Fix mail format + add token in form BT#15596

6 years ago · 3a6e1f17ff
parent f754b4f022
commit 3a6e1f17ff
1 changed files with 44 additions and 31 deletions
--- a/main/inc/email_editor.php
+++ b/main/inc/email_editor.php
@ -68,39 +68,52 @@ $defaults = [
 $form->setDefaults($defaults);

 if ($form->validate()) {
-    $values = $form->getSubmitValues();
-    $text = Security::remove_XSS($values['email_text'])."\n\n---\n".get_lang('EmailSentFromLMS').' '.api_get_path(WEB_PATH);
-    $email_administrator = Security::remove_XSS($values['dest']);
-    $title = Security::remove_XSS($values['email_title']);
-    if (!empty($_user['mail'])) {
-        api_mail_html(
-            '',
-            $email_administrator,
-            $title,
-            $text,
-            api_get_person_name($_user['firstname'], $_user['lastname']),
-            '',
-            [
-                'reply_to' => [
-                    'mail' => $_user['mail'],
-                    'name' => api_get_person_name($_user['firstname'], $_user['lastname']),
-                ],
-            ]
-        );
-    } else {
-        api_mail_html(
-            '',
-            $email_administrator,
-            $title,
-            $text,
-            get_lang('Anonymous')
-        );
+    $check = Security::check_token();
+    Security::clear_token();
+    if ($check) {
+        Security::clear_token();
+        $values = $form->getSubmitValues();
+        $text = nl2br($values['email_text']).'<br /><br /><br />'.get_lang('EmailSentFromLMS').' '.api_get_path(
+                WEB_PATH
+            );
+        $email_administrator = $values['dest'];
+        $title = $values['email_title'];
+
+        if (!empty($_user['mail'])) {
+            api_mail_html(
+                '',
+                $email_administrator,
+                $title,
+                $text,
+                api_get_person_name($_user['firstname'], $_user['lastname']),
+                $_user['mail'],
+                [
+                    'reply_to' => [
+                        'mail' => $_user['mail'],
+                        'name' => api_get_person_name($_user['firstname'], $_user['lastname']),
+                    ],
+                ]
+            );
+        } else {
+            api_mail_html(
+                '',
+                $email_administrator,
+                $title,
+                $text,
+                get_lang('Anonymous')
+            );
+        }
+
+        Display::addFlash(Display::return_message(get_lang('MessageSent')));
+        $orig = Session::read('origin_url');
+        Session::erase('origin_url');
+        header('Location:'.$orig);
+        exit;
    }
-    $orig = Session::read('origin_url');
-    Session::erase('origin_url');
-    header('Location:'.$orig);
-    exit;
 }
+
+$form->addHidden('sec_token', Security::get_token());
+
 Display::display_header(get_lang('SendEmail'));
 $form->display();
 Display::display_footer();