute( [ $_POST[ 'admin' ] ] ); if ( ! $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { if ( ! 
empty( $_POST[ 'pass_update' ] ) ) { if ( empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) { - $msg .= ''; + $msg .= ''; } else { $hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID ); $stmt = $db->prepare( 'UPDATE admin SET password_hash_type = "{ARGON2ID}", password = ?, modified = NOW() WHERE username = ?;' ); $stmt->execute( [ $hash, $_POST[ 'admin' ] ] ); - $msg .= ''; + $msg .= ''; } } if ( $_SESSION[ 'email_admin_superadmin' ] ) { 
@@ -163,52 +163,52 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { } } } - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_new_admin' && ! empty( $_POST[ 'admin' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'SELECT null FROM admin WHERE username = ?;' ); $stmt->execute( [ $_POST[ 'admin' ] ] ); if ( $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { if ( empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) { - $msg .= ''; + $msg .= ''; } else { $hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID ); $active = isset( $_POST[ 'active' ] ) ? 1 : 0; $superadmin = isset( $_POST[ 'superadmin' ] ) ? 1 : 0; $stmt = $db->prepare( 'INSERT INTO admin (password_hash_type, password, superadmin, active, username, created, modified) VALUES ("{ARGON2ID}", ?, ?, ?, ?, NOW(), NOW());' ); $stmt->execute( [ $hash, $superadmin, $active, $_POST[ 'admin' ] ] ); - $msg .= ''; + $msg .= ''; } } } elseif ( $_POST[ 'action' ] === 'save_edit_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ?;' ); $stmt->execute( [ $_POST[ 'domain' ] ] ); if ( ! $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { $active = isset( $_POST[ 'active' ] ) ? 1 : 0; $stmt = $db->prepare( 'UPDATE domain set active = ?, modified = NOW() WHERE domain = ?;' ); $stmt->execute( [ $active, $_POST[ 'domain' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_edit_alis_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'SELECT null FROM alias_domain WHERE alias_domain = ?;' ); $stmt->execute( [ $_POST[ 'alias_domain' ] ] ); if ( ! $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { $active = isset( $_POST[ 'active' ] ) ? 
1 : 0; $stmt = $db->prepare( 'UPDATE alias_domain set active = ?, modified = NOW() WHERE alias_domain = ?;' ); $stmt->execute( [ $active, $_POST[ 'alias_domain' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_new_domain' && ! empty( $_POST[ 'domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ? UNION SELECT null FROM alias_domain WHERE alias_domain = ?;' ); $stmt->execute( [ $_POST[ 'domain' ], $_POST[ 'domain' ] ] ); if ( $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { $ascii_domain = idn_to_ascii($_POST['domain'], IDNA_NONTRANSITIONAL_TO_ASCII); $utf8_domain = idn_to_utf8($_POST['domain'], IDNA_NONTRANSITIONAL_TO_UNICODE); @@ -219,13 +219,13 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt = $db->prepare( 'INSERT INTO alias_domain (active, alias_domain, target_domain, created, modified) VALUES (1, ?, ?, NOW(), NOW());' ); $stmt->execute( [ $ascii_domain, $utf8_domain ] ); } - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_new_alias_domain' && ! empty( $_POST[ 'alias_domain' ] ) && $_SESSION[ 'email_admin_superadmin' ] ) { $stmt = $db->prepare( 'SELECT null FROM domain WHERE domain = ? UNION SELECT null FROM alias_domain WHERE alias_domain = ?;' ); $stmt->execute( [ $_POST[ 'alias_domain' ], $_POST[ 'alias_domain' ] ] ); if ( $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { $ascii_domain = idn_to_ascii($_POST['alias_domain'], IDNA_NONTRANSITIONAL_TO_ASCII); $utf8_domain = idn_to_utf8($_POST['alias_domain'], IDNA_NONTRANSITIONAL_TO_UNICODE); 
@@ -236,7 +236,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt = $db->prepare( 'INSERT INTO alias_domain (active, alias_domain, target_domain, created, modified) VALUES (?, ?, ?, NOW(), NOW());' ); $stmt->execute( [ $active, $ascii_domain, $_POST[ 'target_domain' ] ] ); } - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_new_alias' && ! empty( $_POST[ 'alias' ] ) && ! empty( $_POST[ 'target' ] ) ) { $ok = check_email_valid( $_POST[ 'alias' ], $msg ); @@ -249,7 +249,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt = $db->prepare( 'SELECT null FROM alias WHERE address = ?;' ); $stmt->execute( [ $_POST[ 'alias' ] ] ); if ( $stmt->fetch() ) { - $msg .= ''; + $msg .= ''; } else { $parser = new EmailParser( new EmailLexer() ); $parser->parse( $_POST[ 'alias' ] ); @@ -258,7 +258,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $enforce_tls_in = isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0; $stmt = $db->prepare( 'INSERT INTO alias (goto, address, domain, active, created, modified, enforce_tls_in) VALUES (?, ?, ?, ?, NOW(), NOW(), ?);' ); $stmt->execute( [ $alias_goto, $_POST[ 'alias' ], $domain, $active, $enforce_tls_in ] ); - $msg .= ''; + $msg .= ''; } } } elseif ( $_POST[ 'action' ] === 'save_edit_alias' && ! empty( $_POST[ 'alias' ] ) && ! empty( $_POST[ 'target' ] ) ) { @@ -273,7 +273,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $enforce_tls_in = isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0; $stmt = $db->prepare( 'UPDATE alias SET goto = ?, active = ?, enforce_tls_in = ?, modified = NOW() WHERE address = ?;' ); $stmt->execute( [ $alias_goto, $active, $enforce_tls_in, $_POST[ 'alias' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_edit_mailbox' && ! empty( $_POST[ 'user' ] ) ) { $ok = check_email_valid( $_POST[ 'user' ], $msg ); 
@@ -295,7 +295,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt->execute( [ $alias_goto, ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ), $_POST[ 'user' ] ] ); $stmt = $db->prepare( 'UPDATE mailbox SET enforce_tls_in = ?, enforce_tls_out = ?, active = ?, quota = ?, modified = NOW() WHERE username = ?;' ); $stmt->execute( [ ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ), $quota, $_POST[ 'user' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( $_POST[ 'action' ] === 'save_new_mailbox' && ! empty( $_POST[ 'user' ] ) ) { $email = $_POST[ 'user' ]; @@ -308,7 +308,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt->execute( [ $email, $email ] ); if ( $stmt->fetch() ) { $ok = false; - $msg .= ''; + $msg .= ''; } if ( $ok ) { $parser = new EmailParser( new EmailLexer() ); @@ -330,7 +330,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt->execute( [ $email, $alias_goto, $domain, ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ) ] ); $stmt = $db->prepare( 'INSERT INTO mailbox (username, password, quota, local_part, domain, created, modified, password_hash_type, openpgpkey_wkd, enforce_tls_in, enforce_tls_out, active) VALUES(?, ?, ?, ?, ?, NOW(), NOW(), ?, ?, ?, ?, ?);' ); $stmt->execute( [ $email, $hash, $quota, $user, $domain, '{ARGON2ID}', z_base32_encode( hash( 'sha1', mb_strtolower( $user ), true ) ), ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), ( isset( $_POST[ 'active' ] ) ? 1 : 0 ) ] ); - $msg .= ''; + $msg .= ''; } } } elseif ( $_POST[ 'action' ] === 'save_password_mailbox' && ! empty( $_POST[ 'user' ] ) ) { 
@@ -340,12 +340,12 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { } if ( $ok ) { if ( empty( $_POST[ 'pass_update' ] ) || empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) { - $msg .= ''; + $msg .= ''; } else { $hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID ); $stmt = $db->prepare( 'UPDATE mailbox SET password_hash_type = "{ARGON2ID}", password = ? WHERE username = ?;' ); $stmt->execute( [ $hash, $_POST[ 'user' ] ] ); - $msg .= ''; + $msg .= ''; } } } elseif ( $_POST[ 'action' ] === 'disable_tfa_mailbox' && ! empty( $_POST[ 'user' ] ) ) { @@ -356,7 +356,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { if ( $ok ) { $stmt = $db->prepare( 'UPDATE mailbox SET tfa = 0 WHERE username = ?;' ); $stmt->execute( [ $_POST[ 'user' ] ] ); - $msg .= ''; + $msg .= ''; } } } @@ -366,37 +366,37 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { - <?php echo _('E-Mail and XMPP - Admin management'); ?> + <?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?> - + - - + + - + -

+

-

| - | + | | | | | | | | | | | |

$msg

"; @@ -404,22 +404,22 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) {
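Review bot: The new `<?php echo htmlspecialchars(_('E-Mail and XMPP - Admin management')); ?>` relies on htmlspecialchars() defaults; on PHP older than 8.1 the default flags are ENT_COMPAT, so the apostrophes that several of these translations contain (e.g. "doesn't") are left unescaped, which matters wherever a translated string lands in a single-quoted attribute. Pass the flags explicitly, `htmlspecialchars( _('…'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )`, or, since the pattern now repeats a few hundred times across this commit, add one helper in common_config.php, `function esc( string $s ): string { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }`, and call `esc( _('…') )` at each site. If the helper wraps `_()` itself, xgettext will need the new keyword added to its extraction options. The same default-argument calls appear in the `<title>` hunks of www/index.php, www/manage_account.php and www/register.php.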
-
+
-
+
- +

@@ -464,26 +464,23 @@ function send_manage_admins(): void $db = get_db_instance(); $stmt = $db->query( 'SELECT username, modified, active FROM admin;' ); ?> -

+

-
-
-
-
+
+
+
+
fetch( PDO::FETCH_ASSOC ) ) { - $active = 'Disabled'; - if ( $tmp[ 'active' ] === 1 ) { - $active = 'Active'; - } - echo '
' . htmlspecialchars( $tmp[ 'username' ] ) . '
' . $active . '
' . $tmp[ 'modified' ] . '
'; + $active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled'); + echo '
' . htmlspecialchars( $tmp[ 'username' ] ) . '
' . htmlspecialchars($active) . '
' . $tmp[ 'modified' ] . '
'; } ?>
-

+

execute( [ $admin ] ); if ( $admin = $stmt->fetch( PDO::FETCH_ASSOC ) ) { ?> -

+

-
+
-
+
+ value="1">
-
+
+ value="1">
-
+ disabled>
+
+ disabled>
-
+
-
+
-
+
-
+
-
-
+
+
-
+
- +
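Review bot: The two-state active label is collapsed to a ternary here, `$active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled');`, and again in send_manage_alias_domains, while the identical two-state mapping in send_manage_aliases keeps the `$active = _('Disabled'); if ( … === 1 ) { $active = _('Active'); }` form; pick one shape for the two-state tables so the listing functions read alike. The three-state tables (domains, mailboxes) can keep the if/elseif chain. send_manage_admins begins above this hunk.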
@@ -615,30 +612,30 @@ function send_manage_domains(): void $stmt = $db->query( 'SELECT domain, modified, active FROM domain;' ); if ( $_SESSION[ 'email_admin_superadmin' ] ) { ?> -

+

-
-
-
-
+
+
+
+
fetch( PDO::FETCH_ASSOC ) ) { - $active = 'Disabled'; + $active = _('Disabled'); if ( $tmp[ 'active' ] === 1 ) { - $active = 'Active'; + $active = _('Active'); } elseif ( $tmp[ 'active' ] === -1 ) { - $active = 'Deleting'; + $active = _('Deleting'); } - echo '
' . htmlspecialchars( $tmp[ 'domain' ] ) . '
' . $active . '
' . $tmp[ 'modified' ] . '
'; + echo '
' . htmlspecialchars( $tmp[ 'domain' ] ) . '
' . htmlspecialchars($active) . '
' . $tmp[ 'modified' ] . '
'; } ?>
-

+

-

+

-
+
-
+
- +
@@ -672,29 +669,29 @@ function send_edit_domain(): void $stmt->execute( [ $_POST[ 'domain' ] ] ); if ( $admin = $stmt->fetch( PDO::FETCH_ASSOC ) ) { ?> -

+

+ value="1">
- +
- +
'._('Oops, this admin doesn\'t seem to exist.').'

'; + echo '

'.htmlspecialchars(_('Oops, this admin doesn\'t seem to exist.')).'

'; } } @@ -704,29 +701,26 @@ function send_manage_alias_domains(): void $stmt = $db->query( 'SELECT alias_domain, target_domain, modified, active FROM alias_domain;' ); if ( $_SESSION[ 'email_admin_superadmin' ] ) { ?> -

+

-
-
-
-
-
+
+
+
+
+
fetch( PDO::FETCH_ASSOC ) ) { - $active = 'Disabled'; - if ( $tmp[ 'active' ] === 1 ) { - $active = 'Active'; - } - echo '
' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '
' . htmlspecialchars( $tmp[ 'target_domain' ] ) . '
' . $active . '
' . $tmp[ 'modified' ] . '
'; + $active = $tmp[ 'active' ] === 1 ? _('Active') : _('Disabled'); + echo '
' . htmlspecialchars( $tmp[ 'alias_domain' ] ) . '
' . htmlspecialchars( $tmp[ 'target_domain' ] ) . '
' . htmlspecialchars($active) . '
' . $tmp[ 'modified' ] . '
'; } ?>
-

+

-

+

-
+
-
+
-
+
- +
@@ -764,35 +758,35 @@ function send_edit_alias_domain(): void $stmt->execute( [ $_POST[ 'alias_domain' ] ] ); if ( $alias = $stmt->fetch( PDO::FETCH_ASSOC ) ) { ?> -

+

-
+
+ value="1">
- +
- +
'._('Oops, this alias domain doesn\'t seem to exist.').'

'; + echo '

'.htmlspecialchars(_('Oops, this alias domain doesn\'t seem to exist.')).'

'; } } @@ -802,54 +796,54 @@ function send_manage_aliases(): void $stmt = $db->prepare( 'SELECT a.address, a.goto, a.modified, a.active FROM alias AS a LEFT JOIN mailbox AS m ON (m.username=a.address AND m.active=1) WHERE a.domain IN (SELECT domain FROM domain_admins WHERE username = ?) AND isnull(m.username) limit 200;' ); $stmt->execute( [ $_SESSION[ 'email_admin_user' ] ] ); ?> -

+

-
-
-
-
-
+
+
+
+
+
fetch( PDO::FETCH_ASSOC ) ) { - $active = 'Disabled'; + $active = _('Disabled'); if ( $tmp[ 'active' ] === 1 ) { - $active = 'Active'; + $active = _('Active'); } - echo '
' . htmlspecialchars( $tmp[ 'address' ] ) . '
' . htmlspecialchars( $tmp[ 'goto' ] ) . '
' . $active . '
' . $tmp[ 'modified' ] . '
'; + echo '
' . htmlspecialchars( $tmp[ 'address' ] ) . '
' . htmlspecialchars( $tmp[ 'goto' ] ) . '
' . htmlspecialchars($active) . '
' . $tmp[ 'modified' ] . '
'; } ?>
-

+

-

+

-
+
-
+
-
+
-
+
- +
@@ -863,39 +857,39 @@ function send_edit_alias(): void $stmt->execute( [ $_POST[ 'alias' ] ] ); if ( $alias = $stmt->fetch( PDO::FETCH_ASSOC ) ) { ?> -

+

-
+
+ value="1">
+ value="1">
- +
- +
'._('Oops, this alias doesn\'t seem to exist.').'

'; + echo '

'.htmlspecialchars(_('Oops, this alias doesn\'t seem to exist.')).'

'; } } @@ -905,73 +899,73 @@ function send_manage_mailboxes(): void $stmt = $db->prepare( 'SELECT username, modified, active FROM mailbox WHERE domain IN (SELECT domain FROM domain_admins WHERE username = ?) limit 200;' ); $stmt->execute( [ $_SESSION[ 'email_admin_user' ] ] ); ?> -

+

-
-
-
-
+
+
+
+
fetch( PDO::FETCH_ASSOC ) ) { $active = 'Disabled'; if ( $tmp[ 'active' ] === 1 ) { - $active = 'Active'; + $active = _('Active'); } elseif ( $tmp[ 'active' ] === -1 ) { - $active = 'Disabling'; + $active = _('Disabling'); } elseif ( $tmp[ 'active' ] === -2 ) { - $active = 'Deleting'; + $active = _('Deleting'); } - echo '
' . htmlspecialchars( $tmp[ 'username' ] ) . '
' . $active . '
' . $tmp[ 'modified' ] . '
'; + echo '
' . htmlspecialchars( $tmp[ 'username' ] ) . '
' . htmlspecialchars($active) . '
' . $tmp[ 'modified' ] . '
'; } ?>
-

+

-

+

-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
- +
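Review bot: The default label in send_manage_mailboxes was missed: `$active = 'Disabled';` is still a bare literal while the sibling branches were changed to `_('Active')`, `_('Disabling')` and `_('Deleting')`, and send_manage_domains translates its default in this same commit. Change it to `$active = _('Disabled');` so the mailbox list is fully translated; the following `htmlspecialchars($active)` already covers the output. send_manage_mailboxes starts before this hunk.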
@@ -987,79 +981,79 @@ function send_edit_mailbox(): void $aliases = explode( ',', $email[ 'goto' ] ); $aliases_to = implode( "\n", array_diff( $aliases, [ $_REQUEST[ 'user' ] ] ) ); ?> -

+

-
+
-
+
>
+ value="1">
+ value="1">
+ value="1">
- +
-

+

-
+
-
+
- +
-

+

- +
- +
'._('Oops, this mailbox doesn\'t seem to exist.').'

'; + echo '

'.htmlspecialchars(_('Oops, this mailbox doesn\'t seem to exist.')).'

'; } } diff --git a/www/index.php b/www/index.php index 435a951..6a72a93 100644 --- a/www/index.php +++ b/www/index.php @@ -3,41 +3,41 @@ include_once('../common_config.php'); global $language, $dir, $locale; ?> -<?php echo _('E-Mail and XMPP'); ?> +<?php echo htmlspecialchars(_('E-Mail and XMPP')); ?> - + - - + + - +
-

| | | | |

-

-

-

contact me. Your E-Mail address will be %2$s'), CONTACT_URL, CLEARNET_SERVER); ?>

-

download GnuPG or similar software for it. Once you have generated your PGP key, you can add it to your account to make use of WKD automatic discovery for mail clients.'); ?>

-

SquirrelMail is a very old mail client which works without any JavaScript and is thus the most popular mail client among darknet users. However, it hasn\'t been under development for many years and does not support all features that mail has to offer. You may see strange attachments that should have been inlined in your email, such as PGP/MIME encrypted email messages. A more modern client is SnappyMail, which also supports PGP encryption within your browser and is more similar to what you may be used to from other mail services. SnappyMail requires JavaScript though, so SquirrelMail is for you if you do not trust executing JavaScript in your browser. Alternatively, you can simply use your favourite desktop mail client and configure it with the settings given below.'); ?>

-

-

+

| | | | |

+

+

+

'.htmlspecialchars(_('contact me')).'', CLEARNET_SERVER); ?>

+

'.htmlspecialchars(_('download GnuPG')).'', ''.htmlspecialchars(_('add it to your account')).''); ?>

+

'.htmlspecialchars(_('SquirrelMail')).'', ''.htmlspecialchars(_('SnappyMail')).''); ?>

+

+

-
-
-
- +
+
+
+

-

-

-


-
-
-

+

+

+


+
+
+

diff --git a/www/manage_account.php b/www/manage_account.php index f01a0cd..837d5af 100644 --- a/www/manage_account.php +++ b/www/manage_account.php @@ -14,7 +14,7 @@ if ( ! empty( $_SESSION[ 'email_user' ] ) ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } } @@ -27,7 +27,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { unset( $_SESSION[ '2fa_code' ] ); unset( $_SESSION[ 'pgp_key' ] ); } else { - $msg .= '

'._('Wrong 2FA code').'

'; + $msg .= '

'.htmlspecialchars(_('Wrong 2FA code')).'

'; } } if ( ! isset( $_SESSION[ '2fa_code' ] ) && isset( $_POST[ 'action' ] ) ) { @@ -35,16 +35,16 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } elseif ( $_POST[ 'action' ] === 'login' ) { $ok = true; if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } if ( empty( $_POST[ 'user' ] ) || ! preg_match( '/^([^+]+?)(@([^@]+))?$/i', $_POST[ 'user' ], $match ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } if ( $ok ) { $db = get_db_instance(); @@ -60,7 +60,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { if ( $tmp = $stmt->fetch( PDO::FETCH_ASSOC ) ) { if ( empty( $_POST[ 'pwd' ] ) || ! password_verify( $_POST[ 'pwd' ], $tmp[ 'password' ] ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } else { $_SESSION[ 'email_user' ] = $tmp[ 'username' ]; $stmt = $db->prepare( 'UPDATE mailbox SET last_login = ? WHERE username = ? AND active = 1;' ); @@ -78,7 +78,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { } } } else { - $msg .= ''; + $msg .= ''; } } } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_settings' ) { 
@@ -97,21 +97,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $stmt->execute( [ ( isset( $_POST[ 'enforce_tls_in' ] ) ? 1 : 0 ), ( isset( $_POST[ 'enforce_tls_out' ] ) ? 1 : 0 ), $_SESSION[ 'email_user' ] ] ); } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_password' ) { if ( empty( $_POST[ 'pass_update' ] ) || empty( $_POST[ 'pass_update2' ] ) || $_POST[ 'pass_update' ] !== $_POST[ 'pass_update2' ] ) { - $msg .= ''; + $msg .= ''; } else { $hash = password_hash( $_POST[ 'pass_update' ], PASSWORD_ARGON2ID ); $stmt = $db->prepare( 'UPDATE mailbox SET password_hash_type = "{ARGON2ID}", password = ? WHERE username = ? AND active = 1;' ); $stmt->execute( [ $hash, $_SESSION[ 'email_user' ] ] ); - $msg .= ''; + $msg .= ''; } } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account' ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; - $msg .= '
'; + $msg .= ''; } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account' ) { - $msg .= ''; + $msg .= ''; $msg .= '
'; - $msg .= '
'; + $msg .= ''; } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'delete_account2' ) { $stmt = $db->prepare( 'DELETE FROM alias WHERE address = ?;' ); $stmt->execute( [ $_SESSION[ 'email_user' ] ] ); @@ -120,7 +120,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } elseif ( ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'disable_account2' ) { $stmt = $db->prepare( 'UPDATE alias SET active = 0 WHERE address = ?;' ); $stmt->execute( [ $_SESSION[ 'email_user' ] ] ); @@ -129,11 +129,11 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { $_SESSION = []; session_regenerate_id( true ); $_SESSION[ 'csrf_token' ] = sha1( uniqid() ); - $msg .= ''; + $msg .= ''; } elseif ( isset( $_POST[ 'pgp_key' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'update_pgp_key' ) { $pgp_key = trim( $_POST[ 'pgp_key' ] ); if ( empty( $pgp_key ) ) { - $msg .= '

'._('Successfully removed the key').'

'; + $msg .= '

'.htmlspecialchars(_('Successfully removed the key')).'

'; $stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = "", tfa = 0, pgp_verified = 0 WHERE username = ?;' ); $stmt->execute( [ $_SESSION[ 'email_user' ] ] ); } else { @@ -142,7 +142,7 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { gnupg_setarmor( $gpg, 1 ); $imported_key = gnupg_import( $gpg, $pgp_key ); if ( ! $imported_key ) { - $msg .= '

'._('There was an error importing the key').'

'; + $msg .= '

'.htmlspecialchars(_('There was an error importing the key')).'

'; } else { $has_this_email = false; $key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] ); @@ -155,21 +155,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { } } if ( $has_this_email ) { - $msg .= '

'._('Successfully imported the key').'

'; + $msg .= '

'.htmlspecialchars(_('Successfully imported the key')).'

'; $stmt = $db->prepare( 'UPDATE mailbox SET pgp_key = ?, tfa = 0, pgp_verified = 0 WHERE username = ?;' ); $stmt->execute( [ $pgp_key, $_SESSION[ 'email_user' ] ] ); } else { - $msg .= '

' . sprintf( _('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.'), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '

'; + $msg .= '

' . sprintf( htmlspecialchars(_('Oops, looks like the key is missing this email address as user id. Please add your address "%s" as user ID to your pgp key or create a new key pair.')), htmlspecialchars( $_SESSION[ 'email_user' ] ) ) . '

'; } } } } elseif ( isset( $_POST[ 'enable_2fa_code' ] ) && ! empty( $_SESSION[ 'email_user' ] ) && $_POST[ 'action' ] === 'enable_2fa' ) { if ( $_POST[ 'enable_2fa_code' ] !== $_SESSION[ 'enable_2fa_code' ] ) { - $msg .= '

'._('Sorry, the code was incorrect').'

'; + $msg .= '

'.htmlspecialchars(_('Sorry, the code was incorrect')).'

'; } else { $stmt = $db->prepare( 'UPDATE mailbox SET tfa = 1, pgp_verified = 1 WHERE username = ?;' ); $stmt->execute( [ $_SESSION[ 'email_user' ] ] ); - $msg .= '

'._('Successfully enabled 2FA').'

'; + $msg .= '

'.htmlspecialchars(_('Successfully enabled 2FA')).'

'; } } } @@ -178,21 +178,21 @@ if ( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { - <?php echo _('E-Mail and XMPP - Manage account'); ?> + <?php echo htmlspecialchars(_('E-Mail and XMPP - Manage account')); ?> + content=""> - - + + - +
@@ -213,15 +213,15 @@ foreach ( $key_info as $key ) { } $encrypted = gnupg_encrypt( $gpg, _('To login, please enter the following code to confirm ownership of your key:')."\n\n" . $_SESSION[ '2fa_code' ] . "\n" ); echo $msg; -echo '

'._('To login, please decrypt the following PGP encrypted message and confirm the code:').'

'; +echo '

'.htmlspecialchars(_('To login, please decrypt the following PGP encrypted message and confirm the code:')).'

'; echo "
$encrypted
"; ?>
-
+
- +
@@ -234,36 +234,36 @@ exit; if ( ! empty( $_SESSION[ 'email_user' ] ) ){ ?>
-

| | - + | - + - | | | |

+ | | | |

$msg

"; if ( empty( $_SESSION[ 'email_user' ] ) ) { ?>
-
+
-
+
- +
@@ -280,58 +280,58 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?> $tls_status = $stmt->fetch( PDO::FETCH_ASSOC ); ?>
-

-

-

+

+

+

-
+
-
+
>
-

-

+

+

-
+
>
-
+
>
- +
-

+

-
+
-
+
- +
@@ -342,7 +342,7 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?> $pgp_status = $stmt->fetch( PDO::FETCH_ASSOC ); if ( ! empty( $pgp_status[ 'pgp_key' ] ) ) { if ( $pgp_status[ 'tfa' ] === 1 ) { - echo '

'._('Yay, PGP based 2FA is enabled!').'

'; + echo '

'.htmlspecialchars(_('Yay, PGP based 2FA is enabled!')).'

'; } else { $gpg = gnupg_init(); gnupg_seterrormode( $gpg, GNUPG_ERROR_WARNING ); @@ -352,7 +352,7 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?> $key_info = gnupg_keyinfo( $gpg, $imported_key[ 'fingerprint' ] ); foreach ( $key_info as $key ) { if ( ! $key[ 'can_encrypt' ] ) { - echo '

'._('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.').'

'; + echo '

'.htmlspecialchars(_('Sorry, this key can\'t be used to encrypt a message to you. Your key may have expired or has been revoked.')).'

'; } else { foreach ( $key[ 'subkeys' ] as $subkey ) { gnupg_addencryptkey( $gpg, $subkey[ 'fingerprint' ] ); @@ -361,16 +361,16 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?> } $_SESSION[ 'enable_2fa_code' ] = bin2hex( random_bytes( 3 ) ); if ( $encrypted = gnupg_encrypt( $gpg, _('To enable 2FA, please enter the following code to confirm ownership of your key:'). "\n\n$_SESSION[enable_2fa_code]\n" ) ) { - echo '

'._( 'Enable 2FA').'

'; - echo '

'._('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:').'

'; + echo '

'.htmlspecialchars(_( 'Enable 2FA')).'

'; + echo '

'.htmlspecialchars(_('To enable 2FA using your PGP key, please decrypt the following PGP encrypted message and confirm the code:')).'

'; echo "
$encrypted
"; ?>
-
+
- +
@@ -381,33 +381,33 @@ if ( empty( $_SESSION[ 'email_user' ] ) ) { ?> } ?> -

+

+ aria-label="">
- +
-

-

+

+

- +
- +
diff --git a/www/register.php b/www/register.php index a561162..b20dd66 100644 --- a/www/register.php +++ b/www/register.php @@ -15,22 +15,22 @@ if ( isset( $_POST[ 'user' ] ) ) { $ok = true; if ( $_SESSION[ 'csrf_token' ] !== $_POST[ 'csrf_token' ] ?? '' ) { $ok = false; - $msg .= ''; + $msg .= ''; } if ( ! check_captcha( $_POST[ 'challenge' ] ?? '', $_POST[ 'captcha' ] ?? '' ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } $db = get_db_instance(); if ( ! preg_match( '/^([^+\/\'"]+?)(@([^@]+))?$/iu', $_POST[ 'user' ], $match ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } $user = mb_strtolower( $match[ 1 ] ?? '' ); $domain = $match[ 3 ] ?? 'danwin1210.de'; if ( $ok && ( empty( $_POST[ 'pwd' ] ) || empty( $_POST[ 'pwd2' ] ) || $_POST[ 'pwd' ] !== $_POST[ 'pwd2' ] ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } elseif ( $ok ) { $stmt = $db->prepare( 'SELECT target_domain FROM alias_domain WHERE alias_domain = ? AND active=1;' ); $stmt->execute( [ $domain ] ); @@ -41,15 +41,15 @@ if ( isset( $_POST[ 'user' ] ) ) { $stmt->execute( [ $domain ] ); if ( ! $stmt->fetch() ) { $ok = false; - $msg .= ''; + $msg .= ''; } else { $validator = new EmailValidator(); if ( ! $validator->isValid( "$user@$domain", new NoRFCWarningsValidation() ) ) { $ok = false; - $msg .= ''; + $msg .= ''; } elseif(in_array($user, RESERVED_USERNAMES, true)){ $ok = false; - $msg .= ''; + $msg .= ''; } } @@ -67,7 +67,7 @@ if ( isset( $_POST[ 'user' ] ) ) { $stmt->execute( [ "$user@$domain", "$user@$domain", $domain ] ); $stmt = $db->prepare( 'INSERT INTO mailbox (username, password, quota, local_part, domain, created, modified, password_hash_type, openpgpkey_wkd) VALUES(?, ?, 51200000, ?, ?, NOW(), NOW(), ?, ?);' ); $stmt->execute( [ "$user@$domain", $hash, $user, $domain, '{ARGON2ID}', z_base32_encode( hash( 'sha1', mb_strtolower( $user ), true ) ) ] ); - $msg .= ''; + $msg .= ''; } } } 
@@ -75,50 +75,50 @@ if ( isset( $_POST[ 'user' ] ) ) { - <?php echo _('E-Mail and XMPP - Register'); ?> + <?php echo htmlspecialchars(_('E-Mail and XMPP - Register')); ?> - + - - + + - +
-

| | | | | +

| | | | |

$msg

"; ?>
-
+
-
+
-
+
-
+
- +