Use htmlspecialchars() with charset argument, simplify some code

program/include/rcmail_output_html.php

@@ -1280,7 +1280,7 @@ EOF;
                         $value = $_SESSION[$name];
                         break;
                     case 'cookie':
-                        $value = htmlspecialchars($_COOKIE[$name]);
+                        $value = htmlspecialchars($_COOKIE[$name], ENT_COMPAT | ENT_HTML401, RCMAIL_CHARSET);
                         break;
                     case 'browser':
                         $value = $this->browser->{$name};

program/lib/Roundcube/html.php

@@ -375,16 +375,7 @@ class html
      */
     public static function quote($str)
     {
-        static $flags;
-
-        if (!$flags) {
-            $flags = ENT_COMPAT;
-            if (defined('ENT_SUBSTITUTE')) {
-                $flags |= ENT_SUBSTITUTE;
-            }
-        }
-
-        return @htmlspecialchars($str, $flags, RCUBE_CHARSET);
+        return @htmlspecialchars($str, ENT_COMPAT | ENT_SUBSTITUTE, RCUBE_CHARSET);
     }
 }
 

program/lib/Roundcube/rcube_html2text.php

@@ -636,7 +636,7 @@ class rcube_html2text
 
                     // Add citation markers and create <pre> block
                     $body = preg_replace_callback('/((?:^|\n)>*)([^\n]*)/', array($this, 'blockquote_citation_callback'), trim($body));
-                    $body = '<pre>' . htmlspecialchars($body) . '</pre>';
+                    $body = '<pre>' . htmlspecialchars($body, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->charset) . '</pre>';
 
                     $text = substr_replace($text, $body . "\n", $start, $end + 13 - $start);
                     $offset = 0;

program/lib/Roundcube/rcube_washtml.php

@@ -256,7 +256,7 @@ class rcube_washtml
                     if (preg_match('/^url\(/i', $val)) {
                         if (preg_match('/^url\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) {
                             if ($url = $this->wash_uri($match[1])) {
-                                $value .= ' url(' . htmlspecialchars($url, ENT_QUOTES) . ')';
+                                $value .= ' url(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')';
                             }
                         }
                     }
@@ -329,8 +329,9 @@ class rcube_washtml
                     if (preg_match('/^[a-z:]*url\(/i', $val)) {
                         if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) {
                             if ($url = $this->wash_uri($match[2])) {
-                                $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')'
-                                     . substr($val, strlen($match[0])) . '"';
+                                $result .= ' ' . $attr->nodeName . '="' . $match[1]
+                                    . '(' . htmlspecialchars($url, ENT_QUOTES, $this->config['charset']) . ')'
+                                    . substr($val, strlen($match[0])) . '"';
                                 continue;
                             }
                         }
@@ -350,14 +351,14 @@ class rcube_washtml
                 }
 
                 if ($out !== null && $out !== '') {
-                    $result .= ' ' . $attr->nodeName . '="' . htmlspecialchars($out, ENT_QUOTES) . '"';
+                    $result .= ' ' . $attr->nodeName . '="' . htmlspecialchars($out, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset']) . '"';
                 }
                 else if ($value) {
-                    $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES);
+                    $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES, $this->config['charset']);
                 }
             }
             else {
-                $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES);
+                $washed[] = htmlspecialchars($attr->nodeName, ENT_QUOTES, $this->config['charset']);
             }
         }
 
@@ -490,7 +491,7 @@ class rcube_washtml
                         }
                     }
                     else if ($tagName == 'textarea' && strpos($content, '<') !== false) {
-                        $content = htmlspecialchars($content, ENT_QUOTES);
+                        $content = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, $this->config['charset']);
                     }
 
                     $dump .= $this->wash_attribs($node);
@@ -503,10 +504,10 @@ class rcube_washtml
                     }
                 }
                 else if (isset($this->_ignore_elements[$tagName])) {
-                    $dump .= '<!-- ' . htmlspecialchars($node->nodeName, ENT_QUOTES) . ' not allowed -->';
+                    $dump .= '<!-- ' . htmlspecialchars($node->nodeName, ENT_QUOTES, $this->config['charset']) . ' not allowed -->';
                 }
                 else {
-                    $dump .= '<!-- ' . htmlspecialchars($node->nodeName, ENT_QUOTES) . ' ignored -->';
+                    $dump .= '<!-- ' . htmlspecialchars($node->nodeName, ENT_QUOTES, $this->config['charset']) . ' ignored -->';
                     $dump .= $this->dumpHtml($node, $level); // ignore tags not its content
                 }
                 break;
@@ -516,7 +517,7 @@ class rcube_washtml
                 break;
 
             case XML_TEXT_NODE:
-                $dump .= htmlspecialchars($node->nodeValue);
+                $dump .= htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, $this->config['charset']);
                 break;
 
             case XML_HTML_DOCUMENT_NODE:

program/steps/mail/headers.inc

@@ -34,7 +34,7 @@ if ($uid) {
 
     if ($source !== false) {
         $source = trim(rcube_charset::clean($source));
-        $source = htmlspecialchars($source);
+        $source = htmlspecialchars($source, ENT_COMPAT | ENT_HTML401, RCMAIL_CHARSET);
         $source = preg_replace(
             array(
                 '/\n[\t\s]+/',