diff --git a/CHANGELOG.md b/CHANGELOG.md
index a99257c2..6866480a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+### Security
+- Rewrote the mailto function to not use `eval` when encoding with javascript
+
## [3.1.40] - 2021-10-13
### Changed
diff --git a/libs/plugins/function.mailto.php b/libs/plugins/function.mailto.php
index 27351df8..8faf696a 100644
--- a/libs/plugins/function.mailto.php
+++ b/libs/plugins/function.mailto.php
@@ -94,22 +94,19 @@ function smarty_function_mailto($params)
);
return;
}
- // FIXME: (rodneyrehm) document.write() excues me what? 1998 has passed!
if ($encode === 'javascript') {
- $string = 'document.write(\'' . $text . '\');';
+ $string = '' . $text . '';
$js_encode = '';
for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$js_encode .= '%' . bin2hex($string[ $x ]);
}
- return '';
+ return '';
} elseif ($encode === 'javascript_charcode') {
$string = '' . $text . '';
- for ($x = 0, $y = strlen($string); $x < $y; $x++) {
+ for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$ord[] = ord($string[ $x ]);
}
- $_ret = "\n";
- return $_ret;
+ return '';
} elseif ($encode === 'hex') {
preg_match('!^(.*)(\?.*)$!', $address, $match);
if (!empty($match[ 2 ])) {