From 1768fffb2bfdc556fdae490744c50b046175c294 Mon Sep 17 00:00:00 2001 From: james Date: Fri, 12 Feb 2010 18:24:22 +0000 Subject: [PATCH] Properly escape the email name in the javascript function, and htmlspecialchars the name in the output --- admin/communication.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin/communication.php b/admin/communication.php index c6a3ddc..f097d45 100644 --- a/admin/communication.php +++ b/admin/communication.php @@ -605,7 +605,7 @@ case "email_get_list": if($r->name) $name=$r->name; else $name=i18n("no email name specified"); - echo "val',$r->id,$fcid)\">$name"; + echo "val)."',$r->id,$fcid)\">",htmlspecialchars($name).""; echo "$r->type"; echo " ";
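Review bot: On the added `echo` line the first argument of the JavaScript call is a single-quoted JS string that appears to sit inside a double-quoted HTML attribute (the `\">` closes it), so the value needs JavaScript-string encoding and then HTML-attribute encoding, in that order. The escaping call wrapped around the field ending in `val)` is not legible on this page, but backslash-style escaping alone would still let a `"` end the attribute, and `htmlspecialchars()` without `ENT_QUOTES` leaves `'` untouched. If the PHP version in use provides `json_encode()`, replacing the hand-quoted `'...'` argument with `htmlspecialchars(json_encode($value), ENT_QUOTES)` (where `$value` is the field passed today) covers both layers, while the `htmlspecialchars($name)` used for the link text is already right for element content. The following context line `echo "$r->type";` still prints a row field unescaped, and `$r->id` and `$fcid` enter the handler as-is, so an `(int)` cast would be a cheap safeguard if they are numeric ids. The enclosing `case "email_get_list":` block begins and ends outside this hunk, so where `$fcid` comes from cannot be checked from here.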