diff options
author | thomascube <thomas@roundcube.net> | 2006-12-20 14:06:33 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2006-12-20 14:06:33 +0000 |
commit | 2bca6e1da0e46f93297a7f60ff449b6c6ebac239 (patch) | |
tree | 7bdec5b01b6a4c150e99716f7cb3f3ed7d55c1a5 | |
parent | cfdf044df284d294e0e73efb10ebce1052264694 (diff) |
New (strict) quoting for all kind of strings
-rw-r--r-- | program/include/main.inc | 82 | ||||
-rw-r--r-- | program/include/rcube_shared.inc | 8 | ||||
-rw-r--r-- | program/steps/addressbook/func.inc | 2 | ||||
-rw-r--r-- | program/steps/mail/compose.inc | 53 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 67 | ||||
-rw-r--r-- | program/steps/mail/sendmail.inc | 2 | ||||
-rw-r--r-- | program/steps/mail/show.inc | 9 | ||||
-rw-r--r-- | program/steps/mail/upload.inc | 10 | ||||
-rw-r--r-- | program/steps/settings/edit_identity.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/func.inc | 18 | ||||
-rw-r--r-- | program/steps/settings/manage_folders.inc | 18 |
11 files changed, 149 insertions, 122 deletions
diff --git a/program/include/main.inc b/program/include/main.inc index 10436cab2..1abd84aa8 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -734,7 +734,7 @@ function show_message($message, $type='notice', $vars=NULL) $framed = $GLOBALS['_framed']; $command = sprintf("display_message('%s', '%s');", - rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'), + JQ(rcube_label(array('name' => $message, 'vars' => $vars))), $type); if ($REMOTE_REQUEST) @@ -854,7 +854,7 @@ function rcube_add_label() $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');", $JS_OBJECT_NAME, $name, - rep_specialchars_output(rcube_label($name), 'js'))); + JQ(rcube_label($name)))); } @@ -897,8 +897,15 @@ function rcmail_message_cache_gc() } -// convert a string from one charset to another -// this function is not complete and not tested well +/** + * Convert a string from one charset to another. + * Uses mbstring and iconv functions if possible + * + * @param string Input string + * @param string Suspected charset of the input string + * @param string Target charset to convert to; defaults to $GLOBALS['CHARSET'] + * @return Converted string + */ function rcube_charset_convert($str, $from, $to=NULL) { global $MBSTRING; @@ -953,12 +960,19 @@ function rcube_charset_convert($str, $from, $to=NULL) } - -// replace specials characters to a specific encoding type +/** + * Replacing specials characters to a specific encoding type + * + * @param string Input string + * @param string Encoding type: text|html|xml|js|url + * @param string Replace mode for tags: show|replace|remove + * @param boolean Convert newlines + * @return The quoted string + */ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) { global $OUTPUT_TYPE, $OUTPUT; - static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table; + static $html_encode_arr, $js_rep_table, $xml_rep_table; if (!$enctype) $enctype = $GLOBALS['OUTPUT_TYPE']; @@ -1000,21 +1014,18 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) return $newlines ? nl2br($out) : $out; } - if ($enctype=='url') return rawurlencode($str); - - // if the replace tables for RTF, XML and JS are not yet defined + // if the replace tables for XML and JS are not yet defined if (!$js_rep_table) { - $js_rep_table = $rtf_rep_table = $xml_rep_table = array(); + $js_rep_tabl = $xml_rep_table = array(); $xml_rep_table['&'] = '&'; for ($c=160; $c<256; $c++) // can be increased to support more charsets { $hex = dechex($c); - $rtf_rep_table[Chr($c)] = "\\'$hex"; $xml_rep_table[Chr($c)] = "&#$c;"; if ($OUTPUT->get_charset()=='ISO-8859-1') @@ -1025,7 +1036,7 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) $xml_rep_table['"'] = '"'; } - // encode for RTF + // encode for XML if ($enctype=='xml') return strtr($str, $xml_rep_table); @@ -1038,14 +1049,28 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table))); } - // encode for RTF - if ($enctype=='rtf') - return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table)); - // no encoding given -> return original string return $str; } +/** + * Quote a given string. Alias function for rep_specialchars_output + * @see rep_specialchars_output + */ +function Q($str, $mode='strict', $newlines=TRUE) + { + return rep_specialchars_output($str, 'html', $mode, $newlines); + } + +/** + * Quote a given string. Alias function for rep_specialchars_output + * @see rep_specialchars_output + */ +function JQ($str, $mode='strict', $newlines=TRUE) + { + return rep_specialchars_output($str, 'js', $mode, $newlines); + } + /** * Read input value and convert it for internal use @@ -1248,7 +1273,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) // show a label case 'label': if ($attrib['name'] || $attrib['command']) - return rep_specialchars_output(rcube_label($attrib)); + return Q(rcube_label($attrib)); break; // create a menu item @@ -1331,7 +1356,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) else if ($object=='productname') { $name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail'; - return rep_specialchars_output($name, 'html', 'all'); + return Q($name); } else if ($object=='version') { @@ -1353,7 +1378,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) else $title .= ucfirst($task); - return rep_specialchars_output($title, 'html', 'all'); + return Q($title); } break; @@ -1419,12 +1444,12 @@ function rcube_button($attrib) // get localized text for labels and titles if ($attrib['title']) - $attrib['title'] = rep_specialchars_output(rcube_label($attrib['title'])); + $attrib['title'] = Q(rcube_label($attrib['title'])); if ($attrib['label']) - $attrib['label'] = rep_specialchars_output(rcube_label($attrib['label'])); + $attrib['label'] = Q(rcube_label($attrib['label'])); if ($attrib['alt']) - $attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt'])); + $attrib['alt'] = Q(rcube_label($attrib['alt'])); // set title to alt attribute for IE browsers if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt']) @@ -1537,12 +1562,11 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) $table .= "<thead><tr>\n"; foreach ($a_show_cols as $col) - $table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n"; + $table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n"; $table .= "</tr></thead>\n<tbody>\n"; $c = 0; - if (!is_array($table_data)) { while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data))) @@ -1554,8 +1578,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) // format each col foreach ($a_show_cols as $col) { - $cont = rep_specialchars_output($sql_arr[$col]); - $table .= '<td class="'.$col.'">' . $cont . "</td>\n"; + $cont = Q($sql_arr[$col]); + $table .= '<td class="'.$col.'">' . $cont . "</td>\n"; } $table .= "</tr>\n"; @@ -1573,8 +1597,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) // format each col foreach ($a_show_cols as $col) { - $cont = rep_specialchars_output($row_data[$col]); - $table .= '<td class="'.$col.'">' . $cont . "</td>\n"; + $cont = Q($row_data[$col]); + $table .= '<td class="'.$col.'">' . $cont . "</td>\n"; } $table .= "</tr>\n"; diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index 2ac3f3c41..4200a914a 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -133,7 +133,7 @@ class rcube_html_page $this->title = 'RoundCube Mail'; // replace specialchars in content - $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE); + $__page_title = Q($this->title, 'show', FALSE); $__page_header = $__page_body = $__page_footer = ''; @@ -725,7 +725,7 @@ class base_form_element // encode textarea content if ($key=='value') - $value = rep_specialchars_output($value, 'html', 'replace', FALSE); + $value = Q($value, 'strict', FALSE); // attributes with no value if (in_array($key, array('checked', 'multiple', 'disabled', 'selected'))) @@ -879,7 +879,7 @@ class textarea extends base_form_element unset($this->attrib['value']); if (strlen($value) && !isset($this->attrib['mce_editable'])) - $value = rep_specialchars_output($value, 'html', 'replace', FALSE); + $value = Q($value, 'strict', FALSE); // return final tag return sprintf('<%s%s>%s</%s>%s', @@ -1019,7 +1019,7 @@ class select extends base_form_element $this->_conv_case('option', 'tag'), strlen($option['value']) ? sprintf($value_str, $option['value']) : '', $selected, - rep_specialchars_output($option['text'], 'html', 'replace', FALSE), + Q($option['text'], 'strict', FALSE), $this->_conv_case('option', 'tag')); } diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 0df6df3e3..1f993a9d3 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -119,7 +119,7 @@ function rcmail_js_contacts_list($sql_result, $obj_name='this') // format each col foreach ($a_show_cols as $col) { - $cont = rep_specialchars_output($sql_arr[$col]); + $cont = Q($sql_arr[$col]); $a_row_cols[$col] = $cont; } diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index ddc8610b1..a50b1ecf0 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -447,25 +447,26 @@ function rcmail_compose_body($attrib) $lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n"; $OUTPUT->include_script('googiespell.js'); - $OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n". - "googie.lang_chck_spell = \"%s\";\n". - "googie.lang_rsm_edt = \"%s\";\n". - "googie.lang_close = \"%s\";\n". - "googie.lang_revert = \"%s\";\n". - "googie.lang_no_error_found = \"%s\";\n%s". - "googie.setCurrentLanguage('%s');\n". - "googie.decorateTextarea('%s');\n". - "%s.set_env('spellcheck', googie);", - $GLOBALS['COMM_PATH'], - rep_specialchars_output(rcube_label('checkspelling')), - rep_specialchars_output(rcube_label('resumeediting')), - rep_specialchars_output(rcube_label('close')), - rep_specialchars_output(rcube_label('revertto')), - rep_specialchars_output(rcube_label('nospellerrors')), - $lang_set, - substr($_SESSION['user_lang'], 0, 2), - $attrib['id'], - $JS_OBJECT_NAME), 'foot'); + $OUTPUT->add_script(sprintf( + "var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n". + "googie.lang_chck_spell = \"%s\";\n". + "googie.lang_rsm_edt = \"%s\";\n". + "googie.lang_close = \"%s\";\n". + "googie.lang_revert = \"%s\";\n". + "googie.lang_no_error_found = \"%s\";\n%s". + "googie.setCurrentLanguage('%s');\n". + "googie.decorateTextarea('%s');\n". + "%s.set_env('spellcheck', googie);", + $GLOBALS['COMM_PATH'], + JQ(Q(rcube_label('checkspelling'))), + JQ(Q(rcube_label('resumeediting'))), + JQ(Q(rcube_label('close'))), + JQ(Q(rcube_label('revertto'))), + JQ(Q(rcube_label('nospellerrors'))), + $lang_set, + substr($_SESSION['user_lang'], 0, 2), + $attrib['id'], + $JS_OBJECT_NAME), 'foot'); rcube_add_label('checking'); } @@ -552,10 +553,10 @@ function rcmail_create_forward_body($body, $bodyIsHtml) "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" . "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" . "</tbody></table><br>", - rep_specialchars_output($MESSAGE['subject']), - rep_specialchars_output($MESSAGE['headers']->date), - rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)), - rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to))); + Q($MESSAGE['subject']), + Q($MESSAGE['headers']->date), + Q($IMAP->decode_header($MESSAGE['headers']->from)), + Q($IMAP->decode_header($MESSAGE['headers']->to))); } // add attachments @@ -692,9 +693,9 @@ function rcmail_compose_attachment_list($attrib) $id, $JS_OBJECT_NAME, $id, - rcube_label('delete'), + Q(rcube_label('delete')), $button, - rep_specialchars_output($a_prop['name'])); + Q($a_prop['name'])); } $OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id'])); @@ -895,7 +896,7 @@ if ($DB->num_rows($sql_result)) $a_contacts = array(); while ($sql_arr = $DB->fetch_assoc($sql_result)) if ($sql_arr['email']) - $a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js')); + $a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name'])); $OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts))); } diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 0f062156c..f01e95bb9 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -51,7 +51,11 @@ if (!isset($_SESSION['sort_col'])) $_SESSION['sort_col'] = $CONFIG['message_sort_col']; if (!isset($_SESSION['sort_order'])) $_SESSION['sort_order'] = $CONFIG['message_sort_order']; - + +// set message set for search result +if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']])) + $IMAP->set_search_set($_SESSION['search'][$_GET['_search']]); + // define url for getting message parts if (strlen($_GET['_uid'])) @@ -193,7 +197,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m { $fname = abbrevate_string($foldername, $maxlength); if ($fname != $foldername) - $title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"'; + $title = ' title="'.Q($foldername).'"'; $foldername = $fname; } } @@ -215,7 +219,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m else if ($folder['id']==$CONFIG['junk_mbox']) $class_name = 'junk'; - $js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js')); + $js_name = htmlspecialchars(JQ($folder['id'])); $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'. ' onclick="return %s.command(\'list\',\'%s\')"'. ' onmouseover="return %s.focus_mailbox(\'%s\')"' . @@ -237,7 +241,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m $JS_OBJECT_NAME, $js_name, $title, - rep_specialchars_output($foldername, 'html', 'all')); + Q($foldername)); if (!empty($folder['folders'])) $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n"; @@ -274,7 +278,7 @@ function rcmail_render_folder_tree_select(&$arrFolders, &$special, &$mbox_name, $out .= sprintf('<option value="%s">%s%s</option>'."\n", htmlspecialchars($folder['id']), str_repeat(' ', $nestLevel*4), - rep_specialchars_output($foldername, 'html', 'all')); + Q($foldername)); if (!empty($folder['folders'])) $out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1); @@ -340,7 +344,7 @@ function rcmail_message_list($attrib) foreach ($a_show_cols as $col) { // get column name - $col_name = rep_specialchars_output(rcube_label($col)); + $col_name = Q(rcube_label($col)); // make sort links $sort = ''; @@ -394,10 +398,9 @@ function rcmail_message_list($attrib) // no messages in this mailbox if (!sizeof($a_headers)) { - $out .= rep_specialchars_output( - sprintf('<tr><td colspan="%d">%s</td></tr>', - sizeof($a_show_cols)+2, - rcube_label('nomessagesfound'))); + $out .= sprintf('<tr><td colspan="%d">%s</td></tr>', + sizeof($a_show_cols)+2, + Q(rcube_label('nomessagesfound'))); } @@ -443,10 +446,10 @@ function rcmail_message_list($attrib) foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon'])); + $cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show'); else if ($col=='subject') { - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); + $cont = Q($IMAP->decode_header($header->$col)); // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />'; } @@ -455,9 +458,9 @@ function rcmail_message_list($attrib) else if ($col=='date') $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); - $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; + $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; } $out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : ''); @@ -530,15 +533,15 @@ function rcmail_js_message_list($a_headers, $insert_top=FALSE) foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html'); + $cont = Q(rcmail_address_string($header->$col, 3), 'show'); else if ($col=='subject') - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); + $cont = Q($IMAP->decode_header($header->$col)); else if ($col=='size') $cont = show_bytes($header->$col); else if ($col=='date') $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); $a_msg_cols[$col] = $cont; } @@ -642,7 +645,7 @@ function rcmail_quota_display($attrib) $OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id'])); // allow the following attributes to be added to the <span> tag - $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display')); + $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); $out = '<span' . $attrib_str . '>'; $out .= rcmail_quota_content($attrib['display']); @@ -710,7 +713,7 @@ function rcmail_get_messagecount_text($count=NULL, $page=NULL) 'to' => min($max, $start_msg + $IMAP->page_size - 1), 'count' => $max))); - return rep_specialchars_output($out); + return Q($out); } @@ -757,13 +760,13 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) $body = preg_replace($remote_patterns, $remote_replaces, $body); } - return rep_specialchars_output($body, 'html', '', FALSE); + return Q($body, 'show', FALSE); } // text/enriched if ($part->ctype_secondary=='enriched') { - return rep_specialchars_output(enriched_to_html($body), 'html'); + return Q(enriched_to_html($body), 'show'); } else { @@ -812,7 +815,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) $quotation = str_repeat("</blockquote>", $quote_level); $quote_level = $q; - $a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE); + $a_lines[$n] = $quotation . Q($line, 'replace', FALSE); } // insert the links for urls and mailtos @@ -1066,12 +1069,12 @@ function rcmail_message_headers($attrib, $headers=NULL) if ($hkey=='date' && !empty($headers[$hkey])) $header_value = format_date(strtotime($headers[$hkey])); else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to'))) - $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon'])); + $header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show'); else - $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all'); + $header_value = Q($IMAP->decode_header($headers[$hkey])); $out .= "\n<tr>\n"; - $out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).": </td>\n"; + $out .= '<td class="header-title">'.Q(rcube_label($hkey)).": </td>\n"; $out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>"; $header_count++; } @@ -1384,7 +1387,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) { $j++; if ($PRINT_MODE) - $out .= sprintf('%s <%s>', rep_specialchars_output($part['name']), $part['mailto']); + $out .= sprintf('%s <%s>', Q($part['name']), $part['mailto']); else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto'])) { $out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>', @@ -1392,7 +1395,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) $JS_OBJECT_NAME, $part['mailto'], $part['mailto'], - rep_specialchars_output($part['name'])); + Q($part['name'])); if ($addicon) $out .= sprintf(' <a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>', @@ -1405,7 +1408,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) else { if ($part['name']) - $out .= rep_specialchars_output($part['name']); + $out .= Q($part['name']); if ($part['mailto']) $out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', $part['mailto']); } @@ -1442,15 +1445,15 @@ function rcmail_message_part_controls() if ($filename) { $out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n", - rcube_label('filename'), - rep_specialchars_output(rcube_imap::decode_mime_string($filename)), + Q(rcube_label('filename')), + Q(rcube_imap::decode_mime_string($filename)), str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']), - rcube_label('download')); + Q(rcube_label('download'))); } if ($filesize) $out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n", - rcube_label('filesize'), + Q(rcube_label('filesize')), show_bytes($filesize)); $out .= "\n</table>"; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 98f413c85..716072a48 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -468,7 +468,7 @@ else rcmail_compose_cleanup(); rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');", - rep_specialchars_output(rcube_label('messagesent'), 'js'))); + JQ(rcube_label('messagesent')))); } diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index fd82345bb..aa5b3733d 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -150,11 +150,10 @@ function rcmail_remote_objects_msg($attrib) $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); $out = '<div' . $attrib_str . ">"; - $out .= rep_specialchars_output(sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>', - rcube_label('blockedimages'), - $JS_OBJECT_NAME, - rcube_label('showimages'), - rcube_label('showimages'))); + $out .= sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>', + Q(rcube_label('blockedimages')), + $JS_OBJECT_NAME, + Q(rcube_label('showimages'))); $out .= '</div>'; diff --git a/program/steps/mail/upload.inc b/program/steps/mail/upload.inc index cde4ed2d4..50a6dba36 100644 --- a/program/steps/mail/upload.inc +++ b/program/steps/mail/upload.inc @@ -49,16 +49,16 @@ foreach ($_FILES['_attachments']['tmp_name'] as $i => $filepath) if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png')) $button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />', $CONFIG['skin_path'], - rcube_label('delete')); + Q(rcube_label('delete'))); else - $button = rcube_label('delete'); + $button = Q(rcube_label('delete')); $content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s', $JS_OBJECT_NAME, $id, - rcube_label('delete'), - $button, - rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js')); + JQ(Q(rcube_label('delete'))), + JQ($button), + JQ(Q($_FILES['_attachments']['name'][$i]))); $response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');', $JS_OBJECT_NAME, diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index 1ea8947b7..5fa531a11 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -127,7 +127,7 @@ function rcube_identity_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $attrib['id'], - rep_specialchars_output(rcube_label($label)), + Q(rcube_label($label)), $value); } diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index 91f2f9080..e51f6838e 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -60,7 +60,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('language')), + Q(rcube_label('language')), $select_lang->show($sess_user_lang)); } @@ -106,7 +106,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('timezone')), + Q(rcube_label('timezone')), $select_timezone->show($CONFIG['timezone'])); } @@ -117,7 +117,7 @@ function rcmail_user_prefs_form($attrib) $input_dst = new checkbox(array('name' => '_dst_active', 'id' => $field_id, 'value' => 1)); $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('dstactive')), + Q(rcube_label('dstactive')), $input_dst->show($CONFIG['dst_active'])); } @@ -129,7 +129,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('pagesize')), + Q(rcube_label('pagesize')), $input_pagesize->show($CONFIG['pagesize'])); } @@ -141,7 +141,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('prettydate')), + Q(rcube_label('prettydate')), $input_prettydate->show($CONFIG['prettydate']?1:0)); } @@ -153,7 +153,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('preferhtml')), + Q(rcube_label('preferhtml')), $input_pagesize->show($CONFIG['prefer_html']?1:0)); } @@ -164,7 +164,7 @@ function rcmail_user_prefs_form($attrib) $input_htmleditor = new checkbox(array('name' => '_htmleditor', 'id' => $field_id, 'value' => 1)); $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('htmleditor')), + Q(rcube_label('htmleditor')), $input_htmleditor->show($CONFIG['htmleditor']?1:0)); } @@ -175,7 +175,7 @@ function rcmail_user_prefs_form($attrib) $input_preview = new checkbox(array('name' => '_preview_pane', 'id' => $field_id, 'value' => 1)); $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('previewpane')), + Q(rcube_label('previewpane')), $input_preview->show($CONFIG['preview_pane']?1:0)); } @@ -189,7 +189,7 @@ function rcmail_user_prefs_form($attrib) $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n", $field_id, - rep_specialchars_output(rcube_label('autosavedraft')), + Q(rcube_label('autosavedraft')), $select_autosave->show($CONFIG['draft_autosave'])); } diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc index 5f2da4e7f..8abd2c3b6 100644 --- a/program/steps/settings/manage_folders.inc +++ b/program/steps/settings/manage_folders.inc @@ -52,8 +52,8 @@ else if ($_action=='create-folder') if ($create && $REMOTE_REQUEST) { $commands = sprintf("this.add_folder_row('%s','%s')", - rep_specialchars_output($create, 'js'), - rep_specialchars_output(rcube_charset_convert($create, 'UTF-7'), 'js')); + JQ($create), + JQ(rcube_charset_convert($create, 'UTF-7'))); rcube_remote_response($commands); } else if (!$create && $REMOTE_REQUEST) @@ -74,9 +74,9 @@ else if ($_action=='rename-folder') if ($rename && $REMOTE_REQUEST) { $commands = sprintf("this.replace_folder_row('%s','%s','%s');\n", - rep_specialchars_output(get_input_value('_folder_oldname', RCUBE_INPUT_GET), 'js'), - rep_specialchars_output($rename, 'js'), - rep_specialchars_output(rcube_charset_convert($rename, 'UTF-7'), 'js')); + JQ(get_input_value('_folder_oldname', RCUBE_INPUT_GET)), + JQ($rename), + JQ(rcube_charset_convert($rename, 'UTF-7'))); $commands .= "this.reset_folder_rename();\n"; @@ -100,7 +100,7 @@ else if ($_action=='delete-folder') if ($REMOTE_REQUEST && $deleted) { - $commands = sprintf("this.remove_folder_row('%s');\n", rep_specialchars_output(get_input_value('_mboxes', RCUBE_INPUT_GET), 'js')); + $commands = sprintf("this.remove_folder_row('%s');\n", JQ(get_input_value('_mboxes', RCUBE_INPUT_GET))); $commands .= show_message('folderdeleted', 'confirmation'); rcube_remote_response($commands); } @@ -165,8 +165,8 @@ function rcube_subscription_form($attrib) $subscribed = in_array($folder, $a_subscribed); $protected = ($CONFIG['protect_default_folders'] == TRUE && in_array($folder,$CONFIG['default_imap_folders'])); $zebra_class = $i%2 ? 'even' : 'odd'; - $folder_js = rep_specialchars_output($folder, 'js'); - $folder_js_enc = rep_specialchars_output(rcube_charset_convert($folder, 'UTF-7'), 'js'); + $folder_js = JQ($folder); + $folder_js_enc = JQ(rcube_charset_convert($folder, 'UTF-7')); $folder_html = $CONFIG['protect_default_folders'] && in_array($folder, $CONFIG['default_imap_folders']) ? rcube_label(strtolower($folder)) : rcube_charset_convert($folder, 'UTF-7'); if (!$protected) @@ -175,7 +175,7 @@ function rcube_subscription_form($attrib) $out .= sprintf('<tr id="rcmrow%d" class="%s"><td>%s</td>', $i+1, $zebra_class, - rep_specialchars_output($folder_html, 'html', 'all')); + Q($folder_html)); if ($protected) $out .= '<td> '.($subscribed ? '•' : '-').'</td>'; |