From c81a4c421b03c456e0e7c4e244885d11397dc0ba Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Wed, 9 Aug 2023 17:12:16 +0300
Subject: [PATCH] Fix to address XSS issues `#1`
---
 mailbox/list_folders.cgi | 7 ++++++-
 mailbox/list_ifolders.cgi | 4 ++++
 mailbox/view_mail.cgi | 6 +++---
 mailbox/webmin_menu.pl | 2 +-
 4 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/mailbox/list_folders.cgi b/mailbox/list_folders.cgi
index d891ee7e..0e41762e 100755
--- a/mailbox/list_folders.cgi
+++ b/mailbox/list_folders.cgi
@@ -28,18 +28,23 @@ print &ui_hidden_end("instr");
 print &ui_form_start("delete_folders.cgi", "post");
 my @tds = ( "width=5" );
 my @folders = &list_folders_sorted();
+foreach my $folder (@folders) {
+ $folder->{'file'} = &html_escape($folder->{'file'})
+ if ($folder->{'file'});
+ }
 print &ui_columns_start([ "", $text{'folders_name'}, $text{'folders_path'}, $text{'folders_type'}, $text{'folders_size'}, $text{'folders_action'} ], undef, 0, \@tds);
+ # var_dump(\@folders);
 foreach my $f (@folders) {
 my @cols;
 my $deletable = 0;
 if ($f->{'inbox'} || $f->{'drafts'} || $f->{'spam'}) {
 # Inbox, drafs or spam folder which cannot be edited
- push(@cols, $f->{'name'});
+ push(@cols, &html_escape($f->{'name'}));
 }
 elsif ($f->{'type'} == 2) {
 # Link for editing POP3 folder
diff --git a/mailbox/list_ifolders.cgi b/mailbox/list_ifolders.cgi
index 807e398c..9f3e92b9 100755
--- a/mailbox/list_ifolders.cgi
+++ b/mailbox/list_ifolders.cgi
@@ -12,6 +12,10 @@ require './mailbox-lib.pl';
 print &ui_form_start("delete_folders.cgi", "post");
 my @tds = ( "width=5" );
 my @folders = &list_folders_sorted();
+foreach my $folder (@folders) {
+ $folder->{'file'} = &html_escape($folder->{'file'})
+ if ($folder->{'file'});
+ }
 my @adders = ( "$text{'folders_addimap'}",
 "$text{'folders_addcomp'}",
 "$text{'folders_addvirt'}" );
diff --git a/mailbox/view_mail.cgi b/mailbox/view_mail.cgi
index 819e71bd..35dd3d61 100755
--- a/mailbox/view_mail.cgi
+++ b/mailbox/view_mail.cgi
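Review bot: The new loop at the top of the list_folders.cgi hunk HTML-escapes `$folder->{'file'}` in place on the hashrefs returned by `&list_folders_sorted()`, so every later use of `file` in the script — including any that treats it as a filesystem path or URL parameter rather than display text — now receives the escaped string, and the identical loop in the list_ifolders.cgi hunk has the same effect. Escaping at the point of output instead, e.g. `push(@cols, &html_escape($f->{'file'}))` where the path column is built, keeps the data intact and avoids double-encoding if a consumer already escapes; the rest of the per-folder loop is outside the hunk, so I cannot see how `file` is used there. The `if ($folder->{'file'})` guard also skips a folder whose file is literally `0`; `if (defined $folder->{'file'})` is the safer test. The `&html_escape($f->{'name'})` change covers only the inbox/drafts/spam branch, and the `elsif` branches that follow are outside the hunk, so please confirm the name is escaped on those paths too. Finally, `+ # var_dump(\@folders);` is a leftover debugging comment and should be dropped before merge.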
@@ -521,15 +521,15 @@ if (!@sub) {
 if ($mail->{'sortidx'} != 0) {
 my $mailprv = $beside[$prv];
 $left = "view_mail.cgi?id=".&urlize($mailprv->{'id'}).
- "&folder=$in{'folder'}&start=$in{'start'}";
+ "&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}";
 }
 if ($mail->{'sortidx'} < $c-1) {
 my $mailnxt = $beside[$nxt];
 $right = "view_mail.cgi?id=".&urlize($mailnxt->{'id'}).
- "&folder=$in{'folder'}&start=$in{'start'}";
+ "&folder=@{[&urlize($in{'folder'})]}&start=$in{'start'}";
 }
 print &ui_page_flipper(&text('view_desc', $mail->{'sortidx'}+1,
- $folder->{'name'}),
+ &html_escape($folder->{'name'})),
 undef, undef, $left, $right);
 }
 else {
diff --git a/mailbox/webmin_menu.pl b/mailbox/webmin_menu.pl
index d1693106..2a1fd9d0 100644
--- a/mailbox/webmin_menu.pl
+++ b/mailbox/webmin_menu.pl
@@ -51,7 +51,7 @@ sub list_webmin_menu
 my $item = { 'type' => 'item',
 'id' => 'folder_'.$fid,
 'folder' => 1,
- 'desc' => $f->{'name'},
+ 'desc' => &html_escape($f->{'name'}),
 'link' => '/'.$module_name.
 '/index.cgi?id='.&urlize($fid) };
 if ($f->{'type'} == 6 &&
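Review bot: In both `$left` and `$right` the view_mail.cgi hunk now URL-encodes `$in{'folder'}` but still interpolates `$in{'start'}` raw into the same query string, so the request-parameter class that motivated the fix is only half covered unless `start` is validated earlier in the script, which is outside the hunk. Plain concatenation covers both values and reads more clearly than the `@{[ ... ]}` interpolation trick: `"&folder=".&urlize($in{'folder'})."&start=".&urlize($in{'start'});` for each of the two added lines. Whether `$left`/`$right` are additionally attribute-escaped by `&ui_page_flipper` is not visible here; the enclosing `if (!@sub)` block starts before and ends after the hunk.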
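Review bot: `'desc' => &html_escape($f->{'name'})` in the webmin_menu.pl hunk escapes at data-construction time, but whether the menu renderer that consumes `desc` escapes it again is not visible here; if it does, a folder name containing `&` will render as `&amp;amp;`. A one-line comment such as `# desc is emitted as raw HTML by the menu, so escape here` above that line would record the assumption for the next maintainer, or the escaping should move to the renderer if that is where other `desc` values are escaped. The enclosing `sub list_webmin_menu` starts before and ends after the hunk.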