Diffstat (limited to 'program/include')
-rw-r--r--program/include/html.php23
-rw-r--r--program/include/rcmail.php2
-rw-r--r--program/include/rcube_output_html.php2
-rw-r--r--program/include/rcube_utils.php3
4 files changed, 9 insertions, 21 deletions
diff --git a/program/include/html.php b/program/include/html.php
index c6507f813..948794283 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -295,7 +295,7 @@ class html
}
}
else {
- $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value) . '"';
}
}
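Review bot: On the changed line only `$value` is passed through `quote()`; the attribute name `$key` is concatenated into the tag unescaped, and nothing in this hunk constrains it. That is fine as long as attribute names always originate in code, but if an attribute array is ever assembled from request data, a key such as `onmouseover` or one containing `>` would bypass the escaping regardless of how the value is quoted. A whitelist on `$key`, or at least a comment making the assumption explicit, e.g. `// attribute names are trusted (code-supplied); only values are escaped`, would document the contract. The enclosing method starts before this hunk.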
@@ -328,22 +328,13 @@ class html
/**
* Replacing specials characters in html attribute value
*
- * @param string $str Input string
- * @param bool $validate Enables double quotation prevention
+ * @param string $str Input string
*
- * @return string The quoted string
+ * @return string The quoted string
*/
- public static function quote($str, $validate = false)
+ public static function quote($str)
{
- $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
-
- // avoid douple quotation of &
- // @TODO: get rid of it
- if ($validate) {
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
- }
-
- return $str;
+ return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
}
}
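Review bot: The new `return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);` leaves single quotes unencoded, so `quote()` is only a safe escaper where the caller wraps the result in double quotes (as the attribute builder above does) or emits it as element text; a caller building a single-quoted attribute would still be injectable. `ENT_QUOTES` costs nothing in those existing contexts and closes that gap: `return htmlspecialchars($str, ENT_QUOTES, RCMAIL_CHARSET);`. Dropping the `$validate` re-decoding is the right call, since turning an already-escaped `&amp;…` sequence back into a live entity after `htmlspecialchars` let pre-encoded input defeat the escape, but callers that passed pre-escaped content with `$validate = true` will now see `&amp;amp;` and should pass raw text or use the `is_escaped` attribute instead. The docblock should also say that `htmlspecialchars` returns an empty string for input that is not valid in `RCMAIL_CHARSET`, so a malformed value is silently dropped rather than rejected.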
@@ -559,7 +550,7 @@ class html_textarea extends html
}
if (!empty($value) && empty($this->attrib['is_escaped'])) {
- $value = self::quote($value, true);
+ $value = self::quote($value);
}
return self::tag($this->tagname, $this->attrib, $value,
@@ -635,7 +626,7 @@ class html_select extends html
$option_content = $option['text'];
if (empty($this->attrib['is_escaped'])) {
- $option_content = self::quote($option_content, true);
+ $option_content = self::quote($option_content);
}
$this->content .= self::tag('option', $attr, $option_content);
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 5a9a1fa86..ee144faca 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -281,7 +281,7 @@ class rcmail extends rcube
}
$list[$id] = array(
'id' => $id,
- 'name' => $prop['name'],
+ 'name' => html::quote($prop['name']),
'groups' => is_array($prop['groups']),
'readonly' => !$prop['writable'],
'hidden' => $prop['hidden'],
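Review bot: `'name' => html::quote($prop['name'])` escapes at the point where the address-book list is assembled rather than where it is rendered, so the `name` entry becomes HTML-encoded data inside a generic list structure. Any consumer that emits this list through a non-HTML path (JSON/JS environment data, plain-text output) will receive `&amp;` and `&lt;` literally, and an HTML consumer that escapes on output will double-encode; if the list is only ever fed to an HTML renderer this is harmless, but that is not visible from the hunk. Escaping in the output layer is the more robust contract; failing that, mark the field as pre-escaped, e.g. `'name' => html::quote($prop['name']), // HTML-escaped; emit verbatim in HTML only`. The enclosing function starts before this hunk.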
diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php
index 2743e7705..6138e2a30 100644
--- a/program/include/rcube_output_html.php
+++ b/program/include/rcube_output_html.php
@@ -527,7 +527,7 @@ class rcube_output_html extends rcube_output
{
$GLOBALS['__version'] = html::quote(RCMAIL_VERSION);
$GLOBALS['__comm_path'] = html::quote($this->app->comm_path);
- $GLOBALS['__skin_path'] = Q($this->config->get('skin_path'));
+ $GLOBALS['__skin_path'] = html::quote($this->config->get('skin_path'));
return preg_replace_callback('/\$(__[a-z0-9_\-]+)/',
array($this, 'globals_callback'), $input);
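Review bot: `$__skin_path` is substituted by the `preg_replace_callback` below wherever the placeholder occurs in `$input`, and `html::quote` (an `ENT_COMPAT` `htmlspecialchars` wrapper) is only the right encoder when that position is HTML text or a double-quoted attribute; a placeholder inside a `<script>` block, a single-quoted attribute or a URL-building expression would need a context-specific encoder. `skin_path` comes from configuration and is trusted in practice, so the risk is a future template using the placeholder in the wrong context rather than the value itself; a comment above the three assignments, e.g. `// HTML-attribute escaped: placeholders are valid only in text or double-quoted attribute context`, would pin that down. `config->get('skin_path')` may also return null when unset, and `htmlspecialchars(null)` yields `''` silently, so a `(string)` cast or an explicit default makes the intent clearer. The enclosing function starts before this hunk.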
diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php
index c8457b7dc..2a4d4c482 100644
--- a/program/include/rcube_utils.php
+++ b/program/include/rcube_utils.php
@@ -250,9 +250,6 @@ class rcube_utils
$out = strtr($str, $encode_arr);
- // avoid douple quotation of &
- $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out);
-
return $newlines ? nl2br($out) : $out;
}