Encode passwords in emails send (hestiacp#3566)

jaapmarcus · web-flow · commit 5cc024322b68 · 2023-05-12T16:34:06.000+02:00
diff --git a/web/add/db/index.php b/web/add/db/index.php
@@ -182,9 +182,9 @@
 			: $_SESSION["APP_NAME"];
 
 		$mailtext = translate_email($template, [
-			"database" => $user_plain . "_" . $_POST["v_database"],
-			"username" => $user_plain . "_" . $_POST["v_dbuser"],
-			"password" => $_POST["v_password"],
+			"database" => htmlentities($user_plain . "_" . $_POST["v_database"]),
+			"username" => htmlentities($user_plain . "_" . $_POST["v_dbuser"]),
+			"password" => htmlentities($_POST["v_password"]),
 			"dbadmin" => $db_admin_link,
 			"appname" => $_SESSION["APP_NAME"],
 		]);
diff --git a/web/add/mail/index.php b/web/add/mail/index.php
@@ -492,7 +492,7 @@
 		$mailtext = translate_email($template, [
 			"domain" => htmlentities($_POST["v_domain"]),
 			"account" => htmlentities(strtolower($_POST["v_account"])),
-			"password" => $_POST["v_password"],
+			"password" => htmlentities($_POST["v_password"]),
 			"webmail" => $webmail . "." . htmlentities($_POST["v_domain"]),
 			"hostname" => "mail." . htmlentities($_POST["v_domain"]),
 			"appname" => $_SESSION["APP_NAME"],
diff --git a/web/add/user/index.php b/web/add/user/index.php
@@ -209,10 +209,10 @@
 		}
 
 		$mailtext = translate_email($template, [
-			"name" => $name,
-			"user" => $_POST["v_username"],
-			"password" => $_POST["v_password"],
-			"hostname" => $hostname,
+			"name" => htmlentities($name),
+			"user" => htmlentities($_POST["v_username"]),
+			"password" => htmlentities($_POST["v_password"]),
+			"hostname" => htmlentities($hostname),
 			"appname" => $_SESSION["APP_NAME"],
 		]);
 
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
@@ -1069,6 +1069,11 @@
 		}
 	}
 
+	$webmail = "http://" . $hostname . "/" . $v_webmail_alias . "/";
+	if (!empty($_SESSION["WEBMAIL_ALIAS"])) {
+		$webmail = $_SESSION["WEBMAIL_ALIAS"];
+	}
+
 	// Email login credentials
 	if (!empty($_POST["v_send_email"]) && empty($_SESSION["error_msg"])) {
 		$to = $_POST["v_send_email"];
@@ -1146,7 +1151,7 @@
 		$mailtext = translate_email($template, [
 			"domain" => htmlentities($_POST["v_domain"]),
 			"account" => htmlentities(strtolower($_POST["v_account"])),
-			"password" => $_POST["v_password"],
+			"password" => htmlentities($_POST["v_password"]),
 			"webmail" => $webmail . "." . htmlentities($_POST["v_domain"]),
 			"hostname" => "mail." . htmlentities($_POST["v_domain"]),
 			"appname" => $_SESSION["APP_NAME"],
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
@@ -1267,9 +1267,11 @@
 						}
 
 						$mailtext = translate_email($template, [
-							"domain" => $v_domain,
-							"username" => $user_plain . "_" . $v_ftp_username_for_emailing,
-							"password" => $v_ftp_user_data["v_ftp_password"],
+							"domain" => htmlentities($v_domain),
+							"username" => htmlentities(
+								$user_plain . "_" . $v_ftp_username_for_emailing,
+							),
+							"password" => htmlentities($v_ftp_user_data["v_ftp_password"]),
 							"appname" => $_SESSION["APP_NAME"],
 						]);
 
diff --git a/web/reset/index.php b/web/reset/index.php
@@ -123,10 +123,10 @@
 					$name = empty($data[$user]["NAME"]) ? $user : $data[$user]["NAME"];
 
 					$mailtext = translate_email($template, [
-						"name" => $name,
-						"hostname" => $hostname . $port,
-						"user" => $user,
-						"resetcode" => $rkey,
+						"name" => htmlentities($name),
+						"hostname" => htmlentities($hostname . $port),
+						"user" => htmlentities($user),
+						"resetcode" => htmlentities($rkey),
 						"appname" => $_SESSION["APP_NAME"],
 					]);
 
