diff options
author | thomascube <thomas@roundcube.net> | 2006-12-20 14:06:33 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2006-12-20 14:06:33 +0000 |
commit | 2bca6e1da0e46f93297a7f60ff449b6c6ebac239 (patch) | |
tree | 7bdec5b01b6a4c150e99716f7cb3f3ed7d55c1a5 /program/steps/mail | |
parent | cfdf044df284d294e0e73efb10ebce1052264694 (diff) |
New (strict) quoting for all kind of strings
Diffstat (limited to 'program/steps/mail')
-rw-r--r-- | program/steps/mail/compose.inc | 53 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 67 | ||||
-rw-r--r-- | program/steps/mail/sendmail.inc | 2 | ||||
-rw-r--r-- | program/steps/mail/show.inc | 9 | ||||
-rw-r--r-- | program/steps/mail/upload.inc | 10 |
5 files changed, 72 insertions, 69 deletions
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index ddc8610b1..a50b1ecf0 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -447,25 +447,26 @@ function rcmail_compose_body($attrib) $lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n"; $OUTPUT->include_script('googiespell.js'); - $OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n". - "googie.lang_chck_spell = \"%s\";\n". - "googie.lang_rsm_edt = \"%s\";\n". - "googie.lang_close = \"%s\";\n". - "googie.lang_revert = \"%s\";\n". - "googie.lang_no_error_found = \"%s\";\n%s". - "googie.setCurrentLanguage('%s');\n". - "googie.decorateTextarea('%s');\n". - "%s.set_env('spellcheck', googie);", - $GLOBALS['COMM_PATH'], - rep_specialchars_output(rcube_label('checkspelling')), - rep_specialchars_output(rcube_label('resumeediting')), - rep_specialchars_output(rcube_label('close')), - rep_specialchars_output(rcube_label('revertto')), - rep_specialchars_output(rcube_label('nospellerrors')), - $lang_set, - substr($_SESSION['user_lang'], 0, 2), - $attrib['id'], - $JS_OBJECT_NAME), 'foot'); + $OUTPUT->add_script(sprintf( + "var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n". + "googie.lang_chck_spell = \"%s\";\n". + "googie.lang_rsm_edt = \"%s\";\n". + "googie.lang_close = \"%s\";\n". + "googie.lang_revert = \"%s\";\n". + "googie.lang_no_error_found = \"%s\";\n%s". + "googie.setCurrentLanguage('%s');\n". + "googie.decorateTextarea('%s');\n". + "%s.set_env('spellcheck', googie);", + $GLOBALS['COMM_PATH'], + JQ(Q(rcube_label('checkspelling'))), + JQ(Q(rcube_label('resumeediting'))), + JQ(Q(rcube_label('close'))), + JQ(Q(rcube_label('revertto'))), + JQ(Q(rcube_label('nospellerrors'))), + $lang_set, + substr($_SESSION['user_lang'], 0, 2), + $attrib['id'], + $JS_OBJECT_NAME), 'foot'); rcube_add_label('checking'); } @@ -552,10 +553,10 @@ function rcmail_create_forward_body($body, $bodyIsHtml) "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" . "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" . "</tbody></table><br>", - rep_specialchars_output($MESSAGE['subject']), - rep_specialchars_output($MESSAGE['headers']->date), - rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)), - rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to))); + Q($MESSAGE['subject']), + Q($MESSAGE['headers']->date), + Q($IMAP->decode_header($MESSAGE['headers']->from)), + Q($IMAP->decode_header($MESSAGE['headers']->to))); } // add attachments @@ -692,9 +693,9 @@ function rcmail_compose_attachment_list($attrib) $id, $JS_OBJECT_NAME, $id, - rcube_label('delete'), + Q(rcube_label('delete')), $button, - rep_specialchars_output($a_prop['name'])); + Q($a_prop['name'])); } $OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id'])); @@ -895,7 +896,7 @@ if ($DB->num_rows($sql_result)) $a_contacts = array(); while ($sql_arr = $DB->fetch_assoc($sql_result)) if ($sql_arr['email']) - $a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js')); + $a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name'])); $OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts))); } diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 0f062156c..f01e95bb9 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -51,7 +51,11 @@ if (!isset($_SESSION['sort_col'])) $_SESSION['sort_col'] = $CONFIG['message_sort_col']; if (!isset($_SESSION['sort_order'])) $_SESSION['sort_order'] = $CONFIG['message_sort_order']; - + +// set message set for search result +if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']])) + $IMAP->set_search_set($_SESSION['search'][$_GET['_search']]); + // define url for getting message parts if (strlen($_GET['_uid'])) @@ -193,7 +197,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m { $fname = abbrevate_string($foldername, $maxlength); if ($fname != $foldername) - $title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"'; + $title = ' title="'.Q($foldername).'"'; $foldername = $fname; } } @@ -215,7 +219,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m else if ($folder['id']==$CONFIG['junk_mbox']) $class_name = 'junk'; - $js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js')); + $js_name = htmlspecialchars(JQ($folder['id'])); $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'. ' onclick="return %s.command(\'list\',\'%s\')"'. ' onmouseover="return %s.focus_mailbox(\'%s\')"' . @@ -237,7 +241,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m $JS_OBJECT_NAME, $js_name, $title, - rep_specialchars_output($foldername, 'html', 'all')); + Q($foldername)); if (!empty($folder['folders'])) $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n"; @@ -274,7 +278,7 @@ function rcmail_render_folder_tree_select(&$arrFolders, &$special, &$mbox_name, $out .= sprintf('<option value="%s">%s%s</option>'."\n", htmlspecialchars($folder['id']), str_repeat(' ', $nestLevel*4), - rep_specialchars_output($foldername, 'html', 'all')); + Q($foldername)); if (!empty($folder['folders'])) $out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1); @@ -340,7 +344,7 @@ function rcmail_message_list($attrib) foreach ($a_show_cols as $col) { // get column name - $col_name = rep_specialchars_output(rcube_label($col)); + $col_name = Q(rcube_label($col)); // make sort links $sort = ''; @@ -394,10 +398,9 @@ function rcmail_message_list($attrib) // no messages in this mailbox if (!sizeof($a_headers)) { - $out .= rep_specialchars_output( - sprintf('<tr><td colspan="%d">%s</td></tr>', - sizeof($a_show_cols)+2, - rcube_label('nomessagesfound'))); + $out .= sprintf('<tr><td colspan="%d">%s</td></tr>', + sizeof($a_show_cols)+2, + Q(rcube_label('nomessagesfound'))); } @@ -443,10 +446,10 @@ function rcmail_message_list($attrib) foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon'])); + $cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show'); else if ($col=='subject') { - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); + $cont = Q($IMAP->decode_header($header->$col)); // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />'; } @@ -455,9 +458,9 @@ function rcmail_message_list($attrib) else if ($col=='date') $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); - $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; + $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; } $out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : ''); @@ -530,15 +533,15 @@ function rcmail_js_message_list($a_headers, $insert_top=FALSE) foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html'); + $cont = Q(rcmail_address_string($header->$col, 3), 'show'); else if ($col=='subject') - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); + $cont = Q($IMAP->decode_header($header->$col)); else if ($col=='size') $cont = show_bytes($header->$col); else if ($col=='date') $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); $a_msg_cols[$col] = $cont; } @@ -642,7 +645,7 @@ function rcmail_quota_display($attrib) $OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id'])); // allow the following attributes to be added to the <span> tag - $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display')); + $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); $out = '<span' . $attrib_str . '>'; $out .= rcmail_quota_content($attrib['display']); @@ -710,7 +713,7 @@ function rcmail_get_messagecount_text($count=NULL, $page=NULL) 'to' => min($max, $start_msg + $IMAP->page_size - 1), 'count' => $max))); - return rep_specialchars_output($out); + return Q($out); } @@ -757,13 +760,13 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) $body = preg_replace($remote_patterns, $remote_replaces, $body); } - return rep_specialchars_output($body, 'html', '', FALSE); + return Q($body, 'show', FALSE); } // text/enriched if ($part->ctype_secondary=='enriched') { - return rep_specialchars_output(enriched_to_html($body), 'html'); + return Q(enriched_to_html($body), 'show'); } else { @@ -812,7 +815,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) $quotation = str_repeat("</blockquote>", $quote_level); $quote_level = $q; - $a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE); + $a_lines[$n] = $quotation . Q($line, 'replace', FALSE); } // insert the links for urls and mailtos @@ -1066,12 +1069,12 @@ function rcmail_message_headers($attrib, $headers=NULL) if ($hkey=='date' && !empty($headers[$hkey])) $header_value = format_date(strtotime($headers[$hkey])); else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to'))) - $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon'])); + $header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show'); else - $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all'); + $header_value = Q($IMAP->decode_header($headers[$hkey])); $out .= "\n<tr>\n"; - $out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).": </td>\n"; + $out .= '<td class="header-title">'.Q(rcube_label($hkey)).": </td>\n"; $out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>"; $header_count++; } @@ -1384,7 +1387,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) { $j++; if ($PRINT_MODE) - $out .= sprintf('%s <%s>', rep_specialchars_output($part['name']), $part['mailto']); + $out .= sprintf('%s <%s>', Q($part['name']), $part['mailto']); else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto'])) { $out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>', @@ -1392,7 +1395,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) $JS_OBJECT_NAME, $part['mailto'], $part['mailto'], - rep_specialchars_output($part['name'])); + Q($part['name'])); if ($addicon) $out .= sprintf(' <a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>', @@ -1405,7 +1408,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL) else { if ($part['name']) - $out .= rep_specialchars_output($part['name']); + $out .= Q($part['name']); if ($part['mailto']) $out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', $part['mailto']); } @@ -1442,15 +1445,15 @@ function rcmail_message_part_controls() if ($filename) { $out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n", - rcube_label('filename'), - rep_specialchars_output(rcube_imap::decode_mime_string($filename)), + Q(rcube_label('filename')), + Q(rcube_imap::decode_mime_string($filename)), str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']), - rcube_label('download')); + Q(rcube_label('download'))); } if ($filesize) $out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n", - rcube_label('filesize'), + Q(rcube_label('filesize')), show_bytes($filesize)); $out .= "\n</table>"; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 98f413c85..716072a48 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -468,7 +468,7 @@ else rcmail_compose_cleanup(); rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');", - rep_specialchars_output(rcube_label('messagesent'), 'js'))); + JQ(rcube_label('messagesent')))); } diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index fd82345bb..aa5b3733d 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -150,11 +150,10 @@ function rcmail_remote_objects_msg($attrib) $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); $out = '<div' . $attrib_str . ">"; - $out .= rep_specialchars_output(sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>', - rcube_label('blockedimages'), - $JS_OBJECT_NAME, - rcube_label('showimages'), - rcube_label('showimages'))); + $out .= sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>', + Q(rcube_label('blockedimages')), + $JS_OBJECT_NAME, + Q(rcube_label('showimages'))); $out .= '</div>'; diff --git a/program/steps/mail/upload.inc b/program/steps/mail/upload.inc index cde4ed2d4..50a6dba36 100644 --- a/program/steps/mail/upload.inc +++ b/program/steps/mail/upload.inc @@ -49,16 +49,16 @@ foreach ($_FILES['_attachments']['tmp_name'] as $i => $filepath) if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png')) $button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />', $CONFIG['skin_path'], - rcube_label('delete')); + Q(rcube_label('delete'))); else - $button = rcube_label('delete'); + $button = Q(rcube_label('delete')); $content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s', $JS_OBJECT_NAME, $id, - rcube_label('delete'), - $button, - rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js')); + JQ(Q(rcube_label('delete'))), + JQ($button), + JQ(Q($_FILES['_attachments']['name'][$i]))); $response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');', $JS_OBJECT_NAME, |