summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
Diffstat (limited to 'program')
-rw-r--r--program/include/html.php23
-rw-r--r--program/include/rcmail.php2
-rw-r--r--program/include/rcube_output_html.php2
-rw-r--r--program/include/rcube_utils.php3
-rw-r--r--program/js/app.js6
-rw-r--r--program/steps/addressbook/edit.inc7
-rw-r--r--program/steps/addressbook/func.inc5
-rw-r--r--program/steps/addressbook/import.inc2
-rw-r--r--program/steps/settings/func.inc2
9 files changed, 21 insertions, 31 deletions
diff --git a/program/include/html.php b/program/include/html.php
index c6507f813..948794283 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -295,7 +295,7 @@ class html
}
}
else {
- $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
+ $attrib_arr[] = $key . '="' . self::quote($value) . '"';
}
}
@@ -328,22 +328,13 @@ class html
/**
* Replacing specials characters in html attribute value
*
- * @param string $str Input string
- * @param bool $validate Enables double quotation prevention
+ * @param string $str Input string
*
- * @return string The quoted string
+ * @return string The quoted string
*/
- public static function quote($str, $validate = false)
+ public static function quote($str)
{
- $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
-
- // avoid douple quotation of &
- // @TODO: get rid of it
- if ($validate) {
- $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
- }
-
- return $str;
+ return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
}
}
@@ -559,7 +550,7 @@ class html_textarea extends html
}
if (!empty($value) && empty($this->attrib['is_escaped'])) {
- $value = self::quote($value, true);
+ $value = self::quote($value);
}
return self::tag($this->tagname, $this->attrib, $value,
@@ -635,7 +626,7 @@ class html_select extends html
$option_content = $option['text'];
if (empty($this->attrib['is_escaped'])) {
- $option_content = self::quote($option_content, true);
+ $option_content = self::quote($option_content);
}
$this->content .= self::tag('option', $attr, $option_content);
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 5a9a1fa86..ee144faca 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -281,7 +281,7 @@ class rcmail extends rcube
}
$list[$id] = array(
'id' => $id,
- 'name' => $prop['name'],
+ 'name' => html::quote($prop['name']),
'groups' => is_array($prop['groups']),
'readonly' => !$prop['writable'],
'hidden' => $prop['hidden'],
diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php
index 2743e7705..6138e2a30 100644
--- a/program/include/rcube_output_html.php
+++ b/program/include/rcube_output_html.php
@@ -527,7 +527,7 @@ class rcube_output_html extends rcube_output
{
$GLOBALS['__version'] = html::quote(RCMAIL_VERSION);
$GLOBALS['__comm_path'] = html::quote($this->app->comm_path);
- $GLOBALS['__skin_path'] = Q($this->config->get('skin_path'));
+ $GLOBALS['__skin_path'] = html::quote($this->config->get('skin_path'));
return preg_replace_callback('/\$(__[a-z0-9_\-]+)/',
array($this, 'globals_callback'), $input);
diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php
index c8457b7dc..2a4d4c482 100644
--- a/program/include/rcube_utils.php
+++ b/program/include/rcube_utils.php
@@ -250,9 +250,6 @@ class rcube_utils
$out = strtr($str, $encode_arr);
- // avoid douple quotation of &
- $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out);
-
return $newlines ? nl2br($out) : $out;
}
diff --git a/program/js/app.js b/program/js/app.js
index 2182a2b88..cf942e291 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -208,7 +208,7 @@ function rcube_webmail()
this.gui_objects.messagelist.parentNode.onmousedown = function(e){ return p.click_on_list(e); };
this.message_list.init();
- this.enable_command('toggle_status', 'toggle_flag', 'menu-open', 'menu-save', true);
+ this.enable_command('toggle_status', 'toggle_flag', 'menu-open', 'menu-save', 'sort', true);
// load messages
this.command('list');
@@ -6114,7 +6114,7 @@ function rcube_webmail()
this.show_contentframe(false);
// disable commands useless when mailbox is empty
this.enable_command(this.env.message_commands, 'purge', 'expunge',
- 'select-all', 'select-none', 'sort', 'expand-all', 'expand-unread', 'collapse-all', false);
+ 'select-all', 'select-none', 'expand-all', 'expand-unread', 'collapse-all', false);
}
if (this.message_list)
this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:this.message_list.rowcount });
@@ -6127,7 +6127,7 @@ function rcube_webmail()
this.env.qsearch = null;
case 'list':
if (this.task == 'mail') {
- this.enable_command('show', 'expunge', 'select-all', 'select-none', 'sort', (this.env.messagecount > 0));
+ this.enable_command('show', 'expunge', 'select-all', 'select-none', (this.env.messagecount > 0));
this.enable_command('purge', this.purge_mailbox_test());
this.enable_command('expand-all', 'expand-unread', 'collapse-all', this.env.threading && this.env.messagecount);
diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 90069a7eb..b216a7c70 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -244,11 +244,12 @@ function rcmail_source_selector($attrib)
if (count($sources_list) < 2) {
$source = $sources_list[$SOURCE_ID];
$hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
- return html::span($attrib, Q($source['name']) . $hiddenfield->show());
+ return html::span($attrib, $source['name'] . $hiddenfield->show());
}
- $attrib['name'] = '_source';
- $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+ $attrib['name'] = '_source';
+ $attrib['is_escaped'] = true;
+ $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
$select = new html_select($attrib);
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 5f5fcc673..4ef4d1b51 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -178,7 +178,7 @@ function rcmail_set_sourcename($abook)
if (!$name && $source == 0) {
$name = rcube_label('personaladrbook');
}
- $OUTPUT->set_env('sourcename', $name);
+ $OUTPUT->set_env('sourcename', html_entity_decode($name, ENT_COMPAT, 'UTF-8'));
}
}
@@ -219,12 +219,13 @@ function rcmail_directory_list($attrib)
if ($source['class_name'])
$class_name .= ' ' . $source['class_name'];
+ $name = !empty($source['name']) ? $source['name'] : $id;
$out .= sprintf($line_templ,
html_identifier($id),
$class_name,
Q(rcmail_url(null, array('_source' => $id))),
$source['id'],
- $js_id, (!empty($source['name']) ? Q($source['name']) : Q($id)));
+ $js_id, $name);
$groupdata = array('out' => $out, 'jsdata' => $jsdata, 'source' => $id);
if ($source['groups'])
diff --git a/program/steps/addressbook/import.inc b/program/steps/addressbook/import.inc
index 15e04b82a..fb2251f18 100644
--- a/program/steps/addressbook/import.inc
+++ b/program/steps/addressbook/import.inc
@@ -43,7 +43,7 @@ function rcmail_import_form($attrib)
// addressbook selector
if (count($writable_books) > 1) {
- $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget'));
+ $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget', 'is_escaped' => true));
foreach ($writable_books as $book)
$select->add($book['name'], $book['id']);
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 59b4e3735..4f8da1350 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -667,7 +667,7 @@ function rcmail_user_prefs($current=null)
$select_abook = new html_select(array('name' => '_default_addressbook', 'id' => $field_id));
foreach ($books as $book) {
- $select_abook->add($book['name'], $book['id']);
+ $select_abook->add(html_entity_decode($book['name'], ENT_COMPAT, 'UTF-8'), $book['id']);
}
$blocks['main']['options']['default_addressbook'] = array(