Diffstat (limited to 'program')
-rw-r--r-- | program/include/html.php | 24 | ||||
-rw-r--r-- | program/include/rcmail.php | 9 | ||||
-rw-r--r-- | program/steps/mail/compose.inc | 1 | ||||
-rw-r--r-- | program/steps/settings/edit_identity.inc | 3 |
4 files changed, 24 insertions, 13 deletions
diff --git a/program/include/html.php b/program/include/html.php
index 305a39781..c76eb746b 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -298,7 +298,7 @@ class html
 }
 }
 else {
- $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
 }
 }
@@ -331,17 +331,20 @@ class html
 /**
 * Replacing specials characters in html attribute value
 *
- * @param string $str Input string
+ * @param string $str Input string
+ * @param bool $validate Enables double quotation prevention
 *
 * @return string The quoted string
 */
- public static function quote($str)
+ public static function quote($str, $validate = false)
 {
 $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
 // avoid douple quotation of &
- // @TODO: get rid of it?
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ // @TODO: get rid of it
+ if ($validate) {
+ $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+ }
 return $str;
 }
@@ -558,8 +561,8 @@ class html_textarea extends html
 unset($this->attrib['value']);
 }
- if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
- $value = self::quote($value);
+ if (!empty($value) && empty($this->attrib['is_escaped'])) {
+ $value = self::quote($value, true);
 }
 return self::tag($this->tagname, $this->attrib, $value,
@@ -633,7 +636,12 @@ class html_select extends html
 'selected' => (in_array($option['value'], $select, true) || in_array($option['text'], $select, true)) ? 1 : null);
- $this->content .= self::tag('option', $attr, self::quote($option['text']));
+ $option_content = $option['text'];
+ if (empty($this->attrib['is_escaped'])) {
+ $option_content = self::quote($option_content, true);
+ }
+
+ $this->content .= self::tag('option', $attr, $option_content);
 }
 return parent::show();
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index e684a15bb..ee98a3678 100644
--- a/program/include/rcmail.php
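Review bot: `$validate` does not validate anything: when it is set, the `preg_replace` that follows `htmlspecialchars()` turns an entity that was just encoded back into a single entity, so a literal `&lt;` in the input renders as `<` and cannot be told apart from it after a textarea or option round trip. The docblock should say that instead of "Enables double quotation prevention", e.g. `@param bool $validate Collapse entities that were already encoded in the input (lossy: a literal &lt; ends up as <)`. As printed here the pattern `/&([A-Za-z]{2,6}|#[0-9]{2,4});/` would replace each match with itself; presumably the page decoded an `&amp;` inside the pattern, so that looks like a display artefact rather than a defect in the hunk. `ENT_COMPAT` leaves single quotes unencoded, which makes the output safe for double-quoted attributes and element text only; that deserves a sentence in the docblock now that rcmail.php calls `html::quote()` directly.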
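Review bot: Replacing the `mce_editor` class test with `empty($this->attrib['is_escaped'])` means any textarea that still signals pre-encoded content only through its class is now encoded a second time; the commit updates compose.inc and edit_identity.inc, but every other `mce_editor` textarea, plugins included, needs the same `is_escaped` key. `is_escaped` is also still present in `$this->attrib` when `self::tag()` renders the element, here and in the html_select hunk below; unless the element's allowed-attribute list filters it out, it would be emitted as an HTML attribute, so an `unset($this->attrib['is_escaped']);` before the `self::tag()` call would be safer. html_textarea::show() starts before this hunk.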
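Review bot: The `is_escaped` flag is per select, not per option, so once a caller sets it every string later passed to `add()` reaches the markup unencoded; the rcmail.php hunks quote the three option texts they add, but nothing in html_select enforces that, and a folder name or plugin-supplied label that skips `html::quote()` would land verbatim inside the `<option>`. A per-option marker, e.g. `add($text, $value, $is_escaped = false)` storing the flag next to `'text'` and checked in this loop, keeps the default-safe behaviour for callers that do not opt out. The `foreach` enclosing these lines starts before the hunk.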
+++ b/program/include/rcmail.php
@@ -1329,11 +1329,12 @@ class rcmail extends rcube
 $attrib = $hook['attribs'];
 if ($type == 'select') {
+ $attrib['is_escaped'] = true;
 $select = new html_select($attrib);
 // add no-selection option
 if ($attrib['noselection']) {
- $select->add($rcmail->gettext($attrib['noselection']), '');
+ $select->add(html::quote($rcmail->gettext($attrib['noselection'])), '');
 }
 $rcmail->render_folder_tree_select($a_mailboxes, $mbox_name, $attrib['maxlength'], $select, $attrib['realnames']);
@@ -1362,7 +1363,7 @@ class rcmail extends rcube
 */
 public function folder_selector($p = array())
 {
- $p += array('maxlength' => 100, 'realnames' => false);
+ $p += array('maxlength' => 100, 'realnames' => false, 'is_escaped' => true);
 $a_mailboxes = array();
 $storage = $this->get_storage();
@@ -1388,7 +1389,7 @@ class rcmail extends rcube
 $select = new html_select($p);
 if ($p['noselection']) {
- $select->add($p['noselection'], '');
+ $select->add(html::quote($p['noselection']), '');
 }
 $this->render_folder_tree_select($a_mailboxes, $mbox, $p['maxlength'], $select, $p['realnames'], 0, $p);
@@ -1579,7 +1580,7 @@ class rcmail extends rcube
 }
 }
- $select->add(str_repeat(' ', $nestLevel*4) . $foldername, $folder['id']);
+ $select->add(str_repeat(' ', $nestLevel*4) . html::quote($foldername), $folder['id']);
 if (!empty($folder['folders'])) {
 $out .= $this->render_folder_tree_select($folder['folders'], $mbox_name, $maxlength,
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 47d97faad..374a87649 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -772,6 +772,7 @@ function rcmail_compose_body($attrib)
 if ($isHtml) {
 $MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
 $attrib['class'] = 'mce_editor';
+ $attrib['is_escaped'] = true;
 $textarea = new html_textarea($attrib);
 $out .= $textarea->show($MESSAGE_BODY);
 }
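Review bot: `$p += array(..., 'is_escaped' => true)` only supplies a default, so a caller passing `'is_escaped' => false` would have its options encoded by html_select on top of the `html::quote()` calls that folder_selector() and render_folder_tree_select() (the `@@ -1579` hunk) now apply unconditionally; the flag should be forced, `$p['is_escaped'] = true;`, rather than defaulted. The `@@ -1579` hunk has the mirror-image problem: render_folder_tree_select() quotes `$foldername` regardless of whether the `$select` it was given was created with `is_escaped`, so any other caller handing it a select without the flag now gets double-encoded folder names; a comment on that line naming the contract, `// option text is pre-quoted: the receiving select must be created with is_escaped`, would at least make the coupling visible. folder_selector() continues outside the hunk.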
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index c3ac4688f..2a2616540 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -88,7 +88,8 @@ function rcube_identity_form($attrib)
 // Enable TinyMCE editor
 if ($IDENTITY_RECORD['html_signature']) {
- $form['signature']['content']['signature']['class'] = 'mce_editor';
+ $form['signature']['content']['signature']['class'] = 'mce_editor';
+ $form['signature']['content']['signature']['is_escaped'] = true;
 }
 $IDENTITY_RECORD['signature'] = htmlentities($IDENTITY_RECORD['signature'], ENT_NOQUOTES, RCMAIL_CHARSET);
 |
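Review bot: `is_escaped` is set only in the html_signature branch, yet the `htmlentities()` on the last context line encodes the signature in both branches, so a plain-text signature presumably reaches html_textarea::show() already encoded and is encoded again by `quote($value, true)`, relying on that function's `&amp;` collapse to undo it (which also turns a literal `&lt;` typed by the user into `<`). Setting the flag unconditionally, i.e. moving `$form['signature']['content']['signature']['is_escaped'] = true;` out of the `if` block to sit next to the `htmlentities()` call, makes the single encoding explicit for both branches and removes the dependency on the lossy collapse. rcube_identity_form() continues outside the hunk.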