Add is_escaped attribute for html_select and html_textarea (#1488485)

13 years ago · 0a1dd5b073
parent 5a575b7eb0
commit 0a1dd5b073
5 changed files with 25 additions and 13 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 - Add is_escaped attribute for html_select and html_textarea (#1488485)
 - Fix HTML entities handling in HTML editor (#1488483)
 - Fix listing shared folders on Courier IMAP (#1488466)
 - Fix issue where draft auto-save wasn't executed after some inactivity time
--- a/program/include/html.php
+++ b/program/include/html.php
@ -298,7 +298,7 @@ class html
                }
            }
            else {
-                $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+                $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
            }
        }
@ -332,16 +332,19 @@ class html
     * Replacing specials characters in html attribute value
     *
     * @param  string  $str       Input string
     * @param  bool    $validate  Enables double quotation prevention
     *
     * @return string  The quoted string
     */
-    public static function quote($str)
+    public static function quote($str, $validate = false)
    {
        $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
        // avoid douple quotation of &
-        // @TODO: get rid of it?
+        // @TODO: get rid of it
        if ($validate) {
            $str = preg_replace('/&amp;([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
        }
        return $str;
    }
@ -558,8 +561,8 @@ class html_textarea extends html
            unset($this->attrib['value']);
        }
-        if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
+        if (!empty($value) && empty($this->attrib['is_escaped'])) {
-            $value = self::quote($value);
+            $value = self::quote($value, true);
        }
        return self::tag($this->tagname, $this->attrib, $value,
@ -633,7 +636,12 @@ class html_select extends html
                'selected' => (in_array($option['value'], $select, true) ||
                  in_array($option['text'], $select, true)) ? 1 : null);
-            $this->content .= self::tag('option', $attr, self::quote($option['text']));
+            $option_content = $option['text'];
            if (empty($this->attrib['is_escaped'])) {
                $option_content = self::quote($option_content, true);
            }
            $this->content .= self::tag('option', $attr, $option_content);
        }
        return parent::show();
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@ -1329,11 +1329,12 @@ class rcmail extends rcube
        $attrib      = $hook['attribs'];
        if ($type == 'select') {
            $attrib['is_escaped'] = true;
            $select = new html_select($attrib);
            // add no-selection option
            if ($attrib['noselection']) {
-                $select->add($rcmail->gettext($attrib['noselection']), '');
+                $select->add(html::quote($rcmail->gettext($attrib['noselection'])), '');
            }
            $rcmail->render_folder_tree_select($a_mailboxes, $mbox_name, $attrib['maxlength'], $select, $attrib['realnames']);
@ -1362,7 +1363,7 @@ class rcmail extends rcube
     */
    public function folder_selector($p = array())
    {
-        $p += array('maxlength' => 100, 'realnames' => false);
+        $p += array('maxlength' => 100, 'realnames' => false, 'is_escaped' => true);
        $a_mailboxes = array();
        $storage = $this->get_storage();
@ -1388,7 +1389,7 @@ class rcmail extends rcube
        $select = new html_select($p);
        if ($p['noselection']) {
-            $select->add($p['noselection'], '');
+            $select->add(html::quote($p['noselection']), '');
        }
        $this->render_folder_tree_select($a_mailboxes, $mbox, $p['maxlength'], $select, $p['realnames'], 0, $p);
@ -1579,7 +1580,7 @@ class rcmail extends rcube
                }
            }
-            $select->add(str_repeat('&nbsp;', $nestLevel*4) . $foldername, $folder['id']);
+            $select->add(str_repeat('&nbsp;', $nestLevel*4) . html::quote($foldername), $folder['id']);
            if (!empty($folder['folders'])) {
                $out .= $this->render_folder_tree_select($folder['folders'], $mbox_name, $maxlength,
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@ -772,6 +772,7 @@ function rcmail_compose_body($attrib)
  if ($isHtml) {
    $MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
    $attrib['class'] = 'mce_editor';
    $attrib['is_escaped'] = true;
    $textarea = new html_textarea($attrib);
    $out .= $textarea->show($MESSAGE_BODY);
  }
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@ -89,6 +89,7 @@ function rcube_identity_form($attrib)
  // Enable TinyMCE editor
  if ($IDENTITY_RECORD['html_signature']) {
    $form['signature']['content']['signature']['class']      = 'mce_editor';
    $form['signature']['content']['signature']['is_escaped'] = true;
  }
  $IDENTITY_RECORD['signature'] = htmlentities($IDENTITY_RECORD['signature'], ENT_NOQUOTES, RCMAIL_CHARSET);