From 516467080bd822cb94a4a9ef58a168dcdaf7535b Mon Sep 17 00:00:00 2001
From: alecpl
Date: Fri, 27 May 2011 13:01:05 +0000
Subject: - Fix handling of "<" character in contact data, search fields and folder names, identity name and organization fields (#1487864)
---
 program/include/main.inc | 3 +--
 program/steps/addressbook/save.inc | 9 ++++-----
 program/steps/addressbook/search.inc | 2 +-
 program/steps/mail/search.inc | 7 ++++---
 program/steps/settings/save_identity.inc | 6 +++---
 5 files changed, 13 insertions(+), 14 deletions(-)
(limited to 'program')
diff --git a/program/include/main.inc b/program/include/main.inc
index 44a43c64c..98b8bcb46 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -867,8 +867,7 @@ function rcmail_get_edit_field($col, $value, $attrib, $type='text')
 // use value from post
 if (isset($_POST[$fname])) {
- $postvalue = get_input_value($fname, RCUBE_INPUT_POST,
- $type == 'textarea' && strpos($attrib['class'], 'mce_editor')!==false ? true : false);
+ $postvalue = get_input_value($fname, RCUBE_INPUT_POST, true);
 $value = $attrib['array'] ? $postvalue[intval($colcounts[$col]++)] : $postvalue;
 }
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 253609780..0092eb103 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -95,7 +95,6 @@ if ($RCMAIL->action == 'upload-photo') {
 $OUTPUT->send('iframe');
 }
-
 // read POST values into hash array
 $a_record = array();
 foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) {
@@ -106,7 +105,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) {
 if ($colprop['childs']) {
 $values = array();
 foreach ($colprop['childs'] as $childcol => $cp) {
- $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST);
+ $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST, true);
 foreach ((array)$vals as $i => $val)
 $values[$i][$childcol] = $val;
 }
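Review bot: The third argument on the added `$postvalue` line is now unconditionally `true`, so rcmail_get_edit_field hands back the POSTed value with `<` intact for every field type, not only the TinyMCE textarea the removed condition limited it to; the hunk does not say where that value is escaped, and a reader of this line will take it for safe output. I would record the contract on the line: `$postvalue = get_input_value($fname, RCUBE_INPUT_POST, true); // raw input so '<' survives (#1487864); callers must escape for output`. Whether every form that displays this value escapes it cannot be told from the hunk. rcmail_get_edit_field's body continues outside the hunk.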
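Review bot: With `true` passed to get_input_value on the added `$vals` line here, and on the `$values` and `$a_record[$col]` lines of the @@ -117 and @@ -125 hunks, contact fields are stored exactly as posted, so every place that renders a contact must HTML-escape; the commit escapes one such path (the `Q()` added in the @@ -190 hunk) but nothing in the record-building loop says the stored values are unescaped. I would state it once on the `$vals` line: `$vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST, true); // stored raw so '<' survives (#1487864) -- escape at output`. The `$subtypes` read in the @@ -117 hunk keeps the default filtering, which looks deliberate if subtypes come from a fixed list, but is worth confirming. The enclosing foreach starts before this hunk and ends after the @@ -125 hunk.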
@@ -117,7 +116,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) {
 }
 // assign values and subtypes
 else if (is_array($_POST[$fname])) {
- $values = get_input_value($fname, RCUBE_INPUT_POST);
+ $values = get_input_value($fname, RCUBE_INPUT_POST, true);
 $subtypes = get_input_value('_subtype_' . $col, RCUBE_INPUT_POST);
 foreach ($values as $i => $val) {
 $subtype = $subtypes[$i] ? ':'.$subtypes[$i] : '';
@@ -125,7 +124,7 @@ foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) {
 }
 }
 else if (isset($_POST[$fname])) {
- $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST);
+ $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST, true);
 }
 }
@@ -190,7 +189,7 @@ if (!empty($cid))
 $record['name'] = $record['email'];
 foreach (array('name', 'email') as $col)
- $a_js_cols[] = (string)$record[$col];
+ $a_js_cols[] = Q((string)$record[$col]);
 // update the changed col in list
 $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid);
diff --git a/program/steps/addressbook/search.inc b/program/steps/addressbook/search.inc
index 7d6775507..8d25a8fbc 100644
--- a/program/steps/addressbook/search.inc
+++ b/program/steps/addressbook/search.inc
@@ -22,7 +22,7 @@ $CONTACTS->set_page(1);
 $_SESSION['page'] = 1;
-$search = trim(get_input_value('_q', RCUBE_INPUT_GET));
+$search = trim(get_input_value('_q', RCUBE_INPUT_GET, true));
 $search_request = md5('addr'.$search);
 // get contacts for this user
diff --git a/program/steps/mail/search.inc b/program/steps/mail/search.inc
index 39fb32fc9..c038d772f 100644
--- a/program/steps/mail/search.inc
+++ b/program/steps/mail/search.inc
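Review bot: `Q()` on the added `$a_js_cols[]` line in the @@ -190 hunk appears to HTML-escape `name` and `email` before they go to `parent.update_contact_row`, which is only correct if the client inserts those columns as HTML; if it sets text content, the row will show `&lt;` literally, and the hunk does not record which it is. I would document the assumption on the line: `$a_js_cols[] = Q((string)$record[$col]); // HTML-escaped: update_contact_row must insert as HTML, not text`. The client code is not visible here, so treat this as a check rather than a defect.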
@@ -27,10 +27,11 @@ $_SESSION['page'] = 1;
 $imap_charset = RCMAIL_CHARSET;
 // get search string
-$str = get_input_value('_q', RCUBE_INPUT_GET);
-$filter = get_input_value('_filter', RCUBE_INPUT_GET);
-$mbox = get_input_value('_mbox', RCUBE_INPUT_GET);
+$str = get_input_value('_q', RCUBE_INPUT_GET, true);
+$mbox = get_input_value('_mbox', RCUBE_INPUT_GET, true);
+$filter = get_input_value('_filter', RCUBE_INPUT_GET);
 $headers = get_input_value('_headers', RCUBE_INPUT_GET);
+
 $search_request = md5($mbox.$filter.$str);
 // add list filter string
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 4fb6a2a9f..b2957a78b 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -22,17 +22,17 @@ define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
 $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature', 'html_signature');
-$a_html_cols = array('signature');
+$a_html_cols = array('signature', 'name', 'organization');
 $a_boolean_cols = array('standard', 'html_signature');
 $updated = $default_id = false;
 // check input
 if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3))
- {
+{
 $OUTPUT->show_message('formincomplete', 'warning');
 rcmail_overwrite_action('edit-identity');
 return;
- }
+}
 $save_data = array();
-- 
cgit v1.2.3
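Review bot: `$search_request = md5($mbox.$filter.$str)` derives the search id from a bare concatenation, so distinct (mbox, filter, str) combinations collide whenever the boundary shifts, and `$headers`, read on the line above, is not part of the id at all although it changes what the search matches; this predates the hunk, but the reordered reads are the natural place to fix it. If nothing else recomputes this id, `$search_request = md5($mbox."\0".$filter."\0".$str."\0".$headers);` closes both gaps. With `$mbox` now read with the third argument `true`, the folder name reaches the IMAP code unfiltered, which is the point of the change for folders containing `<` and relies on that layer quoting mailbox names, which is worth confirming.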
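Review bot: `name` and `organization` are added to `$a_html_cols` although neither is an HTML field, so the array name now misdescribes its contents, and whatever `$a_html_cols` selects further down (outside the hunk) will treat the identity name as HTML-bearing, which matters wherever it is rendered or placed in a From header without escaping. I would state the reason on the added line: `$a_html_cols = array('signature', 'name', 'organization'); // name/organization are not HTML; listed so '<' survives input filtering (#1487864)`. Separately, the unchanged `empty($_POST['_name'])` check rejects a name of `'0'` as incomplete, since `empty('0')` is true in PHP; `!isset($_POST['_name']) || trim($_POST['_name']) === ''` expresses the intent. The rest of the step, including where `$a_html_cols` is consumed, lies outside the hunk.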