Diffstat (limited to 'program')
-rw-r--r-- | program/include/html.php | 23 | ||||
-rw-r--r-- | program/include/rcmail.php | 2 | ||||
-rw-r--r-- | program/include/rcube_output_html.php | 2 | ||||
-rw-r--r-- | program/include/rcube_utils.php | 3 | ||||
-rw-r--r-- | program/js/app.js | 6 | ||||
-rw-r--r-- | program/steps/addressbook/edit.inc | 7 | ||||
-rw-r--r-- | program/steps/addressbook/func.inc | 5 | ||||
-rw-r--r-- | program/steps/addressbook/import.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/func.inc | 2 |
9 files changed, 21 insertions, 31 deletions
diff --git a/program/include/html.php b/program/include/html.php index c6507f813..948794283 100644 --- a/program/include/html.php +++ b/program/include/html.php @@ -295,7 +295,7 @@ class html } } else { - $attrib_arr[] = $key . '="' . self::quote($value, true) . '"'; + $attrib_arr[] = $key . '="' . self::quote($value) . '"'; } } @@ -328,22 +328,13 @@ class html /** * Replacing specials characters in html attribute value * - * @param string $str Input string - * @param bool $validate Enables double quotation prevention + * @param string $str Input string * - * @return string The quoted string + * @return string The quoted string */ - public static function quote($str, $validate = false) + public static function quote($str) { - $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); - - // avoid douple quotation of & - // @TODO: get rid of it - if ($validate) { - $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str); - } - - return $str; + return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); } } @@ -559,7 +550,7 @@ class html_textarea extends html } if (!empty($value) && empty($this->attrib['is_escaped'])) { - $value = self::quote($value, true); + $value = self::quote($value); } return self::tag($this->tagname, $this->attrib, $value, @@ -635,7 +626,7 @@ class html_select extends html $option_content = $option['text']; if (empty($this->attrib['is_escaped'])) { - $option_content = self::quote($option_content, true); + $option_content = self::quote($option_content); } $this->content .= self::tag('option', $attr, $option_content); diff --git a/program/include/rcmail.php b/program/include/rcmail.php index 5a9a1fa86..ee144faca 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -281,7 +281,7 @@ class rcmail extends rcube } $list[$id] = array( 'id' => $id, - 'name' => $prop['name'], + 'name' => html::quote($prop['name']), 'groups' => is_array($prop['groups']), 'readonly' => !$prop['writable'], 'hidden' => $prop['hidden'], 
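Review bot: The docblock of `quote()` in the second html.php hunk should state that `$str` must be raw, unescaped text, because dropping the `$validate` branch means an already-encoded input is now encoded again (`&amp;` becomes `&amp;amp;`); the same now applies to `rep_specialchars_output` in the rcube_utils.php hunk, whose docblock lies outside that hunk. A suitable line for the docblock is ` * @param string $str Input string (raw text; callers must not pre-escape, entities are encoded again)`. It is also worth recording that `ENT_COMPAT` leaves single quotes untouched, which is only safe because `attrib_string` in the first hunk always wraps values in double quotes — a comment such as `// ENT_COMPAT encodes only ", so attribute values must always be double-quoted (see attrib_string)` keeps that coupling visible.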
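Review bot: `get_address_sources()` now returns an HTML-escaped string under the `'name'` key, but nothing in the rcmail.php hunk marks that, and every consumer that uses the name outside HTML (the `set_env` call in addressbook/func.inc and the `html_select::add` in settings/func.inc) has to know to decode it. Add a comment on the changed line, e.g. `'name' => html::quote($prop['name']), // HTML-escaped: decode with html_entity_decode() before use outside markup`, and ideally state it in the method docblock, which is outside this hunk. Decoding is not a true inverse: a source whose configured name literally contains `&amp;` would come back altered, which is presumably acceptable here but worth stating. The enclosing method starts and ends outside the hunk.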
diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php index 2743e7705..6138e2a30 100644 --- a/program/include/rcube_output_html.php +++ b/program/include/rcube_output_html.php @@ -527,7 +527,7 @@ class rcube_output_html extends rcube_output { $GLOBALS['__version'] = html::quote(RCMAIL_VERSION); $GLOBALS['__comm_path'] = html::quote($this->app->comm_path); - $GLOBALS['__skin_path'] = Q($this->config->get('skin_path')); + $GLOBALS['__skin_path'] = html::quote($this->config->get('skin_path')); return preg_replace_callback('/\$(__[a-z0-9_\-]+)/', array($this, 'globals_callback'), $input); diff --git a/program/include/rcube_utils.php b/program/include/rcube_utils.php index c8457b7dc..2a4d4c482 100644 --- a/program/include/rcube_utils.php +++ b/program/include/rcube_utils.php @@ -250,9 +250,6 @@ class rcube_utils $out = strtr($str, $encode_arr); - // avoid douple quotation of & - $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out); - return $newlines ? nl2br($out) : $out; } diff --git a/program/js/app.js b/program/js/app.js index 2182a2b88..cf942e291 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -208,7 +208,7 @@ function rcube_webmail() this.gui_objects.messagelist.parentNode.onmousedown = function(e){ return p.click_on_list(e); }; this.message_list.init(); - this.enable_command('toggle_status', 'toggle_flag', 'menu-open', 'menu-save', true); + this.enable_command('toggle_status', 'toggle_flag', 'menu-open', 'menu-save', 'sort', true); // load messages this.command('list'); 
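Review bot: With `'sort'` moved into the unconditional `enable_command(...)` at list initialisation in the first app.js hunk and removed from the two count-based calls in the later app.js hunks, the command is now available on an empty folder; that looks intended (changing the sort column is a preference, not an operation on rows), but the intent is not recorded. A short comment on the changed line, e.g. `// 'sort' stays enabled regardless of message count: it only changes list order`, would stop a later change from re-adding it to the count-dependent list. The initialisation code and the functions of both later hunks extend beyond the hunks shown.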
@@ -6114,7 +6114,7 @@ function rcube_webmail() this.show_contentframe(false); // disable commands useless when mailbox is empty this.enable_command(this.env.message_commands, 'purge', 'expunge', - 'select-all', 'select-none', 'sort', 'expand-all', 'expand-unread', 'collapse-all', false); + 'select-all', 'select-none', 'expand-all', 'expand-unread', 'collapse-all', false); } if (this.message_list) this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:this.message_list.rowcount }); @@ -6127,7 +6127,7 @@ function rcube_webmail() this.env.qsearch = null; case 'list': if (this.task == 'mail') { - this.enable_command('show', 'expunge', 'select-all', 'select-none', 'sort', (this.env.messagecount > 0)); + this.enable_command('show', 'expunge', 'select-all', 'select-none', (this.env.messagecount > 0)); this.enable_command('purge', this.purge_mailbox_test()); this.enable_command('expand-all', 'expand-unread', 'collapse-all', this.env.threading && this.env.messagecount); diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc index 90069a7eb..b216a7c70 100644 --- a/program/steps/addressbook/edit.inc +++ b/program/steps/addressbook/edit.inc @@ -244,11 +244,12 @@ function rcmail_source_selector($attrib) if (count($sources_list) < 2) { $source = $sources_list[$SOURCE_ID]; $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID)); - return html::span($attrib, Q($source['name']) . $hiddenfield->show()); + return html::span($attrib, $source['name'] . $hiddenfield->show()); } - $attrib['name'] = '_source'; - $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)"; + $attrib['name'] = '_source'; + $attrib['is_escaped'] = true; + $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)"; $select = new html_select($attrib); diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 5f5fcc673..4ef4d1b51 100644 
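Review bot: In the edit.inc hunk, `html::span($attrib, $source['name'] . ...)` and the `'is_escaped' => true` select both rely on `$source['name']` having been escaped upstream by `rcmail::get_address_sources()`, and that invariant is invisible at this call site; the import.inc hunk has the same dependency for `$writable_books`, which I assume comes from the same method. Record it where the flag is set, e.g. `$attrib['is_escaped'] = true; // source names are already HTML-escaped by get_address_sources()`. Because `is_escaped` applies to every option of the select, any option added later from an unescaped value would reach the page unencoded, so the flag should stay next to the code that fills the select. `rcmail_source_selector` continues beyond the hunk.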
--- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -178,7 +178,7 @@ function rcmail_set_sourcename($abook) if (!$name && $source == 0) { $name = rcube_label('personaladrbook'); } - $OUTPUT->set_env('sourcename', $name); + $OUTPUT->set_env('sourcename', html_entity_decode($name, ENT_COMPAT, 'UTF-8')); } } @@ -219,12 +219,13 @@ function rcmail_directory_list($attrib) if ($source['class_name']) $class_name .= ' ' . $source['class_name']; + $name = !empty($source['name']) ? $source['name'] : $id; $out .= sprintf($line_templ, html_identifier($id), $class_name, Q(rcmail_url(null, array('_source' => $id))), $source['id'], - $js_id, (!empty($source['name']) ? Q($source['name']) : Q($id))); + $js_id, $name); $groupdata = array('out' => $out, 'jsdata' => $jsdata, 'source' => $id); if ($source['groups']) diff --git a/program/steps/addressbook/import.inc b/program/steps/addressbook/import.inc index 15e04b82a..fb2251f18 100644 --- a/program/steps/addressbook/import.inc +++ b/program/steps/addressbook/import.inc @@ -43,7 +43,7 @@ function rcmail_import_form($attrib) // addressbook selector if (count($writable_books) > 1) { - $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget')); + $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget', 'is_escaped' => true)); foreach ($writable_books as $book) $select->add($book['name'], $book['id']); diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index 59b4e3735..4f8da1350 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc 
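Review bot: In the second addressbook/func.inc hunk the fallback `$name = ... : $id;` loses the `Q()` that the removed line applied to `$id`, so an address-source id is now written raw into `$line_templ` while the name branch is escaped upstream; source ids come from configuration rather than request data as far as this hunk shows, but the two branches should be treated alike. `$name = !empty($source['name']) ? $source['name'] : html::quote($id);` restores that, with a comment that `$source['name']` is already escaped by `get_address_sources()`. In the first hunk, `html_entity_decode($name, ENT_COMPAT, 'UTF-8')` hard-codes the charset while `html::quote` encodes with `RCMAIL_CHARSET`; using `RCMAIL_CHARSET` there (and in the settings/func.inc hunk) keeps encode and decode symmetric. `rcmail_directory_list` and `rcmail_set_sourcename` continue beyond their hunks.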
@@ -667,7 +667,7 @@ function rcmail_user_prefs($current=null) $select_abook = new html_select(array('name' => '_default_addressbook', 'id' => $field_id)); foreach ($books as $book) { - $select_abook->add($book['name'], $book['id']); + $select_abook->add(html_entity_decode($book['name'], ENT_COMPAT, 'UTF-8'), $book['id']); } $blocks['main']['options']['default_addressbook'] = array( |
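Review bot: This select decodes the escaped name with `html_entity_decode` only for `html_select::add()` to encode it again, while the two addressbook selects in this commit take the opposite route and set `'is_escaped' => true`; picking one convention avoids a decode/encode round trip that is not guaranteed to be an exact inverse. If decoding is kept, a comment such as `// names from get_address_sources() are HTML-escaped; decode, add() re-encodes` explains the otherwise puzzling call. `rcmail_user_prefs` starts and ends outside the hunk.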