diff -r a78b0798a116 -r 7e6537fd4730 includes/template.php
--- a/includes/template.php Tue Nov 16 12:44:22 2010 -0500
+++ b/includes/template.php Tue Jul 12 22:13:37 2011 -0400
@@ -609,7 +609,7 @@
 $parser = $this->makeParserText($tplvars['sidebar_button']);
 $parser->assign_vars(Array(
- 'HREF'=>makeUrlNS('Special', 'Logout'),
+ 'HREF'=>makeUrlNS('Special', 'Logout/' . $session->csrf_token),
 'FLAGS'=>'onclick="if ( !KILL_SWITCH ) { mb_logout(); return false; }"',
 'TEXT'=>'Log out',
 ));
@@ -681,7 +681,8 @@
 }
 }
 $js_dynamic .= '\';
- var ENANO_CURRENT_THEME = \''. $session->theme .'\';';
+ var ENANO_CURRENT_THEME = \''. $session->theme .'\';
+ var csrf_token = \'' . $session->csrf_token . '\';';
 foreach($paths->nslist as $k => $c)
 {
 $js_dynamic .= "namespace_list['{$k}'] = '$c';";
@@ -1680,13 +1681,13 @@ $ob = '
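Review bot: The CSRF token is now carried in a GET URL (`'Logout/' . $session->csrf_token`), which means it lands in browser history, proxy and server access logs, and the Referer header of any outbound link on the page that serves the logout, so the token's secrecy depends on none of those being observable; the safer shape is to keep the token out of the URL and submit the logout as a POST with the token in a hidden field (the `mb_logout()` JS path presumably already does something like that, but its body is not in this hunk). At minimum the token should be URL-encoded when concatenated, `'HREF'=>makeUrlNS('Special', 'Logout/' . rawurlencode($session->csrf_token)),`, unless its format is guaranteed URL-safe — token generation is not visible here. A one-line comment would also help the next reader: `// CSRF token travels in the path; Special:Logout must verify it before ending the session`. The enclosing function starts and ends outside this hunk.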
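Review bot: The new `var csrf_token = \'' . $session->csrf_token . '\';` line writes the token into an inline JavaScript string literal with no escaping, so a token containing `'`, `\` or `</script>` would break the script or become an injection point; emitting it as `var csrf_token = ' . json_encode($session->csrf_token) . ';` (adding `JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT` where the PHP version supports them) keeps the literal well-formed whatever the token's alphabet. Whether this is exploitable depends on how the token is generated, which the hunk does not show. Separately, if `$js_dynamic` is ever served as a standalone script URL rather than inlined into the HTML page, any cross-origin page could `<script src>` it and read `csrf_token` (XSSI), which would defeat the protection entirely — worth confirming and pinning with a comment such as `// csrf_token is readable by page scripts; this block must only be emitted inline, never as a fetchable script`. The enclosing function starts and ends outside this hunk.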
'."\n"; $s = ( $session->unread_pms == 1 ) ? '' : 's'; $ob .= " You have $session->unread_pms unread private message$s.
\n Messages: "; - $q = $db->sql_query('SELECT message_id,message_from,subject,date FROM '.table_prefix.'privmsgs WHERE message_to=\'' . $session->username . '\' AND message_read=0 ORDER BY date DESC;'); + $q = $db->sql_query('SELECT message_id,message_from,subject,date FROM '.table_prefix.'privmsgs WHERE message_to=\'' . $session->username . '\' AND message_read=0 AND folder_name != \'drafts\' ORDER BY date DESC;'); if ( !$q ) $db->_die(); $messages = array(); while ( $row = $db->fetchrow() ) { - $messages[] = '' . $row['subject'] . ''; + $messages[] = '' . htmlspecialchars($row['subject']) . ''; } $ob .= implode(",\n " , $messages)."\n"; $ob .= '
'."\n";
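Review bot: The rewritten query still splices `$session->username` directly into the SQL string (`WHERE message_to=\'' . $session->username . '\'`); nothing in the hunk escapes it, so unless the session layer guarantees an already-escaped value this remains a second-order injection point for a username containing a quote, and the value should go through the db layer's escaping or a parameterized query instead of string concatenation. On the output side, `htmlspecialchars($row['subject'])` with no flags uses ENT_COMPAT, which leaves `'` unescaped; if the subject is placed inside a single-quoted attribute of the (stripped) anchor markup, use `htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8')`. Finally, the list now applies `folder_name != 'drafts'` but the `$session->unread_pms` count printed above it is computed elsewhere; if that count does not apply the same filter the sentence and the list can disagree, which deserves either a matching change or a comment explaining the difference. The enclosing function starts outside this hunk.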