From ea7c46b4f37691702b8e78dea34c3e9a3afb232d Mon Sep 17 00:00:00 2001
From: thomascube
Date: Fri, 3 Mar 2006 16:34:35 +0000
Subject: Improved reading of POST and GET values
---
 program/steps/settings/manage_folders.inc | 16 ++++++++--------
 program/steps/settings/save_identity.inc | 5 +++--
 2 files changed, 11 insertions(+), 10 deletions(-)
(limited to 'program/steps/settings')
diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc
index 6f49018e7..86b9bb7fe 100644
--- a/program/steps/settings/manage_folders.inc
+++ b/program/steps/settings/manage_folders.inc
@@ -29,7 +29,7 @@ if ($_action=='subscribe')
 if (strlen($_GET['_mboxes']))
 $IMAP->subscribe(array($_GET['_mboxes']));
- if ($_GET['_remote'])
+ if ($REMOTE_REQUEST)
 rcube_remote_response('// subscribed');
 }
@@ -39,22 +39,22 @@ else if ($_action=='unsubscribe')
 if (strlen($_GET['_mboxes']))
 $IMAP->unsubscribe(array($_GET['_mboxes']));
- if ($_GET['_remote'])
+ if ($REMOTE_REQUEST)
 rcube_remote_response('// unsubscribed');
 }
 // create a new mailbox
 else if ($_action=='create-folder')
 {
- if (strlen($_GET['_name']))
- $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE);
+ if (!empty($_GET['_name']))
+ $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE);
- if ($create && $_GET['_remote'])
+ if ($create && $REMOTE_REQUEST)
 {
 $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js'));
 rcube_remote_response($commands);
 }
- else if (!$create && $_GET['_remote'])
+ else if (!$create && $REMOTE_REQUEST)
 {
 $commands = show_message('errorsaving', 'error');
 rcube_remote_response($commands);
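Review bot: `_mboxes` is still read straight from `$_GET` in the subscribe branch of this hunk (`$IMAP->subscribe(array($_GET['_mboxes']))`), and the same direct read remains in the unsubscribe and delete-folder hunks, while `_name` in create-folder now goes through `get_input_value()`. If that helper is where charset conversion and tag stripping now live, which is an inference because its body is not part of this diff, mailbox names reach the IMAP calls on these three paths without it. Reading the value once per branch, for example `$mbox = get_input_value('_mboxes', RCUBE_INPUT_GET);`, and passing `$mbox` to the IMAP call and to `rep_specialchars_output()` would keep the four actions consistent. The subscribe block opens before the hunk.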
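Review bot: `!empty($_GET['_name'])` in the create-folder branch rejects the folder name `0`, which the replaced `strlen()` test accepted. The test is also made on the raw parameter, while the value handed to `create_mailbox()` is the trimmed result of `get_input_value()`, so a whitespace-only name passes the check and reaches the IMAP call as an empty string. Reading the value once and testing that result covers both cases: `$name = trim(get_input_value('_name', RCUBE_INPUT_GET));` then `if (strlen($name)) $create = $IMAP->create_mailbox($name, TRUE);`. `$create` stays unset when the check fails, so the `!$create` branch below depends on an undefined variable; a `$create = FALSE;` before the `if` would make that explicit. The create-folder block runs past the end of the hunk.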
@@ -69,9 +69,9 @@ else if ($_action=='delete-folder')
 if (strlen($_GET['_mboxes']))
 $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));
- if ($_GET['_remote'] && $deleted)
+ if ($REMOTE_REQUEST && $deleted)
 rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js')));
- else if ($_GET['_remote'])
+ else if ($REMOTE_REQUEST)
 {
 $commands = show_message('errorsaving', 'error');
 rcube_remote_response($commands);
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 1bfbf48e6..f5780de4b 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -20,6 +20,7 @@
 */
 $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature');
+$a_html_cols = array('signature');
 // check input
@@ -44,7 +45,7 @@ if ($_POST['_iid'])
 $a_write_sql[] = sprintf("%s=%s",
 $DB->quoteIdentifier($col),
- $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+ $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))));
 }
 if (sizeof($a_write_sql))
@@ -99,7 +100,7 @@ else
 continue;
 $a_insert_cols[] = $DB->quoteIdentifier($col);
- $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+ $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)));
 }
 if (sizeof($a_insert_cols))
-- cgit v1.2.3
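Review bot: The `signature` column is no longer guaranteed to be tag-stripped before storage once `in_array($col, $a_html_cols)` is passed as the third argument to `get_input_value()` in the update branch of save_identity.inc, and again in the insert hunk at -99,7; the removed code ran `strip_tags()` on every column. This assumes the third argument is an allow-HTML switch, which the name `$a_html_cols` suggests but the diff does not show. If so, every place that later writes the signature into a page or an outgoing HTML message has to escape or sanitise it, and no such change appears in this commit. A comment on the declaration would record that obligation, for example `// columns stored with markup intact; escape or sanitise wherever they are rendered`. The loops enclosing both changed lines start outside their hunks.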