From 73b07f2e921b57188070cc7d66220218d53f83e5 Mon Sep 17 00:00:00 2001
From: Roman Kelesidis
Date: Sat, 18 Nov 2023 10:36:16 +0700
Subject: [PATCH] Security measures (#1113)
---
 posting.php | 2 ++
 privmsg.php | 26 ++++++++++++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/posting.php b/posting.php
index d493e6a83..84d457a96 100644
--- a/posting.php
+++ b/posting.php
@@ -579,6 +579,8 @@ if ($userdata['user_level'] == GROUP_MEMBER || IS_AM) {
 }
 }
+// Assign posting title & hidden fields
+$page_title = '';
 $hidden_form_fields = '';
 switch ($mode) {
diff --git a/privmsg.php b/privmsg.php
index 175b9286a..6755d28e9 100644
--- a/privmsg.php
+++ b/privmsg.php
@@ -1097,14 +1097,24 @@ if ($mode == 'read') {
 $template->assign_block_vars('switch_privmsg', []);
 $template->assign_var('POSTING_USERNAME');
- $post_a = ' ';
- if ($mode == 'post') {
- $post_a = $lang['SEND_A_NEW_MESSAGE'];
- } elseif ($mode == 'reply') {
- $post_a = $lang['SEND_A_REPLY'];
- $mode = 'post';
- } elseif ($mode == 'edit') {
- $post_a = $lang['EDIT_MESSAGE'];
+ //
+ // Assign posting title & hidden fields
+ //
+ $post_a = false;
+ switch ($mode) {
+ case 'post':
+ $post_a = $lang['SEND_A_NEW_MESSAGE'];
+ break;
+ case 'reply':
+ $post_a = $lang['SEND_A_REPLY'];
+ $mode = 'post';
+ break;
+ case 'edit':
+ $post_a = $lang['EDIT_MESSAGE'];
+ break;
+ default:
+ pm_die($lang['NONE_SELECTED']);
+ break;
 }
 $s_hidden_fields = '';
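Review bot: Initialising `$page_title` to `''` in posting.php removes the undefined-variable case, but an unrecognised `$mode` would then pass through with a silently empty title unless the `switch ($mode)` that follows rejects it. The switch body lies outside the hunk, so this cannot be confirmed from here. privmsg.php gains a fail-closed `default:` arm in the same commit, and the same kind of arm would be worth having in this switch if it is not already there. The added comment could also state the intent, for example `// Defaults so $page_title and $hidden_form_fields are always defined, whatever $mode is`.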
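Review bot: The new `default:` arm in privmsg.php rejects an unexpected `$mode` only after `$template->assign_block_vars('switch_privmsg', [])` has already run. An allow-list check where `$mode` is first read from the request (outside this hunk) would stop bad values before any mode-dependent code executes. `switch` also compares loosely, so if `$mode` can ever be a non-string the `case 'post':` arm may match by accident; `switch ((string)$mode) {` keeps the comparison string-to-string. The `break;` after `pm_die($lang['NONE_SELECTED']);` is unreachable if `pm_die()` ends the request, which its name suggests but the hunk does not show; in that case the `$post_a = false;` initialiser is never observed either. The enclosing block begins and ends outside the hunk.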