Index: trunk/CHANGELOG
===================================================================
--- trunk/CHANGELOG	(revision 1114)
+++ trunk/CHANGELOG	(revision 1115)
@@ -12,6 +12,7 @@
 
 ------------------------------------- 2.8.0 -------------------------------------
 9-Aug-2009 Matthias Gallas
+#	Fixed possible xss injection in login/forgot/index.php
 #	Fixed bug in news modul introduced in changeset [1057]
 #	Added missing variables also to preferences.php. Forgot in Changeset [1112]
 8-Aug-2009 Matthias Gallas
Index: trunk/wb/admin/login/forgot/index.php
===================================================================
--- trunk/wb/admin/login/forgot/index.php	(revision 1114)
+++ trunk/wb/admin/login/forgot/index.php	(revision 1115)
@@ -40,7 +40,7 @@
 // Check if the user has already submitted the form, otherwise show it
 if(isset($_POST['email']) AND $_POST['email'] != "") {
 	
-	$email = $_POST['email'];
+	$email = htmlspecialchars($_POST['email'],ENT_QUOTES);
 	
 	// Check if the email exists in the database
 	$query = "SELECT user_id,username,display_name,email,last_reset,password FROM ".TABLE_PREFIX."users WHERE email = '".$admin->add_slashes($_POST['email'])."'";
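Review bot: The encoding on the new `$email` assignment is applied at input time rather than at the point of output, so any later use of `$email` outside an HTML context (for instance as plain text in the reset e-mail, if it is reused that way) would carry `&#039;`-style entities; keeping the raw value and calling `htmlspecialchars()` where the value is echoed, or naming the encoded copy `$email_html`, would make the intent visible. The call also omits the charset argument, so the translation follows PHP's default rather than the page's configured character set; `htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8')` would pin it if the site serves UTF-8. The raw `$_POST['email']` still reaches the SQL string on the following line through `$admin->add_slashes()`, whose escaping rules are not visible here, so the commit closes the output side only; a parameterised query would remove the dependency on that helper. The enclosing `if` block continues outside the hunk.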
@@ -105,6 +105,8 @@
 	} else {
 		// Email doesn't exist, so tell the user
 		$message = $MESSAGE['FORGOT_PASS']['EMAIL_NOT_FOUND'];
+		// and delete the wrong Email
+		$email = '';
 	}
 	
 } else {
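Review bot: The comment above the added `$email = ''` line restates the assignment rather than why it is made; since the cleared variable is presumably the value echoed back into the form, `// Don't pre-fill the form with an address that is not in the database` would document the reason. Clearing the value is sound defence in depth alongside the encoding in the first hunk, but it only has an effect if `$email` is output later, which is outside this hunk. Note that this branch still emits a distinct `EMAIL_NOT_FOUND` message, so whether an address exists in the users table remains observable to the submitter; that is pre-existing and not addressed here. The enclosing `if`/`else` block starts outside the hunk.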
