Diffstat (limited to 'program/include/html.php')
-rw-r--r--program/include/html.php66
1 files changed, 54 insertions, 12 deletions
diff --git a/program/include/html.php b/program/include/html.php
index 0e89d778f..305a39781 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -277,7 +277,7 @@ class html
$attrib_arr = array();
foreach ($attrib as $key => $value) {
// skip size if not numeric
- if (($key=='size' && !is_numeric($value))) {
+ if ($key == 'size' && !is_numeric($value)) {
continue;
}
@@ -297,17 +297,57 @@ class html
$attrib_arr[] = $key . '="' . $key . '"';
}
}
- else if ($key=='value') {
- $attrib_arr[] = $key . '="' . Q($value, 'strict', false) . '"';
- }
else {
- $attrib_arr[] = $key . '="' . Q($value) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value) . '"';
}
}
+
return count($attrib_arr) ? ' '.implode(' ', $attrib_arr) : '';
}
+
+ /**
+ * Convert a HTML attribute string attributes to an associative array (name => value)
+ *
+ * @param string Input string
+ * @return array Key-value pairs of parsed attributes
+ */
+ public static function parse_attrib_string($str)
+ {
+ $attrib = array();
+ $regexp = '/\s*([-_a-z]+)=(["\'])??(?(2)([^\2]*)\2|(\S+?))/Ui';
+
+ preg_match_all($regexp, stripslashes($str), $regs, PREG_SET_ORDER);
+
+ // convert attributes to an associative array (name => value)
+ if ($regs) {
+ foreach ($regs as $attr) {
+ $attrib[strtolower($attr[1])] = html_entity_decode($attr[3] . $attr[4]);
+ }
+ }
+
+ return $attrib;
+ }
+
+ /**
+ * Replacing specials characters in html attribute value
+ *
+ * @param string $str Input string
+ *
+ * @return string The quoted string
+ */
+ public static function quote($str)
+ {
+ $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
+
+ // avoid douple quotation of &
+ // @TODO: get rid of it?
+ $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+
+ return $str;
+ }
}
+
/**
* Class to create an HTML input field
*
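Review bot: The "avoid double quotation" regex in the new `quote()` is a no-op: `htmlspecialchars` has already turned every `&` into `&amp;`, so the only sequence `'/&([A-Za-z]{2,6}|#[0-9]{2,4});/'` can still match is `&amp;`, which it rewrites to `&amp;`. Either drop the two lines (the `@TODO` above them already leans that way, and leaving values fully escaped is the safer behaviour for attribute output), or, if the intent is to pass pre-encoded entities through, match them explicitly with `'/&amp;([A-Za-z]{2,6}|#[0-9]{2,4});/'` and document in the docblock that `quote()` then relaxes escaping for every caller. The method is public and now used for element text as well as the double-quoted attributes built above it, but `ENT_COMPAT` leaves `'` unescaped; `ENT_QUOTES` would make it safe in single-quoted attribute contexts too. In `parse_attrib_string`, `html_entity_decode($attr[3] . $attr[4])` is called without a charset while `quote()` passes `RCMAIL_CHARSET`; passing the same constant keeps the two directions consistent.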
@@ -317,9 +357,11 @@ class html_inputfield extends html
{
protected $tagname = 'input';
protected $type = 'text';
- protected $allowed = array('type','name','value','size','tabindex',
+ protected $allowed = array(
+ 'type','name','value','size','tabindex',
'autocomplete','checked','onchange','onclick','disabled','readonly',
- 'spellcheck','results','maxlength','src','multiple','placeholder');
+ 'spellcheck','results','maxlength','src','multiple','placeholder',
+ );
/**
* Object constructor
@@ -517,11 +559,11 @@ class html_textarea extends html
}
if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
- $value = Q($value, 'strict', false);
+ $value = self::quote($value);
}
return self::tag($this->tagname, $this->attrib, $value,
- array_merge(self::$common_attrib, $this->allowed));
+ array_merge(self::$common_attrib, $this->allowed));
}
}
@@ -550,7 +592,7 @@ class html_select extends html
protected $options = array();
protected $allowed = array('name','size','tabindex','autocomplete',
'multiple','onchange','disabled','rel');
-
+
/**
* Add a new option to this drop-down
*
@@ -591,8 +633,9 @@ class html_select extends html
'selected' => (in_array($option['value'], $select, true) ||
in_array($option['text'], $select, true)) ? 1 : null);
- $this->content .= self::tag('option', $attr, Q($option['text']));
+ $this->content .= self::tag('option', $attr, self::quote($option['text']));
}
+
return parent::show();
}
}
@@ -803,4 +846,3 @@ class html_table extends html
}
}
-