diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index 36a2a1d9d..c51067279 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -1280,7 +1280,7 @@ EOF; $value = $_SESSION[$name]; break; case 'cookie': - $value = htmlspecialchars($_COOKIE[$name]); + $value = htmlspecialchars($_COOKIE[$name], ENT_COMPAT | ENT_HTML401, RCMAIL_CHARSET); break; case 'browser': $value = $this->browser->{$name}; diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php index 84a26d68e..e129750cb 100644 --- a/program/lib/Roundcube/html.php +++ b/program/lib/Roundcube/html.php @@ -375,16 +375,7 @@ class html */ public static function quote($str) { - static $flags; - - if (!$flags) { - $flags = ENT_COMPAT; - if (defined('ENT_SUBSTITUTE')) { - $flags |= ENT_SUBSTITUTE; - } - } - - return @htmlspecialchars($str, $flags, RCUBE_CHARSET); + return @htmlspecialchars($str, ENT_COMPAT | ENT_SUBSTITUTE, RCUBE_CHARSET); } } diff --git a/program/lib/Roundcube/rcube_html2text.php b/program/lib/Roundcube/rcube_html2text.php index ab48d3d98..6562de8cc 100644 --- a/program/lib/Roundcube/rcube_html2text.php +++ b/program/lib/Roundcube/rcube_html2text.php @@ -636,7 +636,7 @@ class rcube_html2text // Add citation markers and create
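Review bot: The `+` line in the `cookie` case keeps ENT_COMPAT, so a single quote in the cookie value is passed through unescaped; where `$value` is later interpolated lies outside this hunk, but if it can end up in a single-quoted attribute or a JavaScript string, `'` is exactly the character that breaks out, and unlike the `session` case above it this value is attacker-controlled. It also omits ENT_SUBSTITUTE, so an invalid byte sequence makes `htmlspecialchars()` return `''` silently rather than a substituted string. Prefer `$value = htmlspecialchars($_COOKIE[$name], ENT_QUOTES | ENT_SUBSTITUTE, RCMAIL_CHARSET);`, or route through `html::quote()` so the flag set is decided in one place (accepting that `quote()` still uses ENT_COMPAT). The enclosing switch starts and ends outside the hunk.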
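Review bot: Dropping the `defined('ENT_SUBSTITUTE')` guard in `html::quote()` makes PHP 5.4+ a hard requirement; if the project already requires that, say so in the method's docblock (outside this hunk) rather than letting older installs fail on an undefined constant. With ENT_SUBSTITUTE always set, invalid byte sequences no longer empty the result, so the remaining `@` on the return line masks little more than an unrecognised `RCUBE_CHARSET` — consider `return htmlspecialchars($str, ENT_COMPAT | ENT_SUBSTITUTE, RCUBE_CHARSET);` so a misconfigured charset is visible instead of silently producing unescaped-looking output. Note also that ENT_COMPAT leaves `'` untouched; the docblock should state that the result must never be placed in a single-quoted attribute.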
 block
                     $body = preg_replace_callback('/((?:^|\n)>*)([^\n]*)/', array($this, 'blockquote_citation_callback'), trim($body));
-                    $body = '
' . htmlspecialchars($body) . '
'; + $body = '
' . htmlspecialchars($body, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->charset) . '
'; $text = substr_replace($text, $body . "\n", $start, $end + 13 - $start); $offset = 0; diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php index 7a4876c5d..fed11678c 100644 --- a/program/lib/Roundcube/rcube_washtml.php +++ b/program/lib/Roundcube/rcube_washtml.php @@ -256,7 +256,7 @@ class rcube_washtml if (preg_match('/^url\(/i', $val)) { if (preg_match('/^url\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) { if ($url = $this->wash_uri($match[1])) { - $value .= ' url(' . htmlspecialchars($url, ENT_QUOTES) . ')'; + $value .= ' url(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'; } } } @@ -329,8 +329,9 @@ class rcube_washtml if (preg_match('/^[a-z:]*url\(/i', $val)) { if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) { if ($url = $this->wash_uri($match[2])) { - $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')' - . substr($val, strlen($match[0])) . '"'; + $result .= ' ' . $attr->nodeName . '="' . $match[1] + . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')' + . substr($val, strlen($match[0])) . '"'; continue; } } @@ -350,14 +351,14 @@ class rcube_washtml } if ($out !== null && $out !== '') { - $result .= ' ' . $attr->nodeName . '="' . htmlspecialchars($out, ENT_QUOTES) . '"'; + $result .= ' ' . $attr->nodeName . '="' . htmlspecialchars($out, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset']) . '"'; } else if ($value) { - $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES); + $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES, $this->config['charset']); } } else { - $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES); + $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES, $this->config['charset']); } } 
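Review bot: The new `htmlspecialchars($body, ..., $this->charset)` call depends on `$this->charset` being an encoding `htmlspecialchars()` recognises; for any other value PHP emits a warning and returns an empty string, so the entire quoted block would disappear from the plain-text output rather than degrade. If the class normalises input to UTF-8 before this point the concern is moot, but that is not visible in the hunk — please confirm, or convert `$body` to `RCUBE_CHARSET` first and pass that constant instead of the instance value. The `<blockquote>` literals on the changed lines appear to have been stripped by the page renderer, so I am reading the `+` line with those tags assumed present; the enclosing method starts and ends outside this hunk.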
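Review bot: The CSS `url()` rewrite on the `+` line passes `ENT_QUOTES` but not `ENT_SUBSTITUTE`, while the generic attribute-value path changed further down in the same file gets `ENT_QUOTES | ENT_SUBSTITUTE`; a washed URL containing an invalid byte sequence therefore collapses to an empty `url()` instead of a substituted one. That is fail-closed but inconsistent, and the attribute-level `url()` branch in the following hunk has the same omission. Suggest `htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset'])` at both sites, or better a small private wrapper in `rcube_washtml` that fixes the flags and charset once, since this commit now repeats `$this->config['charset']` at six call sites with three different flag combinations.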
@@ -490,7 +491,7 @@ class rcube_washtml } } else if ($tagName == 'textarea' && strpos($content, '<') !== false) { - $content = htmlspecialchars($content, ENT_QUOTES); + $content = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset']); } $dump .= $this->wash_attribs($node); @@ -503,10 +504,10 @@ class rcube_washtml } } else if (isset($this->_ignore_elements[$tagName])) { - $dump .= ''; + $dump .= ''; } else { - $dump .= ''; + $dump .= ''; $dump .= $this->dumpHtml($node, $level); // ignore tags not its content } break; @@ -516,7 +517,7 @@ class rcube_washtml break; case XML_TEXT_NODE: - $dump .= htmlspecialchars($node->nodeValue); + $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']); break; case XML_HTML_DOCUMENT_NODE: diff --git a/program/steps/mail/headers.inc b/program/steps/mail/headers.inc index 7c2a320c9..093401160 100644 --- a/program/steps/mail/headers.inc +++ b/program/steps/mail/headers.inc @@ -34,7 +34,7 @@ if ($uid) { if ($source !== false) { $source = trim(rcube_charset::clean($source)); - $source = htmlspecialchars($source); + $source = htmlspecialchars($source, ENT_COMPAT | ENT_HTML401, RCMAIL_CHARSET); $source = preg_replace( array( '/\n[\t\s]+/',
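Review bot: The textarea escaping on the `+` line is still gated on `strpos($content, '<') !== false`, so content without `<` is emitted raw while content with `<` has every `&` re-encoded, double-encoding any entities already present in `$content`; whether `$content` is serialised markup or plain text at this point is not visible in the hunk. If it is already serialised HTML, pass `false` as the fourth argument (`htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset'], false)`) so existing entities survive; if it is plain text, drop the `strpos` guard and escape unconditionally. Either way a one-line comment stating which case applies would help the next reader. The enclosing method continues outside the hunk.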
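Review bot: In the `XML_TEXT_NODE` branch, `$node->nodeValue` comes from PHP's DOM extension, which as far as I know returns node text as UTF-8 regardless of the document's declared encoding; if `$this->config['charset']` can hold anything other than UTF-8 here, the escaper on the `+` line is told the wrong encoding and ENT_SUBSTITUTE will replace valid text with U+FFFD. I cannot see from this hunk whether the washer converts to UTF-8 before loading the document, so please confirm; if it does, passing `RCUBE_CHARSET` (or adding `// nodeValue is UTF-8 from libxml; config charset must match` above the call) records that invariant instead of relying on a config value that can drift.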
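Review bot: The `+` line in headers.inc omits ENT_SUBSTITUTE, so if any invalid byte sequence survives `rcube_charset::clean()` on the line above, `htmlspecialchars()` returns an empty string and the user sees a blank headers view with no error. This same commit adds ENT_SUBSTITUTE to `html::quote()`; assuming `RCMAIL_CHARSET` and `RCUBE_CHARSET` agree, `$source = html::quote($source);` gives identical escaping plus the substitution fallback and leaves one place to tune flags. `clean()` presumably already strips bad sequences, which would make this belt-and-braces, but the fallback costs nothing.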