passwords with less than sign (<) don't work

[nobody]

After upgrading to roundcube-0.1-20060328.tar.bz2 (from
unixified.net) from the 0.1 beta, I can't log in using
a password that contains a less than sign (<).

If my password were "abc<def", roundcube thinks that my
password is "abc".

[nobody]

Logged In: NO 

Reverting this change seems to fix the problem. 

@@ -144,7 +137,10 @@
     {
     show_message("cookiesdisabled", 'warning');
     }
-  else if (isset($_POST['_user']) && isset($_POST['_pass'])
&& rcmail_login($_POST['_user'], $_POST['_pass'], $host))
+  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+           rcmail_login(get_input_value('_user',
RCUBE_INPUT_POST),
+                        get_input_value('_pass',
RCUBE_INPUT_POST),
+                        $host))
     {
     // send redirect
     header("Location: $COMM_PATH");

[nobody]

Logged In: NO 

Reverting this change seems to solve the problem.

@@ -144,7 +137,10 @@
     {
     show_message("cookiesdisabled", 'warning');
     }
-  else if (isset($_POST['_user']) && isset($_POST['_pass'])
&& rcmail_login($_POST['_user'], $_POST['_pass'], $host))
+  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+           rcmail_login(get_input_value('_user',
RCUBE_INPUT_POST),
+                        get_input_value('_pass',
RCUBE_INPUT_POST),
+                        $host))
     {
     // send redirect
     header("Location: $COMM_PATH");

[thomasb]

rcmail_login() uses strip_tags() for XSS protection which obviously strips that off.

[thomasb]

Fixed in Trunk