use ENT_SUBSTITUTE on htmlspecialchars to harden display of message as source

2015-04-02 08:48:34 +00:00 · 2015-04-02 08:48:34 +00:00 · e3d4a685af
commit e3d4a685af
parent ed092a5887
1 changed files with 1 additions and 1 deletions
--- a/mail/inc/class.mail_ui.inc.php
+++ b/mail/inc/class.mail_ui.inc.php
@ -2611,7 +2611,7 @@ class mail_ui
 		else
 		{
 			html::safe_content_header($message, $subject.".eml", $mime='text/html', $size=0, true, false);
-			print '<pre>'. htmlspecialchars($message, ENT_NOQUOTES, 'utf-8') .'</pre>';
+			print '<pre>'. htmlspecialchars($message, ENT_NOQUOTES|ENT_SUBSTITUTE, 'utf-8') .'</pre>';
 		}
 	}