Diffstat (limited to 'program')
-rw-r--r--program/include/html.php24
-rw-r--r--program/include/rcmail.php9
-rw-r--r--program/steps/mail/compose.inc1
-rw-r--r--program/steps/settings/edit_identity.inc3
4 files changed, 24 insertions, 13 deletions
diff --git a/program/include/html.php b/program/include/html.php
index 305a39781..c76eb746b 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -298,7 +298,7 @@ class html
}
}
else {
- $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
}
}
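Review bot: Passing `true` on the attribute-building line sends every attribute value through quote()'s entity-preserving path, so a value that already contains `&lt;`, `&quot;` or `&#NN;` keeps it as a live reference instead of being encoded as literal text. Inside a quoted attribute that cannot break out of the quotes, but browsers decode references before interpreting URL-valued attributes, so a `&#58;` in untrusted input that reached an `href`/`src` via tag() would come back as `:`; whether untrusted data reaches such attributes is not visible here. If the intent is only to tolerate pre-encoded UI strings, a strict `self::quote($value)` for attributes with targeted opt-in where a caller is known to pass pre-encoded data would be the safer shape; at minimum record the trade-off with `// validate=true keeps existing entity references; lossy for raw untrusted text`. The enclosing method starts and ends outside this hunk.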
@@ -331,17 +331,20 @@ class html
/**
* Replacing specials characters in html attribute value
*
- * @param string $str Input string
+ * @param string $str Input string
+ * @param bool $validate Enables double quotation prevention
*
* @return string The quoted string
*/
- public static function quote($str)
+ public static function quote($str, $validate = false)
{
$str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
// avoid douple quotation of &
- // @TODO: get rid of it?
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ // @TODO: get rid of it
+ if ($validate) {
+ $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ }
return $str;
}
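Review bot: The docblock line `@param bool $validate Enables double quotation prevention` does not say what the flag does, and "validate" is a misnomer: nothing is checked; entity references already present in the input are un-doubled after htmlspecialchars(), so `quote('&lt;', true)` yields `&lt;` and renders as `<`, while `quote('&lt;')` renders literally. Suggest `@param bool $validate Keep entity references already present in $str instead of re-encoding them (lossy for raw untrusted text - leave false unless $str is known to be pre-encoded)`. As printed the pattern and the replacement are identical, which would make the branch a no-op; presumably the pattern matches `&amp;…;` and the page rendering decoded the entity, which is worth verifying against the source. The pattern also only recognises named references of 2–6 letters and decimal references of 2–4 digits, so `&#x3C;` or `&#9;` are still double-encoded, an inconsistency that argues for honouring the TODO rather than extending the regex. All three call sites in this commit pass `true`, so the strict default is currently unused inside html.php.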
@@ -558,8 +561,8 @@ class html_textarea extends html
unset($this->attrib['value']);
}
- if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
- $value = self::quote($value);
+ if (!empty($value) && empty($this->attrib['is_escaped'])) {
+ $value = self::quote($value, true);
}
return self::tag($this->tagname, $this->attrib, $value,
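Review bot: `is_escaped` is read from `$this->attrib` on the changed condition, but the same array is passed to `self::tag()` on the hunk's last line, so unless tag() filters attributes against a per-element allow-list (not visible here) the flag is emitted into the markup as `is_escaped="1"`; confirm, or drop it from a local copy of the array before the call. Replacing the `mce_editor` class check also changes behaviour for any caller outside this commit (plugins, other steps) that pre-encodes a TinyMCE body but does not set `is_escaped`: it is now encoded twice instead of passed through, so a grep for `mce_editor` across the tree is worth doing before merge. A comment at the condition would state the trust boundary: `// is_escaped: caller asserts $value is already HTML-encoded; nothing here verifies it`. show() begins before this hunk and the tag() call continues past it.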
@@ -633,7 +636,12 @@ class html_select extends html
'selected' => (in_array($option['value'], $select, true) ||
in_array($option['text'], $select, true)) ? 1 : null);
- $this->content .= self::tag('option', $attr, self::quote($option['text']));
+ $option_content = $option['text'];
+ if (empty($this->attrib['is_escaped'])) {
+ $option_content = self::quote($option_content, true);
+ }
+
+ $this->content .= self::tag('option', $attr, $option_content);
}
return parent::show();
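Review bot: With `is_escaped` set the option text is emitted verbatim, but the `selected` test two lines above still compares `$option['text']` against `$select` with strict equality, so a caller that selects by text will no longer match an option whose name contains `&`, `<`, `>` or `"` once that text is pre-encoded. The folder selects in this commit select by `$folder['id']`, so this likely only bites other users of the flag, but the contract belongs on the class: `// is_escaped: option text is emitted as-is; add() callers must html::quote() it and select by value, not by text`. The foreach this hunk sits in starts before it.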
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e684a15bb..ee98a3678 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1329,11 +1329,12 @@ class rcmail extends rcube
$attrib = $hook['attribs'];
if ($type == 'select') {
+ $attrib['is_escaped'] = true;
$select = new html_select($attrib);
// add no-selection option
if ($attrib['noselection']) {
- $select->add($rcmail->gettext($attrib['noselection']), '');
+ $select->add(html::quote($rcmail->gettext($attrib['noselection'])), '');
}
$rcmail->render_folder_tree_select($a_mailboxes, $mbox_name, $attrib['maxlength'], $select, $attrib['realnames']);
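Review bot: `$attrib['is_escaped'] = true` is assigned after `$hook['attribs']` is read, which is the right order — a plugin cannot use the hook to mark content as pre-escaped and bypass html::quote() — but nothing says so, and a later refactor that moves the assignment above the hook would silently widen the trust. Suggest `// set after the hook so plugins cannot declare the content pre-escaped; every add() on this select must html::quote() its text` at the assignment. The `noselection` label is now encoded the same way as the folder names, which keeps the select consistent; the enclosing function begins and ends outside this hunk.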
@@ -1362,7 +1363,7 @@ class rcmail extends rcube
*/
public function folder_selector($p = array())
{
- $p += array('maxlength' => 100, 'realnames' => false);
+ $p += array('maxlength' => 100, 'realnames' => false, 'is_escaped' => true);
$a_mailboxes = array();
$storage = $this->get_storage();
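Review bot: `$p += array(..., 'is_escaped' => true)` only defaults the flag: `+=` keeps a caller-supplied key, so a caller passing `'is_escaped' => false` gets labels that this method has already run through `html::quote()` encoded a second time. Since the method always pre-encodes, the flag is an invariant rather than an option and should be forced with `$p['is_escaped'] = true;` after the `+=` line. folder_selector() continues past the end of the hunk.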
@@ -1388,7 +1389,7 @@ class rcmail extends rcube
$select = new html_select($p);
if ($p['noselection']) {
- $select->add($p['noselection'], '');
+ $select->add(html::quote($p['noselection']), '');
}
$this->render_folder_tree_select($a_mailboxes, $mbox, $p['maxlength'], $select, $p['realnames'], 0, $p);
@@ -1579,7 +1580,7 @@ class rcmail extends rcube
}
}
- $select->add(str_repeat(' ', $nestLevel*4) . $foldername, $folder['id']);
+ $select->add(str_repeat(' ', $nestLevel*4) . html::quote($foldername), $folder['id']);
if (!empty($folder['folders'])) {
$out .= $this->render_folder_tree_select($folder['folders'], $mbox_name, $maxlength,
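Review bot: `html::quote($foldername)` on the `add()` line is only correct because the `$select` handed in was created with `is_escaped`; the method accepts any `html_select`, so a caller passing one without the flag gets folder names encoded twice. The indentation prefix concatenated on the same line is not quoted — if it is `&nbsp;` entities (this page renders it as plain spaces) that is precisely why the select cannot do its own escaping, and the line deserves `// $select must carry is_escaped: the indent is pre-encoded and the name is quoted here`. Stating the requirement on the `$select` parameter in the method's docblock, which lies outside this hunk, would make the contract visible to callers; the method also continues past the hunk.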
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 47d97faad..374a87649 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -772,6 +772,7 @@ function rcmail_compose_body($attrib)
if ($isHtml) {
$MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
$attrib['class'] = 'mce_editor';
+ $attrib['is_escaped'] = true;
$textarea = new html_textarea($attrib);
$out .= $textarea->show($MESSAGE_BODY);
}
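Review bot: `htmlentities()` on the line above the new flag returns an empty string when `$MESSAGE_BODY` holds a byte sequence that is invalid in `RCMAIL_CHARSET` unless `ENT_IGNORE` or `ENT_SUBSTITUTE` (PHP 5.4+) is set, so a reply to a badly encoded message would open an empty editor while `is_escaped` still tells the textarea to trust the value. Where the supported PHP baseline allows, `ENT_NOQUOTES | ENT_SUBSTITUTE` avoids the silent blank; `ENT_NOQUOTES` itself is fine because the value lands in element content rather than an attribute. A comment tying the two lines together would help: `// body is entity-encoded above; tell html_textarea not to escape it again`. rcmail_compose_body() continues outside the hunk.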
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index c3ac4688f..2a2616540 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -88,7 +88,8 @@ function rcube_identity_form($attrib)
// Enable TinyMCE editor
if ($IDENTITY_RECORD['html_signature']) {
- $form['signature']['content']['signature']['class'] = 'mce_editor';
+ $form['signature']['content']['signature']['class'] = 'mce_editor';
+ $form['signature']['content']['signature']['is_escaped'] = true;
}
$IDENTITY_RECORD['signature'] = htmlentities($IDENTITY_RECORD['signature'], ENT_NOQUOTES, RCMAIL_CHARSET);
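Review bot: `is_escaped` is set only inside the `html_signature` branch, but the `htmlentities()` call on the hunk's last line runs unconditionally, so a plain-text signature is entity-encoded here and then encoded again by html_textarea; the output only looks right because html::quote() un-doubles `&amp;` with the regex marked `@TODO: get rid of it`, and would break if that hack were removed. Since the value is always pre-encoded, the flag should be unconditional too: move `$form['signature']['content']['signature']['is_escaped'] = true;` out of the `if` to sit directly above the `htmlentities()` line, leaving only the `mce_editor` class in the branch. `ENT_NOQUOTES` is adequate because the value lands in textarea content, not an attribute; rcube_identity_form() continues outside the hunk.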