diff options
Diffstat (limited to 'program/include')
-rw-r--r-- | program/include/html.php | 23 | ||||
-rw-r--r-- | program/include/rcmail.php | 2 | ||||
-rw-r--r-- | program/include/rcube_output_html.php | 2 | ||||
-rw-r--r-- | program/include/rcube_utils.php | 3 |
4 files changed, 9 insertions, 21 deletions
diff --git a/program/include/html.php b/program/include/html.php index c6507f813..948794283 100644 --- a/program/include/html.php +++ b/program/include/html.php @@ -295,7 +295,7 @@ class html } } else { - $attrib_arr[] = $key . '="' . self::quote($value, true) . '"'; + $attrib_arr[] = $key . '="' . self::quote($value) . '"'; } } @@ -328,22 +328,13 @@ class html /** * Replacing specials characters in html attribute value * - * @param string $str Input string - * @param bool $validate Enables double quotation prevention + * @param string $str Input string * - * @return string The quoted string + * @return string The quoted string */ - public static function quote($str, $validate = false) + public static function quote($str) { - $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); - - // avoid douple quotation of & - // @TODO: get rid of it - if ($validate) { - $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str); - } - - return $str; + return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); } } @@ -559,7 +550,7 @@ class html_textarea extends html } if (!empty($value) && empty($this->attrib['is_escaped'])) { - $value = self::quote($value, true); + $value = self::quote($value); } return self::tag($this->tagname, $this->attrib, $value, @@ -635,7 +626,7 @@ class html_select extends html $option_content = $option['text']; if (empty($this->attrib['is_escaped'])) { - $option_content = self::quote($option_content, true); + $option_content = self::quote($option_content); } $this->content .= self::tag('option', $attr, $option_content); diff --git a/program/include/rcmail.php b/program/include/rcmail.php index 5a9a1fa86..ee144faca 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -281,7 +281,7 @@ class rcmail extends rcube } $list[$id] = array( 'id' => $id, - 'name' => $prop['name'], + 'name' => html::quote($prop['name']), 'groups' => is_array($prop['groups']), 'readonly' => !$prop['writable'], 'hidden' => $prop['hidden'], diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php index 2743e7705..6138e2a30 100644 --- a/program/include/rcube_output_html.php +++ b/program/include/rcube_output_html.php @@ -527,7 +527,7 @@ class rcube_output_html extends rcube_output { $GLOBALS['__version'] = html::quote(RCMAIL_VERSION); $GLOBALS['__comm_path'] = html::quote($this->app->comm_path); - $GLOBALS['__skin_path'] = Q($this->config->get('skin_path')); + $GLOBALS['__skin_path'] = html::quote($this->config->get('skin_path')); return preg_replace_callback('/\$(__[a-z0-9_\-]+)/', array($this, 'globals_callback'), $input); diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php index c8457b7dc..2a4d4c482 100644 --- a/program/include/rcube_utils.php +++ b/program/include/rcube_utils.php @@ -250,9 +250,6 @@ class rcube_utils $out = strtr($str, $encode_arr); - // avoid douple quotation of & - $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out); - return $newlines ? nl2br($out) : $out; } |