Diffstat (limited to 'program/include')
-rw-r--r-- | program/include/html.php | 24 | ||||
-rw-r--r-- | program/include/rcmail.php | 9 |
2 files changed, 21 insertions, 12 deletions
diff --git a/program/include/html.php b/program/include/html.php
index 305a39781..c76eb746b 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -298,7 +298,7 @@ class html
}
}
else {
- $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
}
}
@@ -331,17 +331,20 @@ class html
/**
* Replacing specials characters in html attribute value
*
- * @param string $str Input string
+ * @param string $str Input string
+ * @param bool $validate Enables double quotation prevention
*
* @return string The quoted string
*/
- public static function quote($str)
+ public static function quote($str, $validate = false)
{
$str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
// avoid douple quotation of &
- // @TODO: get rid of it?
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ // @TODO: get rid of it
+ if ($validate) {
+ $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ }
return $str;
}
@@ -558,8 +561,8 @@ class html_textarea extends html
unset($this->attrib['value']);
}
- if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
- $value = self::quote($value);
+ if (!empty($value) && empty($this->attrib['is_escaped'])) {
+ $value = self::quote($value, true);
}
return self::tag($this->tagname, $this->attrib, $value,
@@ -633,7 +636,12 @@ class html_select extends html
'selected' => (in_array($option['value'], $select, true) || in_array($option['text'], $select, true)) ? 1 : null);
- $this->content .= self::tag('option', $attr, self::quote($option['text']));
+ $option_content = $option['text'];
+ if (empty($this->attrib['is_escaped'])) {
+ $option_content = self::quote($option_content, true);
+ }
+
+ $this->content .= self::tag('option', $attr, $option_content);
}
return parent::show();
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e684a15bb..ee98a3678 100644
--- a/program/include/rcmail.php
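Review bot: The new `$validate` parameter of `quote()` is named and documented in a way that hides what the branch does: it validates nothing, it runs one `preg_replace()` that collapses entities already present in `$str` after `htmlspecialchars()` has encoded their ampersand, so with `true` the output no longer represents an input that contained literal entity text, while the new default `false` encodes everything (the safer choice for untrusted text). The docblock should say so, e.g. `@param bool $validate Collapse entities that were already encoded in $str (e.g. &amp;lt; back to &lt;) instead of encoding their ampersand; only for input trusted to carry valid entities`. As rendered on this page the pattern and the replacement read the same (`/&(...);/` -> `&\1;`), which would make the branch a no-op; presumably the `amp;` part of the pattern was lost in rendering, worth confirming against the source. The first hunk keeps the old behaviour for attribute values by passing `true`.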
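Review bot: Replacing the `mce_editor` class test in `html_textarea::show()` with `empty($this->attrib['is_escaped'])` moves the responsibility for unescaped content to the caller without checking anything: a caller that still relies on `class="mce_editor"` and does not set `is_escaped` now gets its HTML body passed through `quote()`, and any caller that sets `is_escaped` must itself guarantee `$value` is HTML-safe. The method starts and ends outside the hunk. If the attribute filtering behind `self::tag()` (not visible here) does not drop `is_escaped` from `$this->attrib`, the flag would also be emitted into the markup as an attribute; worth confirming. A comment at the check would make the contract explicit: `// is_escaped: the caller vouches that $value is already HTML-safe; never set it for user-supplied text`.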
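Review bot: With `is_escaped` set, `html_select::show()` writes every option text into the markup unescaped, so the flag makes the select a trust boundary the class cannot verify: a single `add()` with raw user text on such a select is an injection, and the same applies to the textarea hunk above. The `selected` test a few lines up still compares `$option['text']` against `$select`, so once callers pre-quote the text, a selection given by display text (rather than by value) would no longer match names containing `&`, `<`, `>` or `"`; this is inferred from the visible lines only. Suggest a comment on the new branch: `// is_escaped: every option text was html::quote()d by the caller; do not reuse the select with raw add() calls`.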
+++ b/program/include/rcmail.php
@@ -1329,11 +1329,12 @@ class rcmail extends rcube
$attrib = $hook['attribs'];
if ($type == 'select') {
+ $attrib['is_escaped'] = true;
$select = new html_select($attrib);
// add no-selection option
if ($attrib['noselection']) {
- $select->add($rcmail->gettext($attrib['noselection']), '');
+ $select->add(html::quote($rcmail->gettext($attrib['noselection'])), '');
}
$rcmail->render_folder_tree_select($a_mailboxes, $mbox_name, $attrib['maxlength'], $select, $attrib['realnames']);
@@ -1362,7 +1363,7 @@ class rcmail extends rcube
*/
public function folder_selector($p = array())
{
- $p += array('maxlength' => 100, 'realnames' => false);
+ $p += array('maxlength' => 100, 'realnames' => false, 'is_escaped' => true);
$a_mailboxes = array();
$storage = $this->get_storage();
@@ -1388,7 +1389,7 @@ class rcmail extends rcube
$select = new html_select($p);
if ($p['noselection']) {
- $select->add($p['noselection'], '');
+ $select->add(html::quote($p['noselection']), '');
}
$this->render_folder_tree_select($a_mailboxes, $mbox, $p['maxlength'], $select, $p['realnames'], 0, $p);
@@ -1579,7 +1580,7 @@ class rcmail extends rcube
}
}
- $select->add(str_repeat(' ', $nestLevel*4) . $foldername, $folder['id']);
+ $select->add(str_repeat(' ', $nestLevel*4) . html::quote($foldername), $folder['id']);
if (!empty($folder['folders'])) {
$out .= $this->render_folder_tree_select($folder['folders'], $mbox_name, $maxlength, |
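Review bot: In `folder_selector()`, `$p += array(..., 'is_escaped' => true)` only supplies a default, so a caller that passes `'is_escaped' => false` (or any falsy value) in `$p` wins, yet the `html::quote()` calls on the `noselection` option and on each folder name in `render_folder_tree_select()` run unconditionally, and `html_select::show()` would then quote the already-quoted text a second time. Since this method always pre-quotes, the flag should not be caller-overridable: keep the `+=` line for the other defaults and add `$p['is_escaped'] = true;` after it. The first hunk assigns `$attrib['is_escaped'] = true` directly and does not have this problem; the third hunk relies on the `$p` defaults set here.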
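Review bot: `render_folder_tree_select()` now adds `html::quote($foldername)` to a select it receives as a parameter, so it silently depends on that select having been created with `is_escaped`: a select without the flag gets double-encoded names (`&amp;amp;` rendering as `&amp;`), and a select with it must not receive raw text from any other `add()`. The method's signature and docblock are outside the hunk; the contract belongs there, e.g. `@param html_select $select Select built with 'is_escaped' => true; every option text added here is already html::quote()d`. The indentation prefix from `str_repeat()` is concatenated after quoting and is shown on this page as a plain space; if it is an entity in the source (presumably the reason pre-quoting was introduced), that is why it must stay outside `html::quote()`, which deserves a one-line comment. Any `$maxlength` truncation of `$foldername` (not visible in the hunk) has to keep happening before the quote call so an entity is never cut in half.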