From 4fc50fba1f3bfccb43ad6b556063e37dea3320f8 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Sat, 5 Nov 2022 12:51:23 +0100
Subject: [PATCH] avoid possible html injection via forgot-password-error-message

Signed-off-by: Michael Kaufmann
---
 index.php | 7 +------
 lng/de.lng.php | 1 +
 lng/en.lng.php | 1 +
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/index.php b/index.php
index 902d9cbb..3414df68 100644
--- a/index.php
+++ b/index.php
@@ -356,12 +356,7 @@ if ($action == '2fa_entercode') {
 $message = lng('error.login_blocked', [Settings::Get('login.deactivatetime')]);
 break;
 case 4:
- $cmail = isset($_GET['customermail']) ? $_GET['customermail'] : 'unknown';
- if (!Validate::validateEmail($cmail)) {
- $message = lng('error.errorsendingmail', ['invalid.address']);
- } else {
- $message = lng('error.errorsendingmail', [$cmail]);
- }
+ $message = lng('error.errorsendingmailpub');
 break;
 case 5:
 $message = lng('error.user_banned');
diff --git a/lng/de.lng.php b/lng/de.lng.php
index e7bd2933..2dcdf48b 100644
--- a/lng/de.lng.php
+++ b/lng/de.lng.php
@@ -799,6 +799,7 @@ return [
 'nomessagetosend' => 'Keine Nachricht angegeben',
 'norecipientsgiven' => 'Keine Empfänger angegeben',
 'errorsendingmail' => 'Das Versenden der Nachricht an "%s" schlug fehl.',
+ 'errorsendingmailpub' => 'Das Versenden der Nachricht an die angegebene E-Mail Adresse schlug fehl.',
 'cannotreaddir' => 'Der Ordner "%s" kann nicht gelesen werden',
 'invalidip' => 'Ungültige IP-Adresse: "%s"',
 'invalidmysqlhost' => 'Ungültige MySQL-Host-Adresse: "%s"',
diff --git a/lng/en.lng.php b/lng/en.lng.php
index c18629db..49a51920 100644
--- a/lng/en.lng.php
+++ b/lng/en.lng.php
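Review bot: The reflected address is gone from the case-4 branch, but the sink that made it exploitable is untouched: if `$message` is still inserted into the page without escaping, which the reported injection implies, any other `lng()` argument derived from request data reaches it the same way. A defence at the output side — `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` where the message is rendered, or escaping the substituted arguments inside `lng()` — would close the whole class rather than this one instance; that code is outside the hunk, so I cannot confirm its current state. The `customermail` query parameter is now unused here; if the redirect that appends it is still in place, dropping it keeps the submitted address out of URLs, referrer headers and access logs. A one-line comment on the new line would preserve the intent for later readers: `// deliberately not echoing the submitted address: it is attacker-controlled and ends up in HTML`. The enclosing switch starts and ends outside the hunk.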
@@ -864,6 +864,7 @@ return [
 'nomessagetosend' => 'You did not enter a message.',
 'norecipientsgiven' => 'You did not specify any recipient',
 'errorsendingmail' => 'The message to "%s" failed',
+ 'errorsendingmailpub' => 'The message to the given email-address failed',
 'cannotreaddir' => 'Unable to read directory "%s"',
 'invalidip' => 'Invalid IP address: %s',
 'invalidmysqlhost' => 'Invalid MySQL host address: %s',