SquirrelMail 1.5.1 reviewDownload
SquirrelMail is a standards-based Webmail package written in PHP4
SquirrelMail is a standards-based Webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages are rendered in pure HTML 4.0 for maximum compatibility across browsers.
SquirrelMail has very few requirements, and is very easy to configure and install. It has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
What's New in 1.5.1 Development Release:
- New reply citation to include date and author.
- Security: Fix some possible XSS bugs.
- Norwegian Bokmal translation uses nb_NO.
- Integrated Msg_Flags plugin - turn on/off icons using configuration tool,
menu number 11 (Tweaks), option number 3, after which users must select an
icon theme in Options/Display Preferences.
"Flag"/"Unflag" buttons are implemented as separate plugin.
- Added Farsi and Tagalog translation support.
- Enabled Ukrainian and Russian-Ukrainian support
- Fixed subfolders named "foo.inbox" didn't always work well.
- sqimap_create_stream() was not obeying passed params properly.
- Fix non-selectable inbox.
- Add src/configtest.php script which checks for common errors in the config.
- Improve display of some unparsable/absent dates (#891354).
- Add comment (Highest,Normal,Lowest) to X-Priority header.
Some SpamAssassin rule triggers on the absence of such a comment.
- Corrected moving of last message in a folder using Delete-Move-Next
functionality added to core in 1.5.0.
- Fix test for LOGINDISABLED, should only test when the auth mech actually
- Update required PHP version to 4.1.0, and remove PHP 4.0.x legacy code.
- Make writing of preferences, abook, calendars fail better when disk full
- Remove code related to non-UID-supporting IMAP servers.
- Fix quoteimap() regex escaping problem (#921291).
- Added option to suppress Received: line in outbound SM headers (#847107).
- Changed read_body header from links to buttons (looks like message index).
- Add functions for building HTML forms (functions/forms.php).
- Added abook_init and abook_add_class hooks.
- Fixed "Resume Draft" to continue using selected identities (#845290).
- Fixed RFC2821 incompliancy by adding a fallback mechanism to HELO if
EHLO is not supported.
- Fixed RFC2298 incompliancy by setting envelope sender to null.
- Fixed problem where setting all the messages on the last page of the
message list would return one page higher.
- Remove call to perform expunge on mailbox select - auto-expunge will
still be performed on message delete, etc.
- Allow single quotes to be used in theme name in conf.pl (#805309).
- Fixed on the fly decoding of base64 encoded attachments.
- Fixed message rejects by the Postfix sendmail wrapper when attachments were
- Fixed date display bug for messages of today. Show short format in case
of long format. (only occurs in the timeframe around 0:00 AM till
- Added address book sorting options. Ascending/descending sorting code
written by Bryan Loniewski.
- Use Special Folder Color config option works again (#931956).
- In POP3-class, be more liberal regarding RFC-incompliant POP3-servers.
- Set up language before outputing errors in auth.php to make them appear in
the correct language.
- Added Basque translation support.
- Remove flag buttons / links from display if mailbox doesn't allow it.
- Make used of cached ordered uid list in case of server_side_sorting.
- Rewrite of internal mailbox sorting routines.
- Added sort by message size.
- Security: Fixed XSS vulnerability in content-type display in the attachment
area of read_body.php discovered by Roman Medina.
- Removed src/move_messages.php, move_before_move and move_messages_button_action
hooks. Mailbox listing actions should be handled by src/right_main.php and
- Get alternating row colors of addressbook in sync with mailbox list.
- Give proper error when PEAR DB not found.
- Remove inappropriate strip_tags() from add-to-addressbook (#968475).
- Prefs caching didn't work properly with register_globals off (#995102).
- Security: fix SQL injection vulnerability in addressbook.
- Removed html_top and html_bottom hooks. No longer used/needed.
- Added "trailing text" for options built by SquirrelMail (text placed
after text and select list inputs on options pages)
- Custom option page values now repopulate correctly
- Added "no focus" option for compose page in display preferences (setting
reply focus to "No focus" also affects composing new messages)
- Current hook name is now globally available when running a hook
- Fix bug when Saving to Draft folder that contains special characters.
- Added size limit to signatures saved in file backend. Created
error_option_save function, that allows sending error message to options
page. Thanks to Martynas Bieliauskas for spotting big signature "option".
- Make SquirrelSpell work with safe_mode enabled, if using PHP >=4.3.0.
Patch by Ray Ferguson.
- Make IP-address in Message-ID RFC822 compliant.
- Uneditable address book entries no longer have checkboxes on addresses page.
- Alignment of title text above folder list fixed.
- Changed structure of xtra_code functions that are used by some translations.
- Added Uighur language support.
- Added status bar to compose window when "Compose In New Window" is used.
- Reenabled the move_messages_button_action hook and changed its name to
mailbox_display_button_action to promote the new location
- Making delete button, when viewing a message, consider which page was viewed
- $agresive_decoding configuration option changed to $aggressive_decoding.
- Added $lossy_encoding option (provides fix for #806698)
- Reenabled use of $default_charset option. Option works only with en_US
translation in order to prevent language/charset misconfiguration.
- Fixes for nonpopulation of folder lists and errors when emptying the trash
(provides fixes for #1019185 and #1017941)
- Fixed $custom_css loading in squirrelspell plugin.
- Turkish translation uses C character case conversion rules. Fixes PHP and
SquirrelMail functions are assume English conversion rules.
- Fixed problem that caused an error when deleting all messages on the last
page of a paginated view (provides fix for #1014612).
- Added MySQL password/UNIX crypt support to mysql backend in the
- Make SMTP Authentication detection in conf.pl more RFC-compliant.
- Fixed IMAP errors when using mail_fetch plugin to auto-fetch on login.
- Fixed folder list in Create Folders list for Courier (properly skip INBOX).
- Fixed undefined variables in sqimap_create_stream().
- Added Bengali translation support.
- Fixed left frame mailbox list when sorting by case.
- Separated fortune plugin configuration variables from main plugin scripts.
- Fix for #906217 when checking spelling of inline replies, the corrected
words would appear through original email.
- Fixed empty information menu when viewing vCards without information
but name and e-mail address.
- User may now add an e-mail address when adding vCards without one to the
address book. No need to wait for the error message anymore.
- Removed japanese_xtra function used by older XTRA_CODE calls. Plugins
should use separate xtra_code functions. Older function does not provide
information about supported options.
- Added php-gettext classes (see class/l10n/*.php) and ngettext support
functions (provides fix for #1019007).
- LC_NUMERIC locale is set to C. (workaround for #1027130). Some plugins
might use decimal delimiters incorrectly.
- Added sq_is8bit function that can be used to detect 8bit strings.
- Added sq_mb_list_encodings function that provides list of encodings
supported by PHP mbstring module.
- Added Content-Transfer-Encoding: 8bit header for read receipts that contain
8bit symbols. (provides fix for #934033).
- Fixed decoding function problems when mbstring.func_override has
- Security: Fixed XSS exploit in decodeHeader function. [CVE-2004-1036]
- Added site configuration and custom translation engine support to translate
- Fixed SquirrelSpell error output. Patch courtesy David Boone.
- Fixed bug in IMAP read routines that treated "0" as false instead of
a string (patch courtesy Maurice Makaay).
- Fixed PHP notice when header property value is blank.
- Added compact paginator option. Patch by Felix Egli.
- Fixed reply/forward form in order to avoid warnings in SSL enabled sites.
Patch by Felix Egli.
- Removed command line option unsupported by qmail-inject in
class/deliver/Deliver_SendMail.class.php. Thanks to Ken Brush.
- Global file based address book is controled in configuration. Removed
global_file address book backend (use 'local_file' instead).
- Added Net-Style theme by Gabriele Maidecchi. Closes patch #1041323.
- Fix: Messages shown with bad times in message list due to misinterpreted
UW IMAP internal date.
- Fixed path used by random theme.
- Utf7-imap encoding/decoding functions will check, if required charset is
supported by mbstring and use it. Fixes bug #1005353.
- LDAP backend will use internal SquirrelMail charset conversion functions
instead of PHP XML extension. Fixes bug #655137.
- Added Wood and Silver Steel themes by Pavel Spatny and Simple Green theme.
- Fix two time zone calculation bugs, thanks to David White. Fixes #1063879.
- 'Priority' and 'Importance' headers are now also recognised, next to the
'X-Priority' header that we've supported since a long time. Fixes #1039935.
- Handle a reload of the signout page gracefully: do not present an error
about having to be logged in to be able to sign out. Fixes #1070069.
- Prevent & being eaten in set_url_var, thanks Marcin Orlowski (#1053725).
- Removed internal_link hook.
- Added sq_setlocale function in order to use multiple locale names.
- Set up language before outputing errors in signout.php to make them appear
in the correct language.
- Added size attributes to new_mail sound tags. Fixes #818958.
- Removed extra ; in SquirrelMail added Received header per RFC 822
- Add IMAP server type "hmailserver" to make search work with hMailServer.
- Reuploaded newmail plugin sounds. Fixes files uploaded to cvs without binary
- Fix listcommands plugin to behave like normal reply/compose
links, and return to message page that originally called from.
- Max upload file size now correctly handles a '-1' value, meaning
- Security: Added hook for Preferences Backend to resolve potential
file inclusions. [CVE-2005-0075]
- Remove Printer Friendly Clean Display config option, the cleaning
is now always done.
- Create new Options section "Compose Preferences" and move some
options from Display Preferences there; also move some around within
- Security: Fix possible file/offsite inclusion in src/webmail.php.
- Security: Fix possible XSS issues in src/webmail.php. [CVE-2005-0104]
- Fix undefined variables in src/webmail.php.
- 24hr clock format should include a leading 0.
- Removed numeric keys for plugin array in config.php.
- Fixed translations of "On DATE, AUTHOR Wrote" and "AUTHOR Wrote" replies.
- Added sq_str_pad function for padding of multi-byte strings.
- Added sq_strlen function for calculation of multi-byte string length.
- Quoted "INBOX" in check for the status of INBOX in a LIST call. Fixes an
issue with a specific IMAP server.
- Move default_pref to the config/ dir, but keep checking legacy locations
first for bc. Do not fail with an error when default_pref not found, just
create an empty one.
- Add trailing slash for data directory used by global file based address
- Fixed sorting problem is get_squirrel_sort() function (#1115403).
- Add "Show Only Subscribed Folders" option to allow users to show all
folders instead of only subscribed ones (#1105756, #1105250).
- Add workaround for Mercury/32 servers that will subscribe again to
an already subscribed folder (#1115409).
- Added blank.png for missing image support.
- Use the proper attachment filenames in case of forwarding a message.
- Fix for #855320 where Outlook Express was creating CID: based URLs,
but not assigning a content-id to the attachment. This is a bug in
Outlook Express and is non-RFC compliant behaviour.
- Strip tags out. This is a Microsoft only protocol and
references files local to the sending machine. This causes issues
with Internet Explorer.
- Replace links with clean images to stop
issues with Internet Explorer not being able to track down the image.
- Empty src attribute on img tags causes logouts (IE only), replacing
string with blank.png.
- Added vmailmgrd backend to change_password plugin.
- Fixed change_password_init hook.
- Give an error to the user when SquirrelMail is not configured yet
(instead of "failed to include config.php").
- Added swf and mp3 support to newmail plugin. Restored custom user media
- Removed unused save_option_header() function from display and compose
- Fixed bug #1124764, view unsafe images inside printer friendly view.
- Fixed bug #1032366, remove NUL characters in text attachments on sent.
- URL Encode required for string being passed in mailto: links to pass on
additional values (cc, body, subject etc).
- Fixed bug #801060. Removed option for INBOX in filters plugin as source
is always INBOX.
- Always show Purge link next to Trash, even when empty.
- errors in addressbook_init() function are no longer fatal. If function
fails to activate address book backend, it displays error box (with
error_box() function). error box can be hidden by setting first
function argument to false.
- Sanitized search in ldap address book backend. Use of asterisk
together with other symbols is not supported.
- Added ldap backend to change_password plugin.
- Change defaults of some prefs to more sensible / usable settings.
- Revise the documentation of the packaged plugins.
- Fixed edit form checks in address listing (#1124018).
- After sending resumed draft, return to message list.
- Parse and replace mailto: links with internal compose links when
viewing in HTML format.
- Plugins may now define an "extra" array element to return to the attachment
types hook, which will be also inserted in the attachment link for the
- Added mouseover row highlighting on message index.
- Added for checkboxes on message index (when highlighting is off).
- Fixed mailto: parsing in functions/url_parser.php.
- Fixed broken signout page (plugins work here again).
- Fixed configtest to use correct PostgreSQL connection function
- Added configuration option that blocks remote use of
src/configtest.php by default.
- Fixed ldap checks in configtest.php.
- Added configuration option that controls listing of global file based
- Fixed administrator's plugin breaks related to latest sqGetGlobalVar()
and $plugins array changes.
- Included local configuration file in config.php generated by
- Updated the Filters plugin to comply with our Plugin Standards.
- Fixed Filters plugin problems with duplicate rule processing and false
unread message counts (Bug# 676073 and patch #919045).
- Strip position:absolute style from HTML mails.
- Add ability to the Filters plugin to filter on Message Body, or both
the Headers and the Message Body.
- Update the message copy and move functions to allow for error handling.
- Fix the filter plugin from halting the login process when copying errors
- Clean up the folder management (create, rename, subscribe) code.
- Added filtering support to address book LDAP backend (#539534). Thanks
to Tim Bell.
- Added domain scope limit controls to address book LDAP backend. Issue
is specific to Microsoft ADS (#1035454). Thanks to Michael Brown.
- Missing PHP LDAP extension errors are now handled by ldap backend and
errors are displayed after address book initialization.
- LDAP connections are opened during search and not during address book
- Fixed wrapping of multibyte strings in message view and replies
- mbstring internal encoding is switched to ASCII, if mbstring.func_overload
is enabled (#929644).
- Fixed checking for quota when appending to Sent folder (#1172694).
- Create a generic function to empty a folder tree, thanks to
Randy Smith (#1145578).
- Add robots noindex/nofollow meta tag to SquirrelMail generated pages.
- Fix incorrect folder hierarchy display (#1009654), thanks
Awais Ahmad for the patch (#1082558).
- src/delete_message.php script is disabled. It provided functions that
could be implemented without playing with multiple redirects.
- Remove lots of obsoleted code from left_main.php.
- Partial support of IMAP REFERRAL: do not fail on IMAP REFERRAL response
(RFC 2221) but log the user out with a hint. Patch by Ariel Arjona
- Fixed SquirrelMail language cookie detection in php register_globals=off.
- If default SquirrelMail language is set to empty string, interface will
try to follow browser's HTTP_ACCEPT_LANGUAGE header or fallback to en_US
- If From: field is unset in an email, header object for from field is not
correctly set, and generates an error on reply (#1179754).
- Add Cancel button to addressbook (#1180565).
- RFC 2046: Send mixed messages with multipart/alternative nested boundaries
with correct boundary strings.
- EXPERIMENTAL: Mailbox listing converted to templated layout. Added
template support functions and classes. Rewrote some page header and
mailbox listing functions. Disabled 'show_recipient_instead' option.
Added more columns to mailbox listing and index order options.
- Removed sort by internal date option. Now you can use the Received column
in the index order option page for that.
- WARNING: if same user data storage location is used to store SquirrelMail
1.4.x and 1.5.1+ user settings, SquirrelMail 1.5.1+ will reset mailbox
display order (Options->Index Options) in stable. Backup your data before
testing 1.5.1+ or use different storage location.
- Added experimental iframe sandbox for display of html formated emails.
- Disabled LOGINDISABLED check in src/login.php when IMAP server mapping is
- Check destination folder in mail_fetch plugin before storing messages
in it. Modify destination folder, if it is renamed or deleted within
- Made the Flags column a required column in the index order options page to
prohibit missing seen/unseen info in the messages list.
- Fixed disabled prev/next links in the message display when you reach the
end of the page (message set).
- Moved delete button to the right in the message list.
- Fixed imap capability detection in bug_report plugin. It was broken
when IMAP TLS was enabled or imap server mapping was used.
- Added mail_fetch plugin configuration file and moved plugin functions
from setup.php to functions.php file.
- SquirrelSpell plugin was modified to use standard SquirrelMail
preference system. User dictionaries that are stored in $username.words
files should be automatically updated to new format, when user logs in.
Fixed possible php script errors caused by $SQSPELL_APP configuration
variable changes. Removed $SQSPELL_EREG configuration option. Plugin's
version increased to 0.5.
- $skip_SM_header option was replaced with $encode_header_key and
$hide_auth_header options. First option allows to encode user's information
with provided encryption key (set in 2. Server settings -> B. Update SMTP /
Sendmail settings). Second option allows to disable authenticated user part
in Received: header, when user can't forge used email address. It is set in
4. General Options -> 9. Allow editing of identity.
- Added dovecot preset to configuration utility.
- Modified mercury32 preset in order to remove INBOX prefix in mercury32 4.01.
- Added peardb backend to change_password plugin.
- Tweak IMAP connection error display (#1203154).
- Gracefully recover from over quota error while sending a mail (#1145144).
- Fix get_identities() for the case where the user has not set an email
address: use the fallback $username@$domain that's used in compose aswell.
- Fix "Include me in CC on Reply All" for the case where email address was
not set in the prefs (#781202, #1093363).
- Move documentation for SquirrelMail developers to doc/Development.
- Added id attribute support to form functions. It can be used for Section
508 or WAI fixes. Original idea and patch by dugan passwall.com.
- Fixed broken attachments caused by inconsistency of PHP chunk_split().
Thanks to Roalt Zijlstra.
- Identity code was not checking for domain part in username before setting
email address (Bug #1219184).
- Disallow access to the administrator plugin screens when the plugin is
not enabled in the config.
- Security: fix several cross site scripting (XSS) attacks. Thanks go to
Martijn Brinkers for finding a lot of these. [CVE-2005-1769]
- Update COPYING with new address of the FSF.
- Fixed missing quote character when trying to build cid: urls.
- Added address listing functions and listing controls to address
book LDAP backend. Blocked wildcard searches in file and database
backends when listing is disabled (#529563).
- Some LDAP address book backend configuration options (listing
controls, filtering, scope limit) are moved to 'advanced
password box if username was supplied as a url arg (#1222617).
- Fix variable typo in parseFetch which caused IMAP errors on Exchange.
Thanks Christian Froemmel.
- Added Bluesome theme by Saku Lehti? (#1188209).
- Rewrite of advanced identity handlying to remove stupid extraction
of all post variables. [CVE-2005-2095]
- Added StartTLS support to address book LDAP backend (#1197703). Patch
by John Lane.
- Added subtree/one level search options to address book LDAP backend
- Added Simple Green 2 and Simple Purple themes by Vicky Pyne (#1217066
- sqimap_messages_delete|copy|flag and sqimap_get_small_header()
functions are removed from SquirrelMail IMAP API. Use sqimap_msgs_*
and sqimap_get_small_header_list() functions instead.
- Fix for bad cache on massive expunge/delete/move operations.
- Moved time zone configuration from locale/timezones.cfg to php array.
Adds time zone name localization options and fixes problems on systems
that don't support GNU C time zone mappings (#1177067).
- Use default color theme in logout_error function when possible.
- Fixes for increased error checking in PHP 5.0.5+ array_shift() (#1237160).
- Added extra checks in delivery class for In-Reply-To header. Fixes
E_NOTICE level warnings in php 5.0.4 and later (#1206474). [php5]
- Added extra checks in SquirrelMail charset_encode() function in case
somebody removes HTML to US-ASCII conversion library (#1239782).
- Fixed invalid reference in src/download.php. E_NOTICE level warnings
could corrupt attachments in php 4.4.0.
- Added internal dgettext() and dngettext() functions.
- Added display of attachments on printer friendly page.
- Added custom error handling class and related functions.
- Added option to disable upload of sounds in newmail plugin.
- Removed full URL from sound file preferences in newmail plugin
- Stripped BaseDN from nicknames in address book's ldap_server backend.
- Fixed error handling in SquirrelSpell plugin. sprintf and gettext
formating errors in check_me.mod. Reported by Edward Chapman.
- Translations are loaded automatically from locale//setup.php
- Allow configure to be ran from any directory, thanks Ceri Davies.
- Removed $available_languages configuration option. List is limited to
installed translations. Similar feature is implemented in limit_languages
- Don't load plugins/administrator/auth.php during plugin initiation.
- Removed function references from address book database backend class,
list_addr(), lookup() and search() functions. Referenced lookup()
function caused E_NOTICE warnings in php 4.4.0. Reported by Cor Bosman.
- Test to ensure folder exists before attempting to delete it, otherwise
IMAP server will return an error.
- Added $save_html argument to charset_decode() function in order to be
able to convert html formated mails to different character set. Initial
patch by Peter Draganov (#1195232). Fixed display of html formated emails
in formatBody() function (#1258925).
- login_form hook changed from do_hook to concat_hook_function in order to
place form elements before login button (#1245070).
- Forwarding broken when not using compose in new window (#1222436).
- Drop data/ dir from distributed tarball.
- Readded options_identity_process and options_identity_renumber hooks
broken by CVE-2005-2095 fixes.
- Removed duplicate generic_header hook call in src/right_main.php (#1269189).
- Removed other special folders from rename/delete/unsubscribe folder forms.
Suggested by Florian Daumling.
- Focus on compose screen no longer shifts automatically if user has manually
focused somewhere herself.
- Running SquirrelMail with PHP register_globals = on will cause fatal error
- Added field size controls to database preference backend (#1233721).
- Added bincimap preset (#1285099).
- Fixed IMAP search command in filters plugin. Command was breaking
sqimap_mailbox_exists() check. Reported by Daniel Watts.
- Fixed decoding of quoted-printable text in decodeBody function.
Reported by Jo?o Carlos Mendes Lu?s.
- Added CR trimming to SquirrelSpell plugin in order to fix problems on
- Sanitized names displayed in address book listing.
- Added extra field controls to address book class.
- HttpOnly cookie support (cookies inaccessible by JS). This will protect
- Rare case of session being destroyed causing PHP errors, so ensure session
- If you don't have any filters defined, and spam filters are disabled, no
point issuing a STATUS call on INBOX for the filters plugin.
- Added folder filtering controls to SMOPT_TYPE_FLDRLIST option widget.
- Security: Fixed possible XSS issue in search feature. Issue was
originally resolved in stable, but changes not migrated forward.
- Update the cached mailbox header with the Answered flag in case of an
- Added site configuration options to bug_report plugin. Plugin is available
only to interface administrators by default. See more information in
- E_NOTICE and unlink error message if user hits delete multiple times
before compose page has reloaded.
- Undefined variable in rare case in view_header.php
- Variable by reference fix in printer_friendly_bottom.php.
- Undefined index in addressbook backends.
- sqimap_utf7_decode_mbx_tree returns variables by reference, rather than a
return value (#1351822)
- Make test for IE6 in SendDownloadHeaders also match versions higher
than 6 (#1339211).
- Allow double quote to be used in MOTD (#1276959).
- Prevent right_frame to be set to '//www.example.com'.
- Tweak printer friendly attachment view.
- Added new compose_send_after hook.
- Added new scheme to allow multiple plugins to share the onsubmit handler
for the compose form from the compose_form hook. See plugin.txt for more
- Support for LIST-SUBSCRIBED extension. This speeds up the retrieval of
the subscribed mailbox-list.
- Properly clean up temporary attachment files when saving as Draft
(#1358407) and fix attachment cleaning code on logout.
- Fixed error message in addressbook.php lookup (#1351825).
- Fixed incorrect curly escape in sqimap_append(). Error triggered by PHP 5.1
- Fixed ContentType object check in Rfc822Header class. E_NOTICE error
in PHP 5.1.
- Key value being overwritten by reuse of var in filters plugin.
- Add doc/security.txt with some hints for a more secure installation.
- Added sqauth_read_password() and sqauth_save_password() functions.
- Unset global GET, POST and COOKIE variables registered in PHP
- Capabilities array now contains all multivalue information provided
by the IMAP server. (Such as THREAD=SORT, THREAD=REFERENCES).
- Inclusion of Compatibility plugin automatic (no patch needed for plugin)
- Moved sqm_baseuri() into more centralized location (strings.php)
- Introduced $sendmail_args configuration variable in order to control
/usr/sbin/sendmail command arguments (#1365779). Deliver_SendMail class was
modified to provide support of $sendmail_args. Modifications broke backwards
compatibility with qmail-inject workarounds.
- Added execution error handling in Deliver_SendMail class (#1374174).
- Sanitized Draft folder error message in compose.
- Fixed character wrapping/encoding issues in Japanese translation (#1377622).
Issue is specific to sqBodyWrap() and string function wrappers introduced in
- Security: MagicHTML fix for comments in styles which allowed
for cross site scripting when using Internet Explorer
- Added 'mail' and 'sn' attributes to address book LDAP backend search
- Added mailbox caching code by Michael Long.
- Prevent output of whitespace during plugin activation. Fixes possible
attachment corruption by incorrectly coded plugins.
- Fixed data sanitizing in calendar plugin (#1291081)(#705796).
- Security: Prohibit imap injection attempts (reported by Vicente Aguilera)
- Don't move messages in sqimap_msgs_list_move() function call, when target
mailbox is same as source mailbox. Adds fifth argument to
sqimap_msgs_list_move() function. Fixes possible issues on MacOS Cyrus
IMAP server (#1409453).
- Style sheets are moved to template.
- displayHtmlHeader() function call sends http headers in order to prevent
- Added Template set selection.
- Merged patch from Steve Brown to transform current templates to css
- Added footer template to every page.
- Added experimental IMAP and SMTP STARTTLS extension support.
- Security: Fix possible cross site scripting through the right_main
parameter of webmail.php. This now uses a whitelist of acceptable
- Disabled display of regexp compilation errors in local_file address
- DOCTYPE tags are switched from quirks to standard compliance mode.
- Improved error reporting concerning THREAD, SORT and BADCHARSET.
- Added options to disable THREAD and SORT extension.
- Fixed mailbox cache issues caused by using prev/next links in
- Added View as HTML support to the SquirrelMail core.
- Fixed bug #550557.
- Applied status cache patch created by Michael Long.
- Updated newmail plugin to make use of status cache (Michael Long)
- Added RECENT check to left_main.php to bold the unseen message string if
there are recent messages.
- Fixed search query in filters.php, now we respect the imap continuation
request (Michael Long).
- Fixed bug in digest message view where the from name disappeared after
opening a digest message.
- Rewrite of thread parsing code in order to improve performance.
- Adapted message squisher function to gain performance.
- Fixed bug #1093360, skip untagged NO responses in APPEND query.
What's New in 1.4.9a Stable Release:
Security: Multiple IE cross site scripting issues related to the widely acceptation of the word expression and url by IE.
Security: Removing @import when sanitizing html mail.
SquirrelMail 1.5.1 keywords