githubFork/roundcubemail.git

parent: cfdf044d | patch | commit | ignore whitespace

New (strict) quoting for all kind of strings

thomascube

2006-12-20 2bca6e1da0e46f93297a7f60ff449b6c6ebac239

New (strict) quoting for all kind of strings

11 files modified

	program/include/main.inc	82 ●●●●● patch \| view \| raw \| blame \| history
	program/include/rcube_shared.inc	8 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/addressbook/func.inc	2 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/compose.inc	53 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/func.inc	67 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/sendmail.inc	2 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/show.inc	9 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/upload.inc	10 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/settings/edit_identity.inc	2 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/settings/func.inc	18 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/settings/manage_folders.inc	18 ●●●●● patch \| view \| raw \| blame \| history

 program/include/main.inc

@@ -734,7 +734,7 @@
  
  $framed = $GLOBALS['_framed'];
  $command = sprintf("display_message('%s', '%s');",
                     rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'),
                     JQ(rcube_label(array('name' => $message, 'vars' => $vars))),
                     $type);
                     
  if ($REMOTE_REQUEST)
@@ -854,7 +854,7 @@
    $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
                                $JS_OBJECT_NAME,
                                $name,
                                rep_specialchars_output(rcube_label($name), 'js')));  
                                JQ(rcube_label($name))));
  }


@@ -897,8 +897,15 @@
  }


// convert a string from one charset to another
// this function is not complete and not tested well
/**
 * Convert a string from one charset to another.
 * Uses mbstring and iconv functions if possible
 *
 * @param  string Input string
 * @param  string Suspected charset of the input string
 * @param  string Target charset to convert to; defaults to $GLOBALS['CHARSET']
 * @return Converted string
 */
function rcube_charset_convert($str, $from, $to=NULL)
  {
  global $MBSTRING;
@@ -953,12 +960,19 @@
  }



// replace specials characters to a specific encoding type
/**
 * Replacing specials characters to a specific encoding type
 *
 * @param  string  Input string
 * @param  string  Encoding type: text|html|xml|js|url
 * @param  string  Replace mode for tags: show|replace|remove
 * @param  boolean Convert newlines
 * @return The quoted string
 */
function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
  {
  global $OUTPUT_TYPE, $OUTPUT;
  static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table;
  static $html_encode_arr, $js_rep_table, $xml_rep_table;

  if (!$enctype)
    $enctype = $GLOBALS['OUTPUT_TYPE'];
@@ -1000,21 +1014,18 @@
    return $newlines ? nl2br($out) : $out;
    }


  if ($enctype=='url')
    return rawurlencode($str);


  // if the replace tables for RTF, XML and JS are not yet defined
  // if the replace tables for XML and JS are not yet defined
  if (!$js_rep_table)
    {
    $js_rep_table = $rtf_rep_table = $xml_rep_table = array();
    $js_rep_tabl = $xml_rep_table = array();
    $xml_rep_table['&'] = '&amp;';

    for ($c=160; $c<256; $c++)  // can be increased to support more charsets
      {
      $hex = dechex($c);
      $rtf_rep_table[Chr($c)] = "\\'$hex";
      $xml_rep_table[Chr($c)] = "&#$c;";
      
      if ($OUTPUT->get_charset()=='ISO-8859-1')
@@ -1025,7 +1036,7 @@
    $xml_rep_table['"'] = '&quot;';
    }

  // encode for RTF
  // encode for XML
  if ($enctype=='xml')
    return strtr($str, $xml_rep_table);

@@ -1038,12 +1049,26 @@
    return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table)));
    }

  // encode for RTF
  if ($enctype=='rtf')
    return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table));

  // no encoding given -> return original string
  return $str;
  }

/**
 * Quote a given string. Alias function for rep_specialchars_output
 * @see rep_specialchars_output
 */
function Q($str, $mode='strict', $newlines=TRUE)
  {
  return rep_specialchars_output($str, 'html', $mode, $newlines);
  }

/**
 * Quote a given string. Alias function for rep_specialchars_output
 * @see rep_specialchars_output
 */
function JQ($str, $mode='strict', $newlines=TRUE)
  {
  return rep_specialchars_output($str, 'js', $mode, $newlines);
  }


@@ -1248,7 +1273,7 @@
    // show a label
    case 'label':
      if ($attrib['name'] || $attrib['command'])
        return rep_specialchars_output(rcube_label($attrib));
        return Q(rcube_label($attrib));
      break;

    // create a menu item
@@ -1331,7 +1356,7 @@
      else if ($object=='productname')
        {
        $name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail';
        return rep_specialchars_output($name, 'html', 'all');
        return Q($name);
        }
      else if ($object=='version')
        {
@@ -1353,7 +1378,7 @@
        else
          $title .= ucfirst($task);
          
        return rep_specialchars_output($title, 'html', 'all');
        return Q($title);
        }

      break;
@@ -1419,12 +1444,12 @@

  // get localized text for labels and titles
  if ($attrib['title'])
    $attrib['title'] = rep_specialchars_output(rcube_label($attrib['title']));
    $attrib['title'] = Q(rcube_label($attrib['title']));
  if ($attrib['label'])
    $attrib['label'] = rep_specialchars_output(rcube_label($attrib['label']));
    $attrib['label'] = Q(rcube_label($attrib['label']));

  if ($attrib['alt'])
    $attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt']));
    $attrib['alt'] = Q(rcube_label($attrib['alt']));

  // set title to alt attribute for IE browsers
  if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt'])
@@ -1537,12 +1562,11 @@
  $table .= "<thead><tr>\n";

  foreach ($a_show_cols as $col)
    $table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n";
    $table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n";

  $table .= "</tr></thead>\n<tbody>\n";
  
  $c = 0;

  if (!is_array($table_data)) 
    {
    while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data)))
@@ -1554,8 +1578,8 @@
      // format each col
      foreach ($a_show_cols as $col)
        {
        $cont = rep_specialchars_output($sql_arr[$col]);
        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
        $cont = Q($sql_arr[$col]);
        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
        }

      $table .= "</tr>\n";
@@ -1573,8 +1597,8 @@
      // format each col
      foreach ($a_show_cols as $col)
        {
        $cont = rep_specialchars_output($row_data[$col]);
        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
        $cont = Q($row_data[$col]);
        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
        }

      $table .= "</tr>\n";

 program/include/rcube_shared.inc

@@ -133,7 +133,7 @@
      $this->title = 'RoundCube Mail';
  
    // replace specialchars in content
    $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
    $__page_title = Q($this->title, 'show', FALSE);
    $__page_header = $__page_body = $__page_footer = '';
    
    
@@ -725,7 +725,7 @@

      // encode textarea content
      if ($key=='value')
        $value = rep_specialchars_output($value, 'html', 'replace', FALSE);
        $value = Q($value, 'strict', FALSE);

      // attributes with no value
      if (in_array($key, array('checked', 'multiple', 'disabled', 'selected')))
@@ -879,7 +879,7 @@
      unset($this->attrib['value']);

    if (strlen($value) && !isset($this->attrib['mce_editable']))
      $value = rep_specialchars_output($value, 'html', 'replace', FALSE);
      $value = Q($value, 'strict', FALSE);

    // return final tag
    return sprintf('<%s%s>%s</%s>%s',
@@ -1019,7 +1019,7 @@
                             $this->_conv_case('option', 'tag'),
                             strlen($option['value']) ? sprintf($value_str, $option['value']) : '',
                             $selected, 
                             rep_specialchars_output($option['text'], 'html', 'replace', FALSE),
                             Q($option['text'], 'strict', FALSE),
                             $this->_conv_case('option', 'tag'));
      }
                             

 program/steps/addressbook/func.inc

@@ -119,7 +119,7 @@
    // format each col
    foreach ($a_show_cols as $col)
      {
      $cont = rep_specialchars_output($sql_arr[$col]);
      $cont = Q($sql_arr[$col]);
      $a_row_cols[$col] = $cont;
      }
  

 program/steps/mail/compose.inc

@@ -447,25 +447,26 @@
      $lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n";
    
    $OUTPUT->include_script('googiespell.js');
    $OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
                                "googie.lang_chck_spell = \"%s\";\n".
                                "googie.lang_rsm_edt = \"%s\";\n".
                                "googie.lang_close = \"%s\";\n".
                                "googie.lang_revert = \"%s\";\n".
                                "googie.lang_no_error_found = \"%s\";\n%s".
                                "googie.setCurrentLanguage('%s');\n".
                                "googie.decorateTextarea('%s');\n".
                                "%s.set_env('spellcheck', googie);",
                                $GLOBALS['COMM_PATH'],
                                rep_specialchars_output(rcube_label('checkspelling')),
                                rep_specialchars_output(rcube_label('resumeediting')),
                                rep_specialchars_output(rcube_label('close')),
                                rep_specialchars_output(rcube_label('revertto')),
                                rep_specialchars_output(rcube_label('nospellerrors')),
                                $lang_set,
                                substr($_SESSION['user_lang'], 0, 2),
                                $attrib['id'],
                                $JS_OBJECT_NAME), 'foot');
    $OUTPUT->add_script(sprintf(
      "var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
      "googie.lang_chck_spell = \"%s\";\n".
      "googie.lang_rsm_edt = \"%s\";\n".
      "googie.lang_close = \"%s\";\n".
      "googie.lang_revert = \"%s\";\n".
      "googie.lang_no_error_found = \"%s\";\n%s".
      "googie.setCurrentLanguage('%s');\n".
      "googie.decorateTextarea('%s');\n".
      "%s.set_env('spellcheck', googie);",
      $GLOBALS['COMM_PATH'],
      JQ(Q(rcube_label('checkspelling'))),
      JQ(Q(rcube_label('resumeediting'))),
      JQ(Q(rcube_label('close'))),
      JQ(Q(rcube_label('revertto'))),
      JQ(Q(rcube_label('nospellerrors'))),
      $lang_set,
      substr($_SESSION['user_lang'], 0, 2),
      $attrib['id'],
      $JS_OBJECT_NAME), 'foot');

    rcube_add_label('checking');
    }
@@ -552,10 +553,10 @@
        "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" .
        "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" .
        "</tbody></table><br>",
                     rep_specialchars_output($MESSAGE['subject']),
                     rep_specialchars_output($MESSAGE['headers']->date),
                     rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)),
                     rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to)));
                     Q($MESSAGE['subject']),
                     Q($MESSAGE['headers']->date),
                     Q($IMAP->decode_header($MESSAGE['headers']->from)),
                     Q($IMAP->decode_header($MESSAGE['headers']->to)));
  }

  // add attachments
@@ -692,9 +693,9 @@
                      $id,
                      $JS_OBJECT_NAME,
                      $id,
                      rcube_label('delete'), 
                      Q(rcube_label('delete')),
                      $button,
                      rep_specialchars_output($a_prop['name']));
                      Q($a_prop['name']));
    }

  $OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id']));  
@@ -895,7 +896,7 @@
  $a_contacts = array();
  while ($sql_arr = $DB->fetch_assoc($sql_result))
    if ($sql_arr['email'])
      $a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js'));
      $a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name']));
  
  $OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts)));
  }

 program/steps/mail/func.inc

@@ -51,7 +51,11 @@
  $_SESSION['sort_col'] = $CONFIG['message_sort_col'];
if (!isset($_SESSION['sort_order']))
  $_SESSION['sort_order'] = $CONFIG['message_sort_order'];
  

// set message set for search result
if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']]))
  $IMAP->set_search_set($_SESSION['search'][$_GET['_search']]);


// define url for getting message parts
if (strlen($_GET['_uid']))
@@ -193,7 +197,7 @@
        {
        $fname = abbrevate_string($foldername, $maxlength);
        if ($fname != $foldername)
          $title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"';
          $title = ' title="'.Q($foldername).'"';
        $foldername = $fname;
        }
      }
@@ -215,7 +219,7 @@
    else if ($folder['id']==$CONFIG['junk_mbox'])
      $class_name = 'junk';

    $js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js'));
    $js_name = htmlspecialchars(JQ($folder['id']));
    $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&amp;_mbox=%s"'.
                    ' onclick="return %s.command(\'list\',\'%s\')"'.
                    ' onmouseover="return %s.focus_mailbox(\'%s\')"' .            
@@ -237,7 +241,7 @@
                    $JS_OBJECT_NAME,
                    $js_name,
                    $title,
                    rep_specialchars_output($foldername, 'html', 'all'));
                    Q($foldername));

    if (!empty($folder['folders']))
      $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n";
@@ -274,7 +278,7 @@
    $out .= sprintf('<option value="%s">%s%s</option>'."\n",
                    htmlspecialchars($folder['id']),
                    str_repeat('&nbsp;', $nestLevel*4),
                    rep_specialchars_output($foldername, 'html', 'all'));
                    Q($foldername));

    if (!empty($folder['folders']))
      $out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1);
@@ -340,7 +344,7 @@
  foreach ($a_show_cols as $col)
    {
    // get column name
    $col_name = rep_specialchars_output(rcube_label($col));
    $col_name = Q(rcube_label($col));

    // make sort links
    $sort = '';
@@ -394,10 +398,9 @@
  // no messages in this mailbox
  if (!sizeof($a_headers))
    {
    $out .= rep_specialchars_output(
                sprintf('<tr><td colspan="%d">%s</td></tr>',
                   sizeof($a_show_cols)+2,
                   rcube_label('nomessagesfound')));
    $out .= sprintf('<tr><td colspan="%d">%s</td></tr>',
                    sizeof($a_show_cols)+2,
                    Q(rcube_label('nomessagesfound')));
    }


@@ -443,10 +446,10 @@
    foreach ($a_show_cols as $col)
      {
      if ($col=='from' || $col=='to')
        $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon']));
        $cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show');
      else if ($col=='subject')
        {
        $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
        $cont = Q($IMAP->decode_header($header->$col));
        // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
        $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
        }
@@ -455,9 +458,9 @@
      else if ($col=='date')
        $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
      else
        $cont = rep_specialchars_output($header->$col, 'html', 'all');
        $cont = Q($header->$col);
        
      $out .= '<td class="'.$col.'">' . $cont . "</td>\n";
      $out .= '<td class="'.$col.'">' . $cont . "</td>\n";
      }

    $out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : '');
@@ -530,15 +533,15 @@
    foreach ($a_show_cols as $col)
      {
      if ($col=='from' || $col=='to')
        $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html');
        $cont = Q(rcmail_address_string($header->$col, 3), 'show');
      else if ($col=='subject')
        $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
        $cont = Q($IMAP->decode_header($header->$col));
      else if ($col=='size')
        $cont = show_bytes($header->$col);
      else if ($col=='date')
        $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
      else
        $cont = rep_specialchars_output($header->$col, 'html', 'all');
        $cont = Q($header->$col);
          
      $a_msg_cols[$col] = $cont;
      }
@@ -642,7 +645,7 @@
  $OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id']));

  // allow the following attributes to be added to the <span> tag
  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display'));
  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));

  $out = '<span' . $attrib_str . '>';
  $out .= rcmail_quota_content($attrib['display']);
@@ -710,7 +713,7 @@
                                              'to'    => min($max, $start_msg + $IMAP->page_size - 1),
                                              'count' => $max)));

  return rep_specialchars_output($out);
  return Q($out);
  }


@@ -757,13 +760,13 @@
      $body = preg_replace($remote_patterns, $remote_replaces, $body);
      }

    return rep_specialchars_output($body, 'html', '', FALSE);
    return Q($body, 'show', FALSE);
    }

  // text/enriched
  if ($part->ctype_secondary=='enriched')
    {
    return rep_specialchars_output(enriched_to_html($body), 'html');
    return Q(enriched_to_html($body), 'show');
    }
  else
    {
@@ -812,7 +815,7 @@
        $quotation = str_repeat("</blockquote>", $quote_level);

      $quote_level = $q;
      $a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE);
      $a_lines[$n] = $quotation . Q($line, 'replace', FALSE);
      }

    // insert the links for urls and mailtos
@@ -1066,12 +1069,12 @@
    if ($hkey=='date' && !empty($headers[$hkey]))
      $header_value = format_date(strtotime($headers[$hkey]));
    else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
      $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
      $header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show');
    else
      $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
      $header_value = Q($IMAP->decode_header($headers[$hkey]));

    $out .= "\n<tr>\n";
    $out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).":&nbsp;</td>\n";
    $out .= '<td class="header-title">'.Q(rcube_label($hkey)).":&nbsp;</td>\n";
    $out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>";
    $header_count++;
    }
@@ -1384,7 +1387,7 @@
    {
    $j++;
    if ($PRINT_MODE)
      $out .= sprintf('%s &lt;%s&gt;', rep_specialchars_output($part['name']), $part['mailto']);
      $out .= sprintf('%s &lt;%s&gt;', Q($part['name']), $part['mailto']);
    else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto']))
      {
      $out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>',
@@ -1392,7 +1395,7 @@
                      $JS_OBJECT_NAME,
                      $part['mailto'],
                      $part['mailto'],
                      rep_specialchars_output($part['name']));
                      Q($part['name']));
                      
      if ($addicon)
        $out .= sprintf('&nbsp;<a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>',
@@ -1405,7 +1408,7 @@
    else
      {
      if ($part['name'])
        $out .= rep_specialchars_output($part['name']);
        $out .= Q($part['name']);
      if ($part['mailto'])
        $out .= (strlen($out) ? ' ' : '') . sprintf('&lt;%s&gt;', $part['mailto']);
      }
@@ -1442,15 +1445,15 @@
  if ($filename)
    {
    $out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n",
                    rcube_label('filename'),
                    rep_specialchars_output(rcube_imap::decode_mime_string($filename)),
                    Q(rcube_label('filename')),
                    Q(rcube_imap::decode_mime_string($filename)),
                    str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']),
                    rcube_label('download'));
                    Q(rcube_label('download')));
    }
    
  if ($filesize)
    $out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n",
                    rcube_label('filesize'),
                    Q(rcube_label('filesize')),
                    show_bytes($filesize));
  
  $out .= "\n</table>";

 program/steps/mail/sendmail.inc

@@ -468,7 +468,7 @@

  rcmail_compose_cleanup();
  rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');",
                                rep_specialchars_output(rcube_label('messagesent'), 'js')));
                                JQ(rcube_label('messagesent'))));
  }



 program/steps/mail/show.inc

@@ -150,11 +150,10 @@
  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
  $out = '<div' . $attrib_str . ">";
  
  $out .= rep_specialchars_output(sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>',
                                  rcube_label('blockedimages'),
                                  $JS_OBJECT_NAME,
                                  rcube_label('showimages'),
                                  rcube_label('showimages')));
  $out .= sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>',
                  Q(rcube_label('blockedimages')),
                  $JS_OBJECT_NAME,
                  Q(rcube_label('showimages')));
  
  $out .= '</div>';
  

 program/steps/mail/upload.inc

@@ -49,16 +49,16 @@
    if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png'))
      $button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />',
                        $CONFIG['skin_path'],
                        rcube_label('delete'));
                        Q(rcube_label('delete')));
    else
      $button = rcube_label('delete');
      $button = Q(rcube_label('delete'));

    $content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s',
                       $JS_OBJECT_NAME,
                       $id,
                       rcube_label('delete'),
                       $button,
                       rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js'));
                       JQ(Q(rcube_label('delete'))),
                       JQ($button),
                       JQ(Q($_FILES['_attachments']['name'][$i])));

    $response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');',
                         $JS_OBJECT_NAME,

 program/steps/settings/edit_identity.inc

@@ -127,7 +127,7 @@

    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $attrib['id'],
                    rep_specialchars_output(rcube_label($label)),
                    Q(rcube_label($label)),
                    $value);
    }


 program/steps/settings/func.inc

@@ -60,7 +60,7 @@
  
    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('language')),
                    Q(rcube_label('language')),
                    $select_lang->show($sess_user_lang));
    }

@@ -106,7 +106,7 @@
  
    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('timezone')),
                    Q(rcube_label('timezone')),
                    $select_timezone->show($CONFIG['timezone']));
    }

@@ -117,7 +117,7 @@
    $input_dst = new checkbox(array('name' => '_dst_active', 'id' => $field_id, 'value' => 1));
    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('dstactive')),
                    Q(rcube_label('dstactive')),
                    $input_dst->show($CONFIG['dst_active']));
    }

@@ -129,7 +129,7 @@

    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('pagesize')),
                    Q(rcube_label('pagesize')),
                    $input_pagesize->show($CONFIG['pagesize']));
    }

@@ -141,7 +141,7 @@

    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('prettydate')),
                    Q(rcube_label('prettydate')),
                    $input_prettydate->show($CONFIG['prettydate']?1:0));
    }

@@ -153,7 +153,7 @@

    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('preferhtml')),
                    Q(rcube_label('preferhtml')),
                    $input_pagesize->show($CONFIG['prefer_html']?1:0));
    }

@@ -164,7 +164,7 @@
    $input_htmleditor = new checkbox(array('name' => '_htmleditor', 'id' => $field_id, 'value' => 1));
    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('htmleditor')),
                    Q(rcube_label('htmleditor')),
                    $input_htmleditor->show($CONFIG['htmleditor']?1:0));
    }

@@ -175,7 +175,7 @@
    $input_preview = new checkbox(array('name' => '_preview_pane', 'id' => $field_id, 'value' => 1));
    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('previewpane')),
                    Q(rcube_label('previewpane')),
                    $input_preview->show($CONFIG['preview_pane']?1:0));
    }
                  
@@ -189,7 +189,7 @@

    $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                    $field_id,
                    rep_specialchars_output(rcube_label('autosavedraft')),
                    Q(rcube_label('autosavedraft')),
                    $select_autosave->show($CONFIG['draft_autosave']));
    }


 program/steps/settings/manage_folders.inc

@@ -52,8 +52,8 @@
  if ($create && $REMOTE_REQUEST)
    {
    $commands = sprintf("this.add_folder_row('%s','%s')",
                        rep_specialchars_output($create, 'js'),
                        rep_specialchars_output(rcube_charset_convert($create, 'UTF-7'), 'js'));
                        JQ($create),
                        JQ(rcube_charset_convert($create, 'UTF-7')));
    rcube_remote_response($commands);
    }
  else if (!$create && $REMOTE_REQUEST)
@@ -74,9 +74,9 @@
  if ($rename && $REMOTE_REQUEST)
    {
    $commands = sprintf("this.replace_folder_row('%s','%s','%s');\n",
                        rep_specialchars_output(get_input_value('_folder_oldname', RCUBE_INPUT_GET), 'js'),
                        rep_specialchars_output($rename, 'js'),
                        rep_specialchars_output(rcube_charset_convert($rename, 'UTF-7'), 'js'));
                        JQ(get_input_value('_folder_oldname', RCUBE_INPUT_GET)),
                        JQ($rename),
                        JQ(rcube_charset_convert($rename, 'UTF-7')));

    $commands .= "this.reset_folder_rename();\n";
                        
@@ -100,7 +100,7 @@

  if ($REMOTE_REQUEST && $deleted)
    {
    $commands = sprintf("this.remove_folder_row('%s');\n", rep_specialchars_output(get_input_value('_mboxes', RCUBE_INPUT_GET), 'js'));
    $commands = sprintf("this.remove_folder_row('%s');\n", JQ(get_input_value('_mboxes', RCUBE_INPUT_GET)));
    $commands .= show_message('folderdeleted', 'confirmation');
    rcube_remote_response($commands);
    }
@@ -165,8 +165,8 @@
    $subscribed = in_array($folder, $a_subscribed);
    $protected = ($CONFIG['protect_default_folders'] == TRUE && in_array($folder,$CONFIG['default_imap_folders']));
    $zebra_class = $i%2 ? 'even' : 'odd';
    $folder_js = rep_specialchars_output($folder, 'js');
    $folder_js_enc = rep_specialchars_output(rcube_charset_convert($folder, 'UTF-7'), 'js');
    $folder_js = JQ($folder);
    $folder_js_enc = JQ(rcube_charset_convert($folder, 'UTF-7'));
    $folder_html = $CONFIG['protect_default_folders'] && in_array($folder, $CONFIG['default_imap_folders']) ? rcube_label(strtolower($folder)) : rcube_charset_convert($folder, 'UTF-7');
    
    if (!$protected)
@@ -175,7 +175,7 @@
    $out .= sprintf('<tr id="rcmrow%d" class="%s"><td>%s</td>',
                    $i+1,
                    $zebra_class,
                    rep_specialchars_output($folder_html, 'html', 'all'));
                    Q($folder_html));
                    
    if ($protected)
      $out .= '<td>&nbsp;'.($subscribed ? '&#x2022;' : '-').'</td>';

			@@ -734,7 +734,7 @@

			$framed = $GLOBALS['_framed'];
			$command = sprintf("display_message('%s', '%s');",
			rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'),
			JQ(rcube_label(array('name' => $message, 'vars' => $vars))),
			$type);

			if ($REMOTE_REQUEST)
			@@ -854,7 +854,7 @@
			$OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
			$JS_OBJECT_NAME,
			$name,
			rep_specialchars_output(rcube_label($name), 'js')));
			JQ(rcube_label($name))));
			}


			@@ -897,8 +897,15 @@
			}


			// convert a string from one charset to another
			// this function is not complete and not tested well
			/**
			* Convert a string from one charset to another.
			* Uses mbstring and iconv functions if possible
			*
			* @param string Input string
			* @param string Suspected charset of the input string
			* @param string Target charset to convert to; defaults to $GLOBALS['CHARSET']
			* @return Converted string
			*/
			function rcube_charset_convert($str, $from, $to=NULL)
			{
			global $MBSTRING;
			@@ -953,12 +960,19 @@
			}



			// replace specials characters to a specific encoding type
			/**
			* Replacing specials characters to a specific encoding type
			*
			* @param string Input string
			* @param string Encoding type: text\|html\|xml\|js\|url
			* @param string Replace mode for tags: show\|replace\|remove
			* @param boolean Convert newlines
			* @return The quoted string
			*/
			function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
			{
			global $OUTPUT_TYPE, $OUTPUT;
			static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table;
			static $html_encode_arr, $js_rep_table, $xml_rep_table;

			if (!$enctype)
			$enctype = $GLOBALS['OUTPUT_TYPE'];
			@@ -1000,21 +1014,18 @@
			return $newlines ? nl2br($out) : $out;
			}


			if ($enctype=='url')
			return rawurlencode($str);


			// if the replace tables for RTF, XML and JS are not yet defined
			// if the replace tables for XML and JS are not yet defined
			if (!$js_rep_table)
			{
			$js_rep_table = $rtf_rep_table = $xml_rep_table = array();
			$js_rep_tabl = $xml_rep_table = array();
			$xml_rep_table['&'] = '&';

			for ($c=160; $c<256; $c++) // can be increased to support more charsets
			{
			$hex = dechex($c);
			$rtf_rep_table[Chr($c)] = "\\'$hex";
			$xml_rep_table[Chr($c)] = "&#$c;";

			if ($OUTPUT->get_charset()=='ISO-8859-1')
			@@ -1025,7 +1036,7 @@
			$xml_rep_table['"'] = '"';
			}

			// encode for RTF
			// encode for XML
			if ($enctype=='xml')
			return strtr($str, $xml_rep_table);

			@@ -1038,12 +1049,26 @@
			return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table)));
			}

			// encode for RTF
			if ($enctype=='rtf')
			return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table));

			// no encoding given -> return original string
			return $str;
			}

			/**
			* Quote a given string. Alias function for rep_specialchars_output
			* @see rep_specialchars_output
			*/
			function Q($str, $mode='strict', $newlines=TRUE)
			{
			return rep_specialchars_output($str, 'html', $mode, $newlines);
			}

			/**
			* Quote a given string. Alias function for rep_specialchars_output
			* @see rep_specialchars_output
			*/
			function JQ($str, $mode='strict', $newlines=TRUE)
			{
			return rep_specialchars_output($str, 'js', $mode, $newlines);
			}


			@@ -1248,7 +1273,7 @@
			// show a label
			case 'label':
			if ($attrib['name'] \|\| $attrib['command'])
			return rep_specialchars_output(rcube_label($attrib));
			return Q(rcube_label($attrib));
			break;

			// create a menu item
			@@ -1331,7 +1356,7 @@
			else if ($object=='productname')
			{
			$name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail';
			return rep_specialchars_output($name, 'html', 'all');
			return Q($name);
			}
			else if ($object=='version')
			{
			@@ -1353,7 +1378,7 @@
			else
			$title .= ucfirst($task);

			return rep_specialchars_output($title, 'html', 'all');
			return Q($title);
			}

			break;
			@@ -1419,12 +1444,12 @@

			// get localized text for labels and titles
			if ($attrib['title'])
			$attrib['title'] = rep_specialchars_output(rcube_label($attrib['title']));
			$attrib['title'] = Q(rcube_label($attrib['title']));
			if ($attrib['label'])
			$attrib['label'] = rep_specialchars_output(rcube_label($attrib['label']));
			$attrib['label'] = Q(rcube_label($attrib['label']));

			if ($attrib['alt'])
			$attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt']));
			$attrib['alt'] = Q(rcube_label($attrib['alt']));

			// set title to alt attribute for IE browsers
			if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt'])
			@@ -1537,12 +1562,11 @@
			$table .= "<thead><tr>\n";

			foreach ($a_show_cols as $col)
			$table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n";
			$table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n";

			$table .= "</tr></thead>\n<tbody>\n";

			$c = 0;

			if (!is_array($table_data))
			{
			while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data)))
			@@ -1554,8 +1578,8 @@
			// format each col
			foreach ($a_show_cols as $col)
			{
			$cont = rep_specialchars_output($sql_arr[$col]);
			$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
			$cont = Q($sql_arr[$col]);
			$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
			}

			$table .= "</tr>\n";
			@@ -1573,8 +1597,8 @@
			// format each col
			foreach ($a_show_cols as $col)
			{
			$cont = rep_specialchars_output($row_data[$col]);
			$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
			$cont = Q($row_data[$col]);
			$table .= '<td class="'.$col.'">' . $cont . "</td>\n";
			}

			$table .= "</tr>\n";

			@@ -133,7 +133,7 @@
			$this->title = 'RoundCube Mail';

			// replace specialchars in content
			$__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
			$__page_title = Q($this->title, 'show', FALSE);
			$__page_header = $__page_body = $__page_footer = '';


			@@ -725,7 +725,7 @@

			// encode textarea content
			if ($key=='value')
			$value = rep_specialchars_output($value, 'html', 'replace', FALSE);
			$value = Q($value, 'strict', FALSE);

			// attributes with no value
			if (in_array($key, array('checked', 'multiple', 'disabled', 'selected')))
			@@ -879,7 +879,7 @@
			unset($this->attrib['value']);

			if (strlen($value) && !isset($this->attrib['mce_editable']))
			$value = rep_specialchars_output($value, 'html', 'replace', FALSE);
			$value = Q($value, 'strict', FALSE);

			// return final tag
			return sprintf('<%s%s>%s</%s>%s',
			@@ -1019,7 +1019,7 @@
			$this->_conv_case('option', 'tag'),
			strlen($option['value']) ? sprintf($value_str, $option['value']) : '',
			$selected,
			rep_specialchars_output($option['text'], 'html', 'replace', FALSE),
			Q($option['text'], 'strict', FALSE),
			$this->_conv_case('option', 'tag'));
			}

			@@ -119,7 +119,7 @@
			// format each col
			foreach ($a_show_cols as $col)
			{
			$cont = rep_specialchars_output($sql_arr[$col]);
			$cont = Q($sql_arr[$col]);
			$a_row_cols[$col] = $cont;
			}

			@@ -447,25 +447,26 @@
			$lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n";

			$OUTPUT->include_script('googiespell.js');
			$OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
			"googie.lang_chck_spell = \"%s\";\n".
			"googie.lang_rsm_edt = \"%s\";\n".
			"googie.lang_close = \"%s\";\n".
			"googie.lang_revert = \"%s\";\n".
			"googie.lang_no_error_found = \"%s\";\n%s".
			"googie.setCurrentLanguage('%s');\n".
			"googie.decorateTextarea('%s');\n".
			"%s.set_env('spellcheck', googie);",
			$GLOBALS['COMM_PATH'],
			rep_specialchars_output(rcube_label('checkspelling')),
			rep_specialchars_output(rcube_label('resumeediting')),
			rep_specialchars_output(rcube_label('close')),
			rep_specialchars_output(rcube_label('revertto')),
			rep_specialchars_output(rcube_label('nospellerrors')),
			$lang_set,
			substr($_SESSION['user_lang'], 0, 2),
			$attrib['id'],
			$JS_OBJECT_NAME), 'foot');
			$OUTPUT->add_script(sprintf(
			"var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
			"googie.lang_chck_spell = \"%s\";\n".
			"googie.lang_rsm_edt = \"%s\";\n".
			"googie.lang_close = \"%s\";\n".
			"googie.lang_revert = \"%s\";\n".
			"googie.lang_no_error_found = \"%s\";\n%s".
			"googie.setCurrentLanguage('%s');\n".
			"googie.decorateTextarea('%s');\n".
			"%s.set_env('spellcheck', googie);",
			$GLOBALS['COMM_PATH'],
			JQ(Q(rcube_label('checkspelling'))),
			JQ(Q(rcube_label('resumeediting'))),
			JQ(Q(rcube_label('close'))),
			JQ(Q(rcube_label('revertto'))),
			JQ(Q(rcube_label('nospellerrors'))),
			$lang_set,
			substr($_SESSION['user_lang'], 0, 2),
			$attrib['id'],
			$JS_OBJECT_NAME), 'foot');

			rcube_add_label('checking');
			}
			@@ -552,10 +553,10 @@
			"<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" .
			"<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" .
			"</tbody></table><br>",
			rep_specialchars_output($MESSAGE['subject']),
			rep_specialchars_output($MESSAGE['headers']->date),
			rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)),
			rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to)));
			Q($MESSAGE['subject']),
			Q($MESSAGE['headers']->date),
			Q($IMAP->decode_header($MESSAGE['headers']->from)),
			Q($IMAP->decode_header($MESSAGE['headers']->to)));
			}

			// add attachments
			@@ -692,9 +693,9 @@
			$id,
			$JS_OBJECT_NAME,
			$id,
			rcube_label('delete'),
			Q(rcube_label('delete')),
			$button,
			rep_specialchars_output($a_prop['name']));
			Q($a_prop['name']));
			}

			$OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id']));
			@@ -895,7 +896,7 @@
			$a_contacts = array();
			while ($sql_arr = $DB->fetch_assoc($sql_result))
			if ($sql_arr['email'])
			$a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js'));
			$a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name']));

			$OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts)));
			}

			@@ -51,7 +51,11 @@
			$_SESSION['sort_col'] = $CONFIG['message_sort_col'];
			if (!isset($_SESSION['sort_order']))
			$_SESSION['sort_order'] = $CONFIG['message_sort_order'];


			// set message set for search result
			if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']]))
			$IMAP->set_search_set($_SESSION['search'][$_GET['_search']]);


			// define url for getting message parts
			if (strlen($_GET['_uid']))
			@@ -193,7 +197,7 @@
			{
			$fname = abbrevate_string($foldername, $maxlength);
			if ($fname != $foldername)
			$title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"';
			$title = ' title="'.Q($foldername).'"';
			$foldername = $fname;
			}
			}
			@@ -215,7 +219,7 @@
			else if ($folder['id']==$CONFIG['junk_mbox'])
			$class_name = 'junk';

			$js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js'));
			$js_name = htmlspecialchars(JQ($folder['id']));
			$out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'.
			' onclick="return %s.command(\'list\',\'%s\')"'.
			' onmouseover="return %s.focus_mailbox(\'%s\')"' .
			@@ -237,7 +241,7 @@
			$JS_OBJECT_NAME,
			$js_name,
			$title,
			rep_specialchars_output($foldername, 'html', 'all'));
			Q($foldername));

			if (!empty($folder['folders']))
			$out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n";
			@@ -274,7 +278,7 @@
			$out .= sprintf('<option value="%s">%s%s</option>'."\n",
			htmlspecialchars($folder['id']),
			str_repeat(' ', $nestLevel*4),
			rep_specialchars_output($foldername, 'html', 'all'));
			Q($foldername));

			if (!empty($folder['folders']))
			$out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1);
			@@ -340,7 +344,7 @@
			foreach ($a_show_cols as $col)
			{
			// get column name
			$col_name = rep_specialchars_output(rcube_label($col));
			$col_name = Q(rcube_label($col));

			// make sort links
			$sort = '';
			@@ -394,10 +398,9 @@
			// no messages in this mailbox
			if (!sizeof($a_headers))
			{
			$out .= rep_specialchars_output(
			sprintf('<tr><td colspan="%d">%s</td></tr>',
			sizeof($a_show_cols)+2,
			rcube_label('nomessagesfound')));
			$out .= sprintf('<tr><td colspan="%d">%s</td></tr>',
			sizeof($a_show_cols)+2,
			Q(rcube_label('nomessagesfound')));
			}


			@@ -443,10 +446,10 @@
			foreach ($a_show_cols as $col)
			{
			if ($col=='from' \|\| $col=='to')
			$cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon']));
			$cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show');
			else if ($col=='subject')
			{
			$cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
			$cont = Q($IMAP->decode_header($header->$col));
			// firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
			$cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
			}
			@@ -455,9 +458,9 @@
			else if ($col=='date')
			$cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
			else
			$cont = rep_specialchars_output($header->$col, 'html', 'all');
			$cont = Q($header->$col);

			$out .= '<td class="'.$col.'">' . $cont . "</td>\n";
			$out .= '<td class="'.$col.'">' . $cont . "</td>\n";
			}

			$out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : '');
			@@ -530,15 +533,15 @@
			foreach ($a_show_cols as $col)
			{
			if ($col=='from' \|\| $col=='to')
			$cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html');
			$cont = Q(rcmail_address_string($header->$col, 3), 'show');
			else if ($col=='subject')
			$cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
			$cont = Q($IMAP->decode_header($header->$col));
			else if ($col=='size')
			$cont = show_bytes($header->$col);
			else if ($col=='date')
			$cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
			else
			$cont = rep_specialchars_output($header->$col, 'html', 'all');
			$cont = Q($header->$col);

			$a_msg_cols[$col] = $cont;
			}
			@@ -642,7 +645,7 @@
			$OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id']));

			// allow the following attributes to be added to the <span> tag
			$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display'));
			$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));

			$out = '<span' . $attrib_str . '>';
			$out .= rcmail_quota_content($attrib['display']);
			@@ -710,7 +713,7 @@
			'to' => min($max, $start_msg + $IMAP->page_size - 1),
			'count' => $max)));

			return rep_specialchars_output($out);
			return Q($out);
			}


			@@ -757,13 +760,13 @@
			$body = preg_replace($remote_patterns, $remote_replaces, $body);
			}

			return rep_specialchars_output($body, 'html', '', FALSE);
			return Q($body, 'show', FALSE);
			}

			// text/enriched
			if ($part->ctype_secondary=='enriched')
			{
			return rep_specialchars_output(enriched_to_html($body), 'html');
			return Q(enriched_to_html($body), 'show');
			}
			else
			{
			@@ -812,7 +815,7 @@
			$quotation = str_repeat("</blockquote>", $quote_level);

			$quote_level = $q;
			$a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE);
			$a_lines[$n] = $quotation . Q($line, 'replace', FALSE);
			}

			// insert the links for urls and mailtos
			@@ -1066,12 +1069,12 @@
			if ($hkey=='date' && !empty($headers[$hkey]))
			$header_value = format_date(strtotime($headers[$hkey]));
			else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
			$header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
			$header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show');
			else
			$header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
			$header_value = Q($IMAP->decode_header($headers[$hkey]));

			$out .= "\n<tr>\n";
			$out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).": </td>\n";
			$out .= '<td class="header-title">'.Q(rcube_label($hkey)).": </td>\n";
			$out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>";
			$header_count++;
			}
			@@ -1384,7 +1387,7 @@
			{
			$j++;
			if ($PRINT_MODE)
			$out .= sprintf('%s <%s>', rep_specialchars_output($part['name']), $part['mailto']);
			$out .= sprintf('%s <%s>', Q($part['name']), $part['mailto']);
			else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto']))
			{
			$out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>',
			@@ -1392,7 +1395,7 @@
			$JS_OBJECT_NAME,
			$part['mailto'],
			$part['mailto'],
			rep_specialchars_output($part['name']));
			Q($part['name']));

			if ($addicon)
			$out .= sprintf(' <a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>',
			@@ -1405,7 +1408,7 @@
			else
			{
			if ($part['name'])
			$out .= rep_specialchars_output($part['name']);
			$out .= Q($part['name']);
			if ($part['mailto'])
			$out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', $part['mailto']);
			}
			@@ -1442,15 +1445,15 @@
			if ($filename)
			{
			$out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n",
			rcube_label('filename'),
			rep_specialchars_output(rcube_imap::decode_mime_string($filename)),
			Q(rcube_label('filename')),
			Q(rcube_imap::decode_mime_string($filename)),
			str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']),
			rcube_label('download'));
			Q(rcube_label('download')));
			}

			if ($filesize)
			$out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n",
			rcube_label('filesize'),
			Q(rcube_label('filesize')),
			show_bytes($filesize));

			$out .= "\n</table>";

			@@ -468,7 +468,7 @@

			rcmail_compose_cleanup();
			rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');",
			rep_specialchars_output(rcube_label('messagesent'), 'js')));
			JQ(rcube_label('messagesent'))));
			}

			@@ -150,11 +150,10 @@
			$attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
			$out = '<div' . $attrib_str . ">";

			$out .= rep_specialchars_output(sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>',
			rcube_label('blockedimages'),
			$JS_OBJECT_NAME,
			rcube_label('showimages'),
			rcube_label('showimages')));
			$out .= sprintf('%s <a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>',
			Q(rcube_label('blockedimages')),
			$JS_OBJECT_NAME,
			Q(rcube_label('showimages')));

			$out .= '</div>';

			@@ -49,16 +49,16 @@
			if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png'))
			$button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />',
			$CONFIG['skin_path'],
			rcube_label('delete'));
			Q(rcube_label('delete')));
			else
			$button = rcube_label('delete');
			$button = Q(rcube_label('delete'));

			$content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s',
			$JS_OBJECT_NAME,
			$id,
			rcube_label('delete'),
			$button,
			rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js'));
			JQ(Q(rcube_label('delete'))),
			JQ($button),
			JQ(Q($_FILES['_attachments']['name'][$i])));

			$response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');',
			$JS_OBJECT_NAME,

			@@ -127,7 +127,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$attrib['id'],
			rep_specialchars_output(rcube_label($label)),
			Q(rcube_label($label)),
			$value);
			}

			@@ -60,7 +60,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('language')),
			Q(rcube_label('language')),
			$select_lang->show($sess_user_lang));
			}

			@@ -106,7 +106,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('timezone')),
			Q(rcube_label('timezone')),
			$select_timezone->show($CONFIG['timezone']));
			}

			@@ -117,7 +117,7 @@
			$input_dst = new checkbox(array('name' => '_dst_active', 'id' => $field_id, 'value' => 1));
			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('dstactive')),
			Q(rcube_label('dstactive')),
			$input_dst->show($CONFIG['dst_active']));
			}

			@@ -129,7 +129,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('pagesize')),
			Q(rcube_label('pagesize')),
			$input_pagesize->show($CONFIG['pagesize']));
			}

			@@ -141,7 +141,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('prettydate')),
			Q(rcube_label('prettydate')),
			$input_prettydate->show($CONFIG['prettydate']?1:0));
			}

			@@ -153,7 +153,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('preferhtml')),
			Q(rcube_label('preferhtml')),
			$input_pagesize->show($CONFIG['prefer_html']?1:0));
			}

			@@ -164,7 +164,7 @@
			$input_htmleditor = new checkbox(array('name' => '_htmleditor', 'id' => $field_id, 'value' => 1));
			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('htmleditor')),
			Q(rcube_label('htmleditor')),
			$input_htmleditor->show($CONFIG['htmleditor']?1:0));
			}

			@@ -175,7 +175,7 @@
			$input_preview = new checkbox(array('name' => '_preview_pane', 'id' => $field_id, 'value' => 1));
			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('previewpane')),
			Q(rcube_label('previewpane')),
			$input_preview->show($CONFIG['preview_pane']?1:0));
			}

			@@ -189,7 +189,7 @@

			$out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
			$field_id,
			rep_specialchars_output(rcube_label('autosavedraft')),
			Q(rcube_label('autosavedraft')),
			$select_autosave->show($CONFIG['draft_autosave']));
			}

			@@ -52,8 +52,8 @@
			if ($create && $REMOTE_REQUEST)
			{
			$commands = sprintf("this.add_folder_row('%s','%s')",
			rep_specialchars_output($create, 'js'),
			rep_specialchars_output(rcube_charset_convert($create, 'UTF-7'), 'js'));
			JQ($create),
			JQ(rcube_charset_convert($create, 'UTF-7')));
			rcube_remote_response($commands);
			}
			else if (!$create && $REMOTE_REQUEST)
			@@ -74,9 +74,9 @@
			if ($rename && $REMOTE_REQUEST)
			{
			$commands = sprintf("this.replace_folder_row('%s','%s','%s');\n",
			rep_specialchars_output(get_input_value('_folder_oldname', RCUBE_INPUT_GET), 'js'),
			rep_specialchars_output($rename, 'js'),
			rep_specialchars_output(rcube_charset_convert($rename, 'UTF-7'), 'js'));
			JQ(get_input_value('_folder_oldname', RCUBE_INPUT_GET)),
			JQ($rename),
			JQ(rcube_charset_convert($rename, 'UTF-7')));

			$commands .= "this.reset_folder_rename();\n";

			@@ -100,7 +100,7 @@

			if ($REMOTE_REQUEST && $deleted)
			{
			$commands = sprintf("this.remove_folder_row('%s');\n", rep_specialchars_output(get_input_value('_mboxes', RCUBE_INPUT_GET), 'js'));
			$commands = sprintf("this.remove_folder_row('%s');\n", JQ(get_input_value('_mboxes', RCUBE_INPUT_GET)));
			$commands .= show_message('folderdeleted', 'confirmation');
			rcube_remote_response($commands);
			}
			@@ -165,8 +165,8 @@
			$subscribed = in_array($folder, $a_subscribed);
			$protected = ($CONFIG['protect_default_folders'] == TRUE && in_array($folder,$CONFIG['default_imap_folders']));
			$zebra_class = $i%2 ? 'even' : 'odd';
			$folder_js = rep_specialchars_output($folder, 'js');
			$folder_js_enc = rep_specialchars_output(rcube_charset_convert($folder, 'UTF-7'), 'js');
			$folder_js = JQ($folder);
			$folder_js_enc = JQ(rcube_charset_convert($folder, 'UTF-7'));
			$folder_html = $CONFIG['protect_default_folders'] && in_array($folder, $CONFIG['default_imap_folders']) ? rcube_label(strtolower($folder)) : rcube_charset_convert($folder, 'UTF-7');

			if (!$protected)
			@@ -175,7 +175,7 @@
			$out .= sprintf('<tr id="rcmrow%d" class="%s"><td>%s</td>',
			$i+1,
			$zebra_class,
			rep_specialchars_output($folder_html, 'html', 'all'));
			Q($folder_html));

			if ($protected)
			$out .= '<td> '.($subscribed ? '•' : '-').'</td>';