New (strict) quoting for all kind of strings

release-0.6
thomascube 18 years ago
parent cfdf044df2
commit 2bca6e1da0

@ -734,7 +734,7 @@ function show_message($message, $type='notice', $vars=NULL)
$framed = $GLOBALS['_framed'];
$command = sprintf("display_message('%s', '%s');",
rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'),
JQ(rcube_label(array('name' => $message, 'vars' => $vars))),
$type);
if ($REMOTE_REQUEST)
@ -854,7 +854,7 @@ function rcube_add_label()
$OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
$JS_OBJECT_NAME,
$name,
rep_specialchars_output(rcube_label($name), 'js')));
JQ(rcube_label($name))));
}
@ -897,8 +897,15 @@ function rcmail_message_cache_gc()
}
// convert a string from one charset to another
// this function is not complete and not tested well
/**
* Convert a string from one charset to another.
* Uses mbstring and iconv functions if possible
*
* @param string Input string
* @param string Suspected charset of the input string
* @param string Target charset to convert to; defaults to $GLOBALS['CHARSET']
* @return Converted string
*/
function rcube_charset_convert($str, $from, $to=NULL)
{
global $MBSTRING;
@ -953,12 +960,19 @@ function rcube_charset_convert($str, $from, $to=NULL)
}
// replace specials characters to a specific encoding type
/**
* Replacing specials characters to a specific encoding type
*
* @param string Input string
* @param string Encoding type: text|html|xml|js|url
* @param string Replace mode for tags: show|replace|remove
* @param boolean Convert newlines
* @return The quoted string
*/
function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
{
global $OUTPUT_TYPE, $OUTPUT;
static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table;
static $html_encode_arr, $js_rep_table, $xml_rep_table;
if (!$enctype)
$enctype = $GLOBALS['OUTPUT_TYPE'];
@ -1000,21 +1014,18 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
return $newlines ? nl2br($out) : $out;
}
if ($enctype=='url')
return rawurlencode($str);
// if the replace tables for RTF, XML and JS are not yet defined
// if the replace tables for XML and JS are not yet defined
if (!$js_rep_table)
{
$js_rep_table = $rtf_rep_table = $xml_rep_table = array();
$js_rep_tabl = $xml_rep_table = array();
$xml_rep_table['&'] = '&';
for ($c=160; $c<256; $c++) // can be increased to support more charsets
{
$hex = dechex($c);
$rtf_rep_table[Chr($c)] = "\\'$hex";
$xml_rep_table[Chr($c)] = "&#$c;";
if ($OUTPUT->get_charset()=='ISO-8859-1')
@ -1025,7 +1036,7 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
$xml_rep_table['"'] = '&quot;';
}
// encode for RTF
// encode for XML
if ($enctype=='xml')
return strtr($str, $xml_rep_table);
@ -1038,14 +1049,28 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table)));
}
// encode for RTF
if ($enctype=='rtf')
return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table));
// no encoding given -> return original string
return $str;
}
/**
* Quote a given string. Alias function for rep_specialchars_output
* @see rep_specialchars_output
*/
function Q($str, $mode='strict', $newlines=TRUE)
{
return rep_specialchars_output($str, 'html', $mode, $newlines);
}
/**
* Quote a given string. Alias function for rep_specialchars_output
* @see rep_specialchars_output
*/
function JQ($str, $mode='strict', $newlines=TRUE)
{
return rep_specialchars_output($str, 'js', $mode, $newlines);
}
/**
* Read input value and convert it for internal use
@ -1248,7 +1273,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array())
// show a label
case 'label':
if ($attrib['name'] || $attrib['command'])
return rep_specialchars_output(rcube_label($attrib));
return Q(rcube_label($attrib));
break;
// create a menu item
@ -1331,7 +1356,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array())
else if ($object=='productname')
{
$name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail';
return rep_specialchars_output($name, 'html', 'all');
return Q($name);
}
else if ($object=='version')
{
@ -1353,7 +1378,7 @@ function rcube_xml_command($command, $str_attrib, $add_attrib=array())
else
$title .= ucfirst($task);
return rep_specialchars_output($title, 'html', 'all');
return Q($title);
}
break;
@ -1419,12 +1444,12 @@ function rcube_button($attrib)
// get localized text for labels and titles
if ($attrib['title'])
$attrib['title'] = rep_specialchars_output(rcube_label($attrib['title']));
$attrib['title'] = Q(rcube_label($attrib['title']));
if ($attrib['label'])
$attrib['label'] = rep_specialchars_output(rcube_label($attrib['label']));
$attrib['label'] = Q(rcube_label($attrib['label']));
if ($attrib['alt'])
$attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt']));
$attrib['alt'] = Q(rcube_label($attrib['alt']));
// set title to alt attribute for IE browsers
if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt'])
@ -1537,12 +1562,11 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col)
$table .= "<thead><tr>\n";
foreach ($a_show_cols as $col)
$table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n";
$table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n";
$table .= "</tr></thead>\n<tbody>\n";
$c = 0;
if (!is_array($table_data))
{
while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data)))
@ -1554,8 +1578,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col)
// format each col
foreach ($a_show_cols as $col)
{
$cont = rep_specialchars_output($sql_arr[$col]);
$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
$cont = Q($sql_arr[$col]);
$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
}
$table .= "</tr>\n";
@ -1573,8 +1597,8 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col)
// format each col
foreach ($a_show_cols as $col)
{
$cont = rep_specialchars_output($row_data[$col]);
$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
$cont = Q($row_data[$col]);
$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
}
$table .= "</tr>\n";
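Review bot: The static initialisation in rep_specialchars_output now reads `$js_rep_tabl = $xml_rep_table = array();` — `$js_rep_tabl` is a typo for the `$js_rep_table` named on the `static` line, so the JS table is never reset to an empty array there and `if (!$js_rep_table)` stays true on every call unless lines outside the hunk assign entries to it; the line should read `$js_rep_table = $xml_rep_table = array();`. The docblock still lists the tag modes as `show|replace|remove` while the new Q() defaults `$mode` to `'strict'`, so that list should be brought in line with whatever set the function actually accepts (the branch handling `'strict'` is outside the hunk). JQ() copies Q()'s docblock verbatim; it should say it quotes for a JavaScript string context via the `'js'` encoding, e.g. `* Quote a given string for use inside a JavaScript string literal.`. Separately, the `'js'` branch relies on `addslashes()` after the `$js_rep_table` substitution, and addslashes does not touch `<` or `/`, so a value containing `</script>` passes through unless the table (built outside the hunk) maps those characters — worth confirming, since JQ() output is handed to add_script(), which presumably places it inside an inline script block.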

@ -133,7 +133,7 @@ class rcube_html_page
$this->title = 'RoundCube Mail';
// replace specialchars in content
$__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
$__page_title = Q($this->title, 'show', FALSE);
$__page_header = $__page_body = $__page_footer = '';
@ -725,7 +725,7 @@ class base_form_element
// encode textarea content
if ($key=='value')
$value = rep_specialchars_output($value, 'html', 'replace', FALSE);
$value = Q($value, 'strict', FALSE);
// attributes with no value
if (in_array($key, array('checked', 'multiple', 'disabled', 'selected')))
@ -879,7 +879,7 @@ class textarea extends base_form_element
unset($this->attrib['value']);
if (strlen($value) && !isset($this->attrib['mce_editable']))
$value = rep_specialchars_output($value, 'html', 'replace', FALSE);
$value = Q($value, 'strict', FALSE);
// return final tag
return sprintf('<%s%s>%s</%s>%s',
@ -1019,7 +1019,7 @@ class select extends base_form_element
$this->_conv_case('option', 'tag'),
strlen($option['value']) ? sprintf($value_str, $option['value']) : '',
$selected,
rep_specialchars_output($option['text'], 'html', 'replace', FALSE),
Q($option['text'], 'strict', FALSE),
$this->_conv_case('option', 'tag'));
}

@ -119,7 +119,7 @@ function rcmail_js_contacts_list($sql_result, $obj_name='this')
// format each col
foreach ($a_show_cols as $col)
{
$cont = rep_specialchars_output($sql_arr[$col]);
$cont = Q($sql_arr[$col]);
$a_row_cols[$col] = $cont;
}

@ -447,25 +447,26 @@ function rcmail_compose_body($attrib)
$lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n";
$OUTPUT->include_script('googiespell.js');
$OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
"googie.lang_chck_spell = \"%s\";\n".
"googie.lang_rsm_edt = \"%s\";\n".
"googie.lang_close = \"%s\";\n".
"googie.lang_revert = \"%s\";\n".
"googie.lang_no_error_found = \"%s\";\n%s".
"googie.setCurrentLanguage('%s');\n".
"googie.decorateTextarea('%s');\n".
"%s.set_env('spellcheck', googie);",
$GLOBALS['COMM_PATH'],
rep_specialchars_output(rcube_label('checkspelling')),
rep_specialchars_output(rcube_label('resumeediting')),
rep_specialchars_output(rcube_label('close')),
rep_specialchars_output(rcube_label('revertto')),
rep_specialchars_output(rcube_label('nospellerrors')),
$lang_set,
substr($_SESSION['user_lang'], 0, 2),
$attrib['id'],
$JS_OBJECT_NAME), 'foot');
$OUTPUT->add_script(sprintf(
"var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
"googie.lang_chck_spell = \"%s\";\n".
"googie.lang_rsm_edt = \"%s\";\n".
"googie.lang_close = \"%s\";\n".
"googie.lang_revert = \"%s\";\n".
"googie.lang_no_error_found = \"%s\";\n%s".
"googie.setCurrentLanguage('%s');\n".
"googie.decorateTextarea('%s');\n".
"%s.set_env('spellcheck', googie);",
$GLOBALS['COMM_PATH'],
JQ(Q(rcube_label('checkspelling'))),
JQ(Q(rcube_label('resumeediting'))),
JQ(Q(rcube_label('close'))),
JQ(Q(rcube_label('revertto'))),
JQ(Q(rcube_label('nospellerrors'))),
$lang_set,
substr($_SESSION['user_lang'], 0, 2),
$attrib['id'],
$JS_OBJECT_NAME), 'foot');
rcube_add_label('checking');
}
@ -552,10 +553,10 @@ function rcmail_create_forward_body($body, $bodyIsHtml)
"<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" .
"<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" .
"</tbody></table><br>",
rep_specialchars_output($MESSAGE['subject']),
rep_specialchars_output($MESSAGE['headers']->date),
rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)),
rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to)));
Q($MESSAGE['subject']),
Q($MESSAGE['headers']->date),
Q($IMAP->decode_header($MESSAGE['headers']->from)),
Q($IMAP->decode_header($MESSAGE['headers']->to)));
}
// add attachments
@ -692,9 +693,9 @@ function rcmail_compose_attachment_list($attrib)
$id,
$JS_OBJECT_NAME,
$id,
rcube_label('delete'),
Q(rcube_label('delete')),
$button,
rep_specialchars_output($a_prop['name']));
Q($a_prop['name']));
}
$OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id']));
@ -895,7 +896,7 @@ if ($DB->num_rows($sql_result))
$a_contacts = array();
while ($sql_arr = $DB->fetch_assoc($sql_result))
if ($sql_arr['email'])
$a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js'));
$a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name']));
$OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts)));
}
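Review bot: In the contacts loop feeding `array2js($a_contacts)`, the name is passed through JQ() while the email from the same row goes raw into format_email_recipient(), and both end up in the same JS array literal; if array2js() quotes its elements the name is escaped twice, and if it does not the email is unescaped, so quoting should happen at one layer only, e.g. `$a_contacts[] = format_email_recipient($sql_arr['email'], $sql_arr['name']);` with array2js() responsible for escaping, or JQ() applied to both values (array2js is outside the hunk, so its behaviour cannot be confirmed here). In the googiespell block the labels are wrapped as `JQ(Q(...))`, i.e. HTML-encoded and then JS-quoted; that is right only if GoogieSpell inserts the `lang_*` strings as markup, otherwise users will see entities such as `&amp;` literally — a short comment stating the assumption, e.g. `// HTML-encode first: GoogieSpell renders lang_* as markup`, would help. rcmail_compose_body and rcmail_compose_attachment_list both start and end outside their hunks.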

@ -51,7 +51,11 @@ if (!isset($_SESSION['sort_col']))
$_SESSION['sort_col'] = $CONFIG['message_sort_col'];
if (!isset($_SESSION['sort_order']))
$_SESSION['sort_order'] = $CONFIG['message_sort_order'];
// set message set for search result
if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']]))
$IMAP->set_search_set($_SESSION['search'][$_GET['_search']]);
// define url for getting message parts
if (strlen($_GET['_uid']))
@ -193,7 +197,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m
{
$fname = abbrevate_string($foldername, $maxlength);
if ($fname != $foldername)
$title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"';
$title = ' title="'.Q($foldername).'"';
$foldername = $fname;
}
}
@ -215,7 +219,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m
else if ($folder['id']==$CONFIG['junk_mbox'])
$class_name = 'junk';
$js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js'));
$js_name = htmlspecialchars(JQ($folder['id']));
$out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&amp;_mbox=%s"'.
' onclick="return %s.command(\'list\',\'%s\')"'.
' onmouseover="return %s.focus_mailbox(\'%s\')"' .
@ -237,7 +241,7 @@ function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $m
$JS_OBJECT_NAME,
$js_name,
$title,
rep_specialchars_output($foldername, 'html', 'all'));
Q($foldername));
if (!empty($folder['folders']))
$out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n";
@ -274,7 +278,7 @@ function rcmail_render_folder_tree_select(&$arrFolders, &$special, &$mbox_name,
$out .= sprintf('<option value="%s">%s%s</option>'."\n",
htmlspecialchars($folder['id']),
str_repeat('&nbsp;', $nestLevel*4),
rep_specialchars_output($foldername, 'html', 'all'));
Q($foldername));
if (!empty($folder['folders']))
$out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1);
@ -340,7 +344,7 @@ function rcmail_message_list($attrib)
foreach ($a_show_cols as $col)
{
// get column name
$col_name = rep_specialchars_output(rcube_label($col));
$col_name = Q(rcube_label($col));
// make sort links
$sort = '';
@ -394,10 +398,9 @@ function rcmail_message_list($attrib)
// no messages in this mailbox
if (!sizeof($a_headers))
{
$out .= rep_specialchars_output(
sprintf('<tr><td colspan="%d">%s</td></tr>',
sizeof($a_show_cols)+2,
rcube_label('nomessagesfound')));
$out .= sprintf('<tr><td colspan="%d">%s</td></tr>',
sizeof($a_show_cols)+2,
Q(rcube_label('nomessagesfound')));
}
@ -443,10 +446,10 @@ function rcmail_message_list($attrib)
foreach ($a_show_cols as $col)
{
if ($col=='from' || $col=='to')
$cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon']));
$cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show');
else if ($col=='subject')
{
$cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
$cont = Q($IMAP->decode_header($header->$col));
// firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
$cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
}
@ -455,9 +458,9 @@ function rcmail_message_list($attrib)
else if ($col=='date')
$cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
else
$cont = rep_specialchars_output($header->$col, 'html', 'all');
$cont = Q($header->$col);
$out .= '<td class="'.$col.'">' . $cont . "</td>\n";
$out .= '<td class="'.$col.'">' . $cont . "</td>\n";
}
$out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : '');
@ -530,15 +533,15 @@ function rcmail_js_message_list($a_headers, $insert_top=FALSE)
foreach ($a_show_cols as $col)
{
if ($col=='from' || $col=='to')
$cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html');
$cont = Q(rcmail_address_string($header->$col, 3), 'show');
else if ($col=='subject')
$cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
$cont = Q($IMAP->decode_header($header->$col));
else if ($col=='size')
$cont = show_bytes($header->$col);
else if ($col=='date')
$cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
else
$cont = rep_specialchars_output($header->$col, 'html', 'all');
$cont = Q($header->$col);
$a_msg_cols[$col] = $cont;
}
@ -642,7 +645,7 @@ function rcmail_quota_display($attrib)
$OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id']));
// allow the following attributes to be added to the <span> tag
$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display'));
$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
$out = '<span' . $attrib_str . '>';
$out .= rcmail_quota_content($attrib['display']);
@ -710,7 +713,7 @@ function rcmail_get_messagecount_text($count=NULL, $page=NULL)
'to' => min($max, $start_msg + $IMAP->page_size - 1),
'count' => $max)));
return rep_specialchars_output($out);
return Q($out);
}
@ -757,13 +760,13 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
$body = preg_replace($remote_patterns, $remote_replaces, $body);
}
return rep_specialchars_output($body, 'html', '', FALSE);
return Q($body, 'show', FALSE);
}
// text/enriched
if ($part->ctype_secondary=='enriched')
{
return rep_specialchars_output(enriched_to_html($body), 'html');
return Q(enriched_to_html($body), 'show');
}
else
{
@ -812,7 +815,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
$quotation = str_repeat("</blockquote>", $quote_level);
$quote_level = $q;
$a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE);
$a_lines[$n] = $quotation . Q($line, 'replace', FALSE);
}
// insert the links for urls and mailtos
@ -1066,12 +1069,12 @@ function rcmail_message_headers($attrib, $headers=NULL)
if ($hkey=='date' && !empty($headers[$hkey]))
$header_value = format_date(strtotime($headers[$hkey]));
else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
$header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
$header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show');
else
$header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
$header_value = Q($IMAP->decode_header($headers[$hkey]));
$out .= "\n<tr>\n";
$out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).":&nbsp;</td>\n";
$out .= '<td class="header-title">'.Q(rcube_label($hkey)).":&nbsp;</td>\n";
$out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>";
$header_count++;
}
@ -1384,7 +1387,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL)
{
$j++;
if ($PRINT_MODE)
$out .= sprintf('%s &lt;%s&gt;', rep_specialchars_output($part['name']), $part['mailto']);
$out .= sprintf('%s &lt;%s&gt;', Q($part['name']), $part['mailto']);
else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto']))
{
$out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>',
@ -1392,7 +1395,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL)
$JS_OBJECT_NAME,
$part['mailto'],
$part['mailto'],
rep_specialchars_output($part['name']));
Q($part['name']));
if ($addicon)
$out .= sprintf('&nbsp;<a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>',
@ -1405,7 +1408,7 @@ function rcmail_address_string($input, $max=NULL, $addicon=NULL)
else
{
if ($part['name'])
$out .= rep_specialchars_output($part['name']);
$out .= Q($part['name']);
if ($part['mailto'])
$out .= (strlen($out) ? ' ' : '') . sprintf('&lt;%s&gt;', $part['mailto']);
}
@ -1442,15 +1445,15 @@ function rcmail_message_part_controls()
if ($filename)
{
$out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n",
rcube_label('filename'),
rep_specialchars_output(rcube_imap::decode_mime_string($filename)),
Q(rcube_label('filename')),
Q(rcube_imap::decode_mime_string($filename)),
str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']),
rcube_label('download'));
Q(rcube_label('download')));
}
if ($filesize)
$out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n",
rcube_label('filesize'),
Q(rcube_label('filesize')),
show_bytes($filesize));
$out .= "\n</table>";
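Review bot: Two changes in this file are unrelated to the quoting rework the commit title announces: the new search-set block after `$_SESSION['sort_order']` (`$IMAP->set_search_set($_SESSION['search'][$_GET['_search']]);`) and the removal of `'display'` from the `create_attrib_string()` list in rcmail_quota_display, which changes the attributes of the rendered `<span>`; they should be split out or at least mentioned in the commit message. The search lookup is guarded by `isset($_SESSION['search'][$_GET['_search']])`, so an unknown or missing id simply skips set_search_set(); a one-line comment such as `// only a search id previously stored in this session selects a result set` would make that intent explicit. In rcmail_message_list and rcmail_js_message_list the address columns are now quoted with mode `'show'` because rcmail_address_string() already returns `<a>` markup with its names Q()-quoted; if `'show'` keeps generated tags as the rep_specialchars_output docblock implies, a comment at those call sites saying so would spare the next reader from wondering whether the names are double-encoded.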

@ -468,7 +468,7 @@ else
rcmail_compose_cleanup();
rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');",
rep_specialchars_output(rcube_label('messagesent'), 'js')));
JQ(rcube_label('messagesent'))));
}

@ -150,11 +150,10 @@ function rcmail_remote_objects_msg($attrib)
$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
$out = '<div' . $attrib_str . ">";
$out .= rep_specialchars_output(sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>',
rcube_label('blockedimages'),
$JS_OBJECT_NAME,
rcube_label('showimages'),
rcube_label('showimages')));
$out .= sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>',
Q(rcube_label('blockedimages')),
$JS_OBJECT_NAME,
Q(rcube_label('showimages')));
$out .= '</div>';
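Review bot: The rewritten link in rcmail_remote_objects_msg drops the `title="%s"` attribute and the second `rcube_label('showimages')` argument that the old sprintf carried, so the anchor loses its tooltip; if that is intentional it should be noted in the commit, otherwise keep the attribute as `onclick="%s.command(\'load-images\')" title="%s">%s</a>'` and pass `Q(rcube_label('showimages'))` for both placeholders. Quoting the two labels individually instead of running the whole fragment through rep_specialchars_output is the right direction, since the old form applied the encoder to the generated `<a>` markup as well. The function starts outside the hunk.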

@ -49,16 +49,16 @@ foreach ($_FILES['_attachments']['tmp_name'] as $i => $filepath)
if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png'))
$button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />',
$CONFIG['skin_path'],
rcube_label('delete'));
Q(rcube_label('delete')));
else
$button = rcube_label('delete');
$button = Q(rcube_label('delete'));
$content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s',
$JS_OBJECT_NAME,
$id,
rcube_label('delete'),
$button,
rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js'));
JQ(Q(rcube_label('delete'))),
JQ($button),
JQ(Q($_FILES['_attachments']['name'][$i])));
$response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');',
$JS_OBJECT_NAME,

@ -127,7 +127,7 @@ function rcube_identity_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$attrib['id'],
rep_specialchars_output(rcube_label($label)),
Q(rcube_label($label)),
$value);
}

@ -60,7 +60,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('language')),
Q(rcube_label('language')),
$select_lang->show($sess_user_lang));
}
@ -106,7 +106,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('timezone')),
Q(rcube_label('timezone')),
$select_timezone->show($CONFIG['timezone']));
}
@ -117,7 +117,7 @@ function rcmail_user_prefs_form($attrib)
$input_dst = new checkbox(array('name' => '_dst_active', 'id' => $field_id, 'value' => 1));
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('dstactive')),
Q(rcube_label('dstactive')),
$input_dst->show($CONFIG['dst_active']));
}
@ -129,7 +129,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('pagesize')),
Q(rcube_label('pagesize')),
$input_pagesize->show($CONFIG['pagesize']));
}
@ -141,7 +141,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('prettydate')),
Q(rcube_label('prettydate')),
$input_prettydate->show($CONFIG['prettydate']?1:0));
}
@ -153,7 +153,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('preferhtml')),
Q(rcube_label('preferhtml')),
$input_pagesize->show($CONFIG['prefer_html']?1:0));
}
@ -164,7 +164,7 @@ function rcmail_user_prefs_form($attrib)
$input_htmleditor = new checkbox(array('name' => '_htmleditor', 'id' => $field_id, 'value' => 1));
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('htmleditor')),
Q(rcube_label('htmleditor')),
$input_htmleditor->show($CONFIG['htmleditor']?1:0));
}
@ -175,7 +175,7 @@ function rcmail_user_prefs_form($attrib)
$input_preview = new checkbox(array('name' => '_preview_pane', 'id' => $field_id, 'value' => 1));
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('previewpane')),
Q(rcube_label('previewpane')),
$input_preview->show($CONFIG['preview_pane']?1:0));
}
@ -189,7 +189,7 @@ function rcmail_user_prefs_form($attrib)
$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
$field_id,
rep_specialchars_output(rcube_label('autosavedraft')),
Q(rcube_label('autosavedraft')),
$select_autosave->show($CONFIG['draft_autosave']));
}

@ -52,8 +52,8 @@ else if ($_action=='create-folder')
if ($create && $REMOTE_REQUEST)
{
$commands = sprintf("this.add_folder_row('%s','%s')",
rep_specialchars_output($create, 'js'),
rep_specialchars_output(rcube_charset_convert($create, 'UTF-7'), 'js'));
JQ($create),
JQ(rcube_charset_convert($create, 'UTF-7')));
rcube_remote_response($commands);
}
else if (!$create && $REMOTE_REQUEST)
@ -74,9 +74,9 @@ else if ($_action=='rename-folder')
if ($rename && $REMOTE_REQUEST)
{
$commands = sprintf("this.replace_folder_row('%s','%s','%s');\n",
rep_specialchars_output(get_input_value('_folder_oldname', RCUBE_INPUT_GET), 'js'),
rep_specialchars_output($rename, 'js'),
rep_specialchars_output(rcube_charset_convert($rename, 'UTF-7'), 'js'));
JQ(get_input_value('_folder_oldname', RCUBE_INPUT_GET)),
JQ($rename),
JQ(rcube_charset_convert($rename, 'UTF-7')));
$commands .= "this.reset_folder_rename();\n";
@ -100,7 +100,7 @@ else if ($_action=='delete-folder')
if ($REMOTE_REQUEST && $deleted)
{
$commands = sprintf("this.remove_folder_row('%s');\n", rep_specialchars_output(get_input_value('_mboxes', RCUBE_INPUT_GET), 'js'));
$commands = sprintf("this.remove_folder_row('%s');\n", JQ(get_input_value('_mboxes', RCUBE_INPUT_GET)));
$commands .= show_message('folderdeleted', 'confirmation');
rcube_remote_response($commands);
}
@ -165,8 +165,8 @@ function rcube_subscription_form($attrib)
$subscribed = in_array($folder, $a_subscribed);
$protected = ($CONFIG['protect_default_folders'] == TRUE && in_array($folder,$CONFIG['default_imap_folders']));
$zebra_class = $i%2 ? 'even' : 'odd';
$folder_js = rep_specialchars_output($folder, 'js');
$folder_js_enc = rep_specialchars_output(rcube_charset_convert($folder, 'UTF-7'), 'js');
$folder_js = JQ($folder);
$folder_js_enc = JQ(rcube_charset_convert($folder, 'UTF-7'));
$folder_html = $CONFIG['protect_default_folders'] && in_array($folder, $CONFIG['default_imap_folders']) ? rcube_label(strtolower($folder)) : rcube_charset_convert($folder, 'UTF-7');
if (!$protected)
@ -175,7 +175,7 @@ function rcube_subscription_form($attrib)
$out .= sprintf('<tr id="rcmrow%d" class="%s"><td>%s</td>',
$i+1,
$zebra_class,
rep_specialchars_output($folder_html, 'html', 'all'));
Q($folder_html));
if ($protected)
$out .= '<td>&nbsp;'.($subscribed ? '&#x2022;' : '-').'</td>';
