From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/settings/edit_response.inc |   26 +++++++++++++-------------
 1 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/program/steps/settings/edit_response.inc b/program/steps/settings/edit_response.inc
index 371d7ec..7f3ac50 100644
--- a/program/steps/settings/edit_response.inc
+++ b/program/steps/settings/edit_response.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/settings/edit_response.inc                              |
  |                                                                       |
@@ -35,7 +35,7 @@
 // save response
 if ($RCMAIL->action == 'save-response' && isset($_POST['_name']) && !$RESPONSE_RECORD['static']) {
     $name = trim(rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST));
-    $text = trim(rcube_utils::get_input_value('_text', rcube_utils::INPUT_POST));
+    $text = trim(rcube_utils::get_input_value('_text', rcube_utils::INPUT_POST, true));
 
     if (!empty($name) && !empty($text)) {
         $dupes = 0;
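Review bot: Passing `true` as the third argument of `rcube_utils::get_input_value()` turns off tag stripping for `_text`, so the saved response text can now carry raw markup and every place that renders it has to escape it. The only sink visible in this patch is the `rcube_output::get_edit_field('text', $RESPONSE_RECORD['text'], …, 'textarea')` call in the last hunk. Whether that helper encodes the value is not shown here and should be confirmed, along with any other code that reads stored responses. A comment on the changed line would record the intent, for example `// allow_html: keep literal "<...>" in the response text; the value must be escaped on output`. The `if` body continues outside the hunk.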
@@ -70,10 +70,16 @@
     }
 }
 
+$OUTPUT->set_env('readonly', !empty($RESPONSE_RECORD['static']));
+$OUTPUT->add_handler('responseform', 'rcube_response_form');
+$OUTPUT->set_pagetitle($RCMAIL->gettext($RCMAIL->action == 'add-response' ? 'addresponse' : 'editresponse'));
+
+$OUTPUT->send('responseedit');
+
 
 function rcube_response_form($attrib)
 {
-    global $RCMAIL, $OUTPUT, $RESPONSE_RECORD;
+    global $RCMAIL, $RESPONSE_RECORD;
 
     // Set form tags and hidden fields
     $disabled = !empty($RESPONSE_RECORD['static']);
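Review bot: The page title for the `add-response` action now uses the label key `addresponse` instead of `savenewresponse`, but the diffstat lists only this file, so that key must already exist in the localization files; this should be confirmed before merge. Separately, `$OUTPUT->send('responseedit')` now sits above `rcube_response_form()`, whose name is registered as a string handler. That works only because PHP declares unconditional top-level functions at compile time. A short comment such as `// handler is defined below; top-level functions are declared before execution` would warn a later editor against wrapping the function in a condition. The body of `rcube_response_form()` continues outside this hunk.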
@@ -85,23 +91,17 @@
     $out = "$form_start\n";
 
     $table = new html_table(array('cols' => 2));
-    $label = $RCMAIL->gettext('responsename');
 
     $table->add('title', html::label('ffname', rcube::Q($RCMAIL->gettext('responsename'))));
-    $table->add(null, rcube_output::get_edit_field('name', $RESPONSE_RECORD['name'], array('id' => 'ffname', 'size' => $attrib['size'], 'disabled' => $disabled), 'text'));
+    $table->add(null, rcube_output::get_edit_field('name', $RESPONSE_RECORD['name'],
+        array('id' => 'ffname', 'size' => $attrib['size'], 'disabled' => $disabled), 'text'));
 
     $table->add('title', html::label('fftext', rcube::Q($RCMAIL->gettext('responsetext'))));
-    $table->add(null, rcube_output::get_edit_field('text', $RESPONSE_RECORD['text'], array('id' => 'fftext', 'size' => $attrib['textareacols'], 'rows' => $attrib['textarearows'], 'disabled' => $disabled), 'textarea'));
+    $table->add(null, rcube_output::get_edit_field('text', $RESPONSE_RECORD['text'],
+        array('id' => 'fftext', 'size' => $attrib['textareacols'], 'rows' => $attrib['textarearows'], 'disabled' => $disabled), 'textarea'));
 
     $out .= $table->show($attrib);
     $out .= $form_end;
 
     return $out;
 }
-
-$OUTPUT->set_env('readonly', !empty($RESPONSE_RECORD['static']));
-$OUTPUT->add_handler('responseform', 'rcube_response_form');
-$OUTPUT->set_pagetitle($RCMAIL->gettext($RCMAIL->action == 'add-response' ? 'savenewresponse' : 'editresponse'));
-
-$OUTPUT->send('responseedit');
-

--
Gitblit v1.9.1