From d66e50d6b50523f68109c46b074b36fb161da552 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Mon, 17 Sep 2012 15:01:34 +0200 Subject: Remove double-quotation prevention code for form elements --- program/include/html.php | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) (limited to 'program/include/html.php') diff --git a/program/include/html.php b/program/include/html.php index c6507f813..948794283 100644 --- a/program/include/html.php +++ b/program/include/html.php @@ -295,7 +295,7 @@ class html } } else { - $attrib_arr[] = $key . '="' . self::quote($value, true) . '"'; + $attrib_arr[] = $key . '="' . self::quote($value) . '"'; } } @@ -328,22 +328,13 @@ class html /** * Replacing specials characters in html attribute value * - * @param string $str Input string - * @param bool $validate Enables double quotation prevention + * @param string $str Input string * - * @return string The quoted string + * @return string The quoted string */ - public static function quote($str, $validate = false) + public static function quote($str) { - $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); - - // avoid douple quotation of & - // @TODO: get rid of it - if ($validate) { - $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str); - } - - return $str; + return htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET); } } @@ -559,7 +550,7 @@ class html_textarea extends html } if (!empty($value) && empty($this->attrib['is_escaped'])) { - $value = self::quote($value, true); + $value = self::quote($value); } return self::tag($this->tagname, $this->attrib, $value, @@ -635,7 +626,7 @@ class html_select extends html $option_content = $option['text']; if (empty($this->attrib['is_escaped'])) { - $option_content = self::quote($option_content, true); + $option_content = self::quote($option_content); } $this->content .= self::tag('option', $attr, $option_content); -- cgit v1.2.3