Security measures (#1113)

posting.php

@@ -579,6 +579,8 @@ if ($userdata['user_level'] == GROUP_MEMBER || IS_AM) {
     }
 }
 
+// Assign posting title & hidden fields
+$page_title = '';
 $hidden_form_fields = '<input type="hidden" name="mode" value="' . $mode . '" />';
 
 switch ($mode) {

privmsg.php

@@ -1097,14 +1097,24 @@ if ($mode == 'read') {
     $template->assign_block_vars('switch_privmsg', []);
     $template->assign_var('POSTING_USERNAME');
 
-    $post_a = ' ';
+    //
-    if ($mode == 'post') {
+    // Assign posting title & hidden fields
+    //
+    $post_a = false;
+    switch ($mode) {
+        case 'post':
             $post_a = $lang['SEND_A_NEW_MESSAGE'];
-    } elseif ($mode == 'reply') {
+            break;
+        case 'reply':
             $post_a = $lang['SEND_A_REPLY'];
             $mode = 'post';
-    } elseif ($mode == 'edit') {
+            break;
+        case 'edit':
             $post_a = $lang['EDIT_MESSAGE'];
+            break;
+        default:
+            pm_die($lang['NONE_SELECTED']);
+            break;
     }
 
     $s_hidden_fields = '<input type="hidden" name="folder" value="' . $folder . '" />';