Add is_escaped attribute for html_select and html_textarea (#1488485)

4 files changed, 24 insertions, 13 deletions

diff --git a/program/include/html.php b/program/include/html.php
index 305a39781..c76eb746b 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -298,7 +298,7 @@ class html
                 }
             }
             else {
-                $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+                $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
             }
         }
 
@@ -331,17 +331,20 @@ class html
     /**
      * Replacing specials characters in html attribute value
      *
-     * @param  string  $str  Input string
+     * @param  string  $str       Input string
+     * @param  bool    $validate  Enables double quotation prevention
      *
      * @return string  The quoted string
      */
-    public static function quote($str)
+    public static function quote($str, $validate = false)
     {
         $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
 
         // avoid douple quotation of &
-        // @TODO: get rid of it?
-        $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+        // @TODO: get rid of it
+        if ($validate) {
+            $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+        }
 
         return $str;
     }
@@ -558,8 +561,8 @@ class html_textarea extends html
             unset($this->attrib['value']);
         }
 
-        if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
-            $value = self::quote($value);
+        if (!empty($value) && empty($this->attrib['is_escaped'])) {
+            $value = self::quote($value, true);
         }
 
         return self::tag($this->tagname, $this->attrib, $value,
@@ -633,7 +636,12 @@ class html_select extends html
                 'selected' => (in_array($option['value'], $select, true) ||
                   in_array($option['text'], $select, true)) ? 1 : null);
 
-            $this->content .= self::tag('option', $attr, self::quote($option['text']));
+            $option_content = $option['text'];
+            if (empty($this->attrib['is_escaped'])) {
+                $option_content = self::quote($option_content, true);
+            }
+
+            $this->content .= self::tag('option', $attr, $option_content);
         }
 
         return parent::show();
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e684a15bb..ee98a3678 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1329,11 +1329,12 @@ class rcmail extends rcube
         $attrib      = $hook['attribs'];
 
         if ($type == 'select') {
+            $attrib['is_escaped'] = true;
             $select = new html_select($attrib);
 
             // add no-selection option
             if ($attrib['noselection']) {
-                $select->add($rcmail->gettext($attrib['noselection']), '');
+                $select->add(html::quote($rcmail->gettext($attrib['noselection'])), '');
             }
 
             $rcmail->render_folder_tree_select($a_mailboxes, $mbox_name, $attrib['maxlength'], $select, $attrib['realnames']);
@@ -1362,7 +1363,7 @@ class rcmail extends rcube
      */
     public function folder_selector($p = array())
     {
-        $p += array('maxlength' => 100, 'realnames' => false);
+        $p += array('maxlength' => 100, 'realnames' => false, 'is_escaped' => true);
         $a_mailboxes = array();
         $storage = $this->get_storage();
 
@@ -1388,7 +1389,7 @@ class rcmail extends rcube
         $select = new html_select($p);
 
         if ($p['noselection']) {
-            $select->add($p['noselection'], '');
+            $select->add(html::quote($p['noselection']), '');
         }
 
         $this->render_folder_tree_select($a_mailboxes, $mbox, $p['maxlength'], $select, $p['realnames'], 0, $p);
@@ -1579,7 +1580,7 @@ class rcmail extends rcube
                 }
             }
 
-            $select->add(str_repeat(' ', $nestLevel*4) . $foldername, $folder['id']);
+            $select->add(str_repeat(' ', $nestLevel*4) . html::quote($foldername), $folder['id']);
 
             if (!empty($folder['folders'])) {
                 $out .= $this->render_folder_tree_select($folder['folders'], $mbox_name, $maxlength,
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 47d97faad..374a87649 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -772,6 +772,7 @@ function rcmail_compose_body($attrib)
   if ($isHtml) {
     $MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
     $attrib['class'] = 'mce_editor';
+    $attrib['is_escaped'] = true;
     $textarea = new html_textarea($attrib);
     $out .= $textarea->show($MESSAGE_BODY);
   }
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index c3ac4688f..2a2616540 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -88,7 +88,8 @@ function rcube_identity_form($attrib)
 
   // Enable TinyMCE editor
   if ($IDENTITY_RECORD['html_signature']) {
-    $form['signature']['content']['signature']['class'] = 'mce_editor';
+    $form['signature']['content']['signature']['class']      = 'mce_editor';
+    $form['signature']['content']['signature']['is_escaped'] = true;
   }
 
   $IDENTITY_RECORD['signature'] = htmlentities($IDENTITY_RECORD['signature'], ENT_NOQUOTES, RCMAIL_CHARSET);