summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
Diffstat (limited to 'program')
-rw-r--r--program/include/html.php23
-rw-r--r--program/include/rcmail.php2
-rw-r--r--program/include/rcube_output_html.php2
-rw-r--r--program/include/rcube_utils.php5
-rw-r--r--program/lib/html2text.php2
-rw-r--r--program/steps/addressbook/edit.inc7
-rw-r--r--program/steps/addressbook/func.inc5
-rw-r--r--program/steps/addressbook/import.inc2
-rw-r--r--program/steps/settings/func.inc2
9 files changed, 21 insertions, 29 deletions
diff --git a/program/include/html.php b/program/include/html.php
index c6507f813..948794283 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -295,7 +295,7 @@ class html
}
}
else {
- $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value) . '"';
}
}
@@ -328,22 +328,13 @@ class html
/**
* Replacing specials characters in html attribute value
*
- * @param string $str Input string
- * @param bool $validate Enables double quotation prevention
+ * @param string $str Input string
*
- * @return string The quoted string
+ * @return string The quoted string
*/
- public static function quote($str, $validate = false)
+ public static function quote($str)
{
- $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
-
- // avoid douple quotation of &
- // @TODO: get rid of it
- if ($validate) {
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
- }
-
- return $str;
+ return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
}
}
@@ -559,7 +550,7 @@ class html_textarea extends html
}
if (!empty($value) && empty($this->attrib['is_escaped'])) {
- $value = self::quote($value, true);
+ $value = self::quote($value);
}
return self::tag($this->tagname, $this->attrib, $value,
@@ -635,7 +626,7 @@ class html_select extends html
$option_content = $option['text'];
if (empty($this->attrib['is_escaped'])) {
- $option_content = self::quote($option_content, true);
+ $option_content = self::quote($option_content);
}
$this->content .= self::tag('option', $attr, $option_content);
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 5a9a1fa86..ee144faca 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -281,7 +281,7 @@ class rcmail extends rcube
}
$list[$id] = array(
'id' => $id,
- 'name' => $prop['name'],
+ 'name' => html::quote($prop['name']),
'groups' => is_array($prop['groups']),
'readonly' => !$prop['writable'],
'hidden' => $prop['hidden'],
diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php
index 2743e7705..6138e2a30 100644
--- a/program/include/rcube_output_html.php
+++ b/program/include/rcube_output_html.php
@@ -527,7 +527,7 @@ class rcube_output_html extends rcube_output
{
$GLOBALS['__version'] = html::quote(RCMAIL_VERSION);
$GLOBALS['__comm_path'] = html::quote($this->app->comm_path);
- $GLOBALS['__skin_path'] = Q($this->config->get('skin_path'));
+ $GLOBALS['__skin_path'] = html::quote($this->config->get('skin_path'));
return preg_replace_callback('/\$(__[a-z0-9_\-]+)/',
array($this, 'globals_callback'), $input);
diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php
index b278431a6..2a4d4c482 100644
--- a/program/include/rcube_utils.php
+++ b/program/include/rcube_utils.php
@@ -250,9 +250,6 @@ class rcube_utils
$out = strtr($str, $encode_arr);
- // avoid douple quotation of &
- $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out);
-
return $newlines ? nl2br($out) : $out;
}
@@ -682,7 +679,7 @@ class rcube_utils
// %s - domain name after the '@' from e-mail address provided at login screen. Returns FALSE if an invalid email is provided
if (strpos($name, '%s') !== false) {
$user_email = self::get_input_value('_user', self::INPUT_POST);
- $user_email = rcube_utils::idn_convert($user_email, true);
+ $user_email = self::idn_convert($user_email, true);
$matches = preg_match('/(.*)@([a-z0-9\.\-\[\]\:]+)/i', $user_email, $s);
if ($matches < 1 || filter_var($s[1]."@".$s[2], FILTER_VALIDATE_EMAIL) === false) {
return false;
diff --git a/program/lib/html2text.php b/program/lib/html2text.php
index 28c5ae059..dd413e0d6 100644
--- a/program/lib/html2text.php
+++ b/program/lib/html2text.php
@@ -145,6 +145,7 @@ class html2text
var $search = array(
"/\r/", // Non-legal carriage return
"/[\n\t]+/", // Newlines and tabs
+ '/<head[^>]*>.*?<\/head>/i', // <head>
'/<script[^>]*>.*?<\/script>/i', // <script>s -- which strip_tags supposedly has problems with
'/<style[^>]*>.*?<\/style>/i', // <style>s -- which strip_tags supposedly has problems with
'/<p[^>]*>/i', // <P>
@@ -172,6 +173,7 @@ class html2text
var $replace = array(
'', // Non-legal carriage return
' ', // Newlines and tabs
+ '', // <head>
'', // <script>s -- which strip_tags supposedly has problems with
'', // <style>s -- which strip_tags supposedly has problems with
"\n\n", // <P>
diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 90069a7eb..b216a7c70 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -244,11 +244,12 @@ function rcmail_source_selector($attrib)
if (count($sources_list) < 2) {
$source = $sources_list[$SOURCE_ID];
$hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
- return html::span($attrib, Q($source['name']) . $hiddenfield->show());
+ return html::span($attrib, $source['name'] . $hiddenfield->show());
}
- $attrib['name'] = '_source';
- $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+ $attrib['name'] = '_source';
+ $attrib['is_escaped'] = true;
+ $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
$select = new html_select($attrib);
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 5f5fcc673..4ef4d1b51 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -178,7 +178,7 @@ function rcmail_set_sourcename($abook)
if (!$name && $source == 0) {
$name = rcube_label('personaladrbook');
}
- $OUTPUT->set_env('sourcename', $name);
+ $OUTPUT->set_env('sourcename', html_entity_decode($name, ENT_COMPAT, 'UTF-8'));
}
}
@@ -219,12 +219,13 @@ function rcmail_directory_list($attrib)
if ($source['class_name'])
$class_name .= ' ' . $source['class_name'];
+ $name = !empty($source['name']) ? $source['name'] : $id;
$out .= sprintf($line_templ,
html_identifier($id),
$class_name,
Q(rcmail_url(null, array('_source' => $id))),
$source['id'],
- $js_id, (!empty($source['name']) ? Q($source['name']) : Q($id)));
+ $js_id, $name);
$groupdata = array('out' => $out, 'jsdata' => $jsdata, 'source' => $id);
if ($source['groups'])
diff --git a/program/steps/addressbook/import.inc b/program/steps/addressbook/import.inc
index 15e04b82a..fb2251f18 100644
--- a/program/steps/addressbook/import.inc
+++ b/program/steps/addressbook/import.inc
@@ -43,7 +43,7 @@ function rcmail_import_form($attrib)
// addressbook selector
if (count($writable_books) > 1) {
- $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget'));
+ $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget', 'is_escaped' => true));
foreach ($writable_books as $book)
$select->add($book['name'], $book['id']);
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 59b4e3735..4f8da1350 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -667,7 +667,7 @@ function rcmail_user_prefs($current=null)
$select_abook = new html_select(array('name' => '_default_addressbook', 'id' => $field_id));
foreach ($books as $book) {
- $select_abook->add($book['name'], $book['id']);
+ $select_abook->add(html_entity_decode($book['name'], ENT_COMPAT, 'UTF-8'), $book['id']);
}
$blocks['main']['options']['default_addressbook'] = array(