diff --git a/CHANGELOG.TXT b/CHANGELOG.TXT
index d848233f..ee9c4755 100644
--- a/CHANGELOG.TXT
+++ b/CHANGELOG.TXT
@@ -21,6 +21,9 @@ SVN changes since 2.3.4 release (postfixadmin-2.3 branch)
contain malicious SQL. Double-check before using them!
- fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
- fix XSS in some create-domain input fields
+ - fix XSS in create-alias and edit-alias error message
+ - fix XSS (by values stored in the database) in fetchmail list view,
+ list-domain and list-virtual
- create-domain: fix SQL injection (only exploitable by superadmins)
- add missing $LANG['pAdminDelete_admin_error']
- don't mark mailbox targets with recipient delimiter as "forward only"
diff --git a/create-alias.php b/create-alias.php
index 24e72ecb..1e45dd18 100644
--- a/create-alias.php
+++ b/create-alias.php
@@ -133,7 +133,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$error = 1;
$tGoto = $goto;
if (!empty($tMessage)) $tMessage .= "
";
- $tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . "$address";
+ $tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . htmlentities($address) . "";
}
}
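Review bot: The new `htmlentities($address)` on the `$tMessage .=` line is called without flags or a charset, so single quotes are left unescaped (the default is ENT_COMPAT on every PHP release before 8.1) and on PHP older than 5.4 the input is treated as ISO-8859-1, which mangles non-ASCII bytes in the address; if `$tMessage` is ever emitted inside a single-quoted attribute the quote is still an injection vector. Prefer `$tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . htmlspecialchars($address, ENT_QUOTES, 'UTF-8');` — assuming the templates are served as UTF-8, which should be confirmed against the charset the app sets — and drop the trailing `. ""`, which is a no-op. The same line is patched identically in edit-alias.php, so whichever call is settled on should be used in both places. The enclosing POST-handling block starts before this hunk.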
diff --git a/edit-alias.php b/edit-alias.php
index a82bc87d..b1040936 100644
--- a/edit-alias.php
+++ b/edit-alias.php
@@ -129,7 +129,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
$error = 1;
$tGoto = $goto;
if (!empty($tMessage)) $tMessage .= "
";
- $tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . "$address";
+ $tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . htmlentities($address) . "";
}
}
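Review bot: This hunk duplicates the create-alias.php fix line for line, including the bare `htmlentities($address)` call, so it inherits the same gap: without ENT_QUOTES a single quote in `$address` passes through unescaped, and without an explicit charset the result depends on the PHP version (ISO-8859-1 before 5.4). Since the two files build the identical message, a small shared helper in the common include (e.g. a `safe_html($s)` wrapper around `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`) would keep the two call sites from drifting; at minimum change the line to `$tMessage .= $PALANG['pEdit_alias_goto_text_error2'] . htmlspecialchars($address, ENT_QUOTES, 'UTF-8');`. The charset choice is an assumption and should match what the templates declare. The enclosing POST-handling block begins outside this hunk.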
diff --git a/templates/admin_list-domain.php b/templates/admin_list-domain.php
index 95c6dcbf..eb1bcdc3 100644
--- a/templates/admin_list-domain.php
+++ b/templates/admin_list-domain.php
@@ -50,7 +50,7 @@ if (sizeof ($domain_properties) > 0)
{
print "