From 2bca6e1da0e46f93297a7f60ff449b6c6ebac239 Mon Sep 17 00:00:00 2001 From: thomascube Date: Wed, 20 Dec 2006 14:06:33 +0000 Subject: New (strict) quoting for all kind of strings --- program/include/main.inc | 82 ++++++++++++++++++++++++++-------------- program/include/rcube_shared.inc | 8 ++-- 2 files changed, 57 insertions(+), 33 deletions(-) (limited to 'program/include') diff --git a/program/include/main.inc b/program/include/main.inc index 10436cab2..1abd84aa8 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -734,7 +734,7 @@ function show_message($message, $type='notice', $vars=NULL) $framed = $GLOBALS['_framed']; $command = sprintf("display_message('%s', '%s');", - rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'), + JQ(rcube_label(array('name' => $message, 'vars' => $vars))), $type); if ($REMOTE_REQUEST) @@ -854,7 +854,7 @@ function rcube_add_label() $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');", $JS_OBJECT_NAME, $name, - rep_specialchars_output(rcube_label($name), 'js'))); + JQ(rcube_label($name)))); } @@ -897,8 +897,15 @@ function rcmail_message_cache_gc() } -// convert a string from one charset to another -// this function is not complete and not tested well +/** + * Convert a string from one charset to another. + * Uses mbstring and iconv functions if possible + * + * @param string Input string + * @param string Suspected charset of the input string + * @param string Target charset to convert to; defaults to $GLOBALS['CHARSET'] + * @return Converted string + */ function rcube_charset_convert($str, $from, $to=NULL) { global $MBSTRING; @@ -953,12 +960,19 @@ function rcube_charset_convert($str, $from, $to=NULL) } - -// replace specials characters to a specific encoding type +/** + * Replacing specials characters to a specific encoding type + * + * @param string Input string + * @param string Encoding type: text|html|xml|js|url + * @param string Replace mode for tags: show|replace|remove + * @param boolean Convert newlines + * @return The quoted string + */ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) { global $OUTPUT_TYPE, $OUTPUT; - static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table; + static $html_encode_arr, $js_rep_table, $xml_rep_table; if (!$enctype) $enctype = $GLOBALS['OUTPUT_TYPE']; @@ -1000,21 +1014,18 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) return $newlines ? nl2br($out) : $out; } - if ($enctype=='url') return rawurlencode($str); - - // if the replace tables for RTF, XML and JS are not yet defined + // if the replace tables for XML and JS are not yet defined if (!$js_rep_table) { - $js_rep_table = $rtf_rep_table = $xml_rep_table = array(); + $js_rep_tabl = $xml_rep_table = array(); $xml_rep_table['&'] = '&'; for ($c=160; $c<256; $c++) // can be increased to support more charsets { $hex = dechex($c); - $rtf_rep_table[Chr($c)] = "\\'$hex"; $xml_rep_table[Chr($c)] = "&#$c;"; if ($OUTPUT->get_charset()=='ISO-8859-1') @@ -1025,7 +1036,7 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) $xml_rep_table['"'] = '"'; } - // encode for RTF + // encode for XML if ($enctype=='xml') return strtr($str, $xml_rep_table); @@ -1038,14 +1049,28 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table))); } - // encode for RTF - if ($enctype=='rtf') - return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table)); - // no encoding given -> return original string return $str; } +/** + * Quote a given string. Alias function for rep_specialchars_output + * @see rep_specialchars_output + */ +function Q($str, $mode='strict', $newlines=TRUE) + { + return rep_specialchars_output($str, 'html', $mode, $newlines); + } + +/** + * Quote a given string. Alias function for rep_specialchars_output + * @see rep_specialchars_output + */ +function JQ($str, $mode='strict', $newlines=TRUE) + { + return rep_specialchars_output($str, 'js', $mode, $newlines); + } + /** * Read input value and convert it for internal use @@ -1248,7 +1273,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) // show a label case 'label': if ($attrib['name'] || $attrib['command']) - return rep_specialchars_output(rcube_label($attrib)); + return Q(rcube_label($attrib)); break; // create a menu item @@ -1331,7 +1356,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) else if ($object=='productname') { $name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail'; - return rep_specialchars_output($name, 'html', 'all'); + return Q($name); } else if ($object=='version') { @@ -1353,7 +1378,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array()) else $title .= ucfirst($task); - return rep_specialchars_output($title, 'html', 'all'); + return Q($title); } break; @@ -1419,12 +1444,12 @@ function rcube_button($attrib) // get localized text for labels and titles if ($attrib['title']) - $attrib['title'] = rep_specialchars_output(rcube_label($attrib['title'])); + $attrib['title'] = Q(rcube_label($attrib['title'])); if ($attrib['label']) - $attrib['label'] = rep_specialchars_output(rcube_label($attrib['label'])); + $attrib['label'] = Q(rcube_label($attrib['label'])); if ($attrib['alt']) - $attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt'])); + $attrib['alt'] = Q(rcube_label($attrib['alt'])); // set title to alt attribute for IE browsers if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt']) @@ -1537,12 +1562,11 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) $table .= "\n"; foreach ($a_show_cols as $col) - $table .= '' . rep_specialchars_output(rcube_label($col)) . "\n"; + $table .= '' . Q(rcube_label($col)) . "\n"; $table .= "\n\n"; $c = 0; - if (!is_array($table_data)) { while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data))) @@ -1554,8 +1578,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) // format each col foreach ($a_show_cols as $col) { - $cont = rep_specialchars_output($sql_arr[$col]); - $table .= '' . $cont . "\n"; + $cont = Q($sql_arr[$col]); + $table .= '' . $cont . "\n"; } $table .= "\n"; @@ -1573,8 +1597,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) // format each col foreach ($a_show_cols as $col) { - $cont = rep_specialchars_output($row_data[$col]); - $table .= '' . $cont . "\n"; + $cont = Q($row_data[$col]); + $table .= '' . $cont . "\n"; } $table .= "\n"; diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index 2ac3f3c41..4200a914a 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -133,7 +133,7 @@ class rcube_html_page $this->title = 'RoundCube Mail'; // replace specialchars in content - $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE); + $__page_title = Q($this->title, 'show', FALSE); $__page_header = $__page_body = $__page_footer = ''; @@ -725,7 +725,7 @@ class base_form_element // encode textarea content if ($key=='value') - $value = rep_specialchars_output($value, 'html', 'replace', FALSE); + $value = Q($value, 'strict', FALSE); // attributes with no value if (in_array($key, array('checked', 'multiple', 'disabled', 'selected'))) @@ -879,7 +879,7 @@ class textarea extends base_form_element unset($this->attrib['value']); if (strlen($value) && !isset($this->attrib['mce_editable'])) - $value = rep_specialchars_output($value, 'html', 'replace', FALSE); + $value = Q($value, 'strict', FALSE); // return final tag return sprintf('<%s%s>%s%s', @@ -1019,7 +1019,7 @@ class select extends base_form_element $this->_conv_case('option', 'tag'), strlen($option['value']) ? sprintf($value_str, $option['value']) : '', $selected, - rep_specialchars_output($option['text'], 'html', 'replace', FALSE), + Q($option['text'], 'strict', FALSE), $this->_conv_case('option', 'tag')); } -- cgit v1.2.3