Added more XSS protection (Bug #1308236) and some visual enhancements
| | |
| | | if (this.gui_objects.mailboxlist) |
| | | { |
| | | var item, reg, text_obj; |
| | | var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, ''); |
| | | var s_mbox = String(mbox).toLowerCase().replace(this.mbox_expression, ''); |
| | | var s_current = this.env.mailbox.toLowerCase().replace(this.mbox_expression, ''); |
| | | var nodes = this.gui_objects.mailboxlist.getElementsByTagName('LI'); |
| | | |
| | | for (var n=0; n<nodes.length; n++) |
| | | { |
| | | item = nodes[n]; |
| | | if (item.className && item.className.indexOf('mailbox '+s_mbox+' ')>=0) |
| | | this.set_classname(item, 'selected', true); |
| | | else if (item.className && item.className.indexOf('mailbox '+s_current)>=0) |
| | | this.set_classname(item, 'selected', false); |
| | | } |
| | | var current_li = document.getElementById('rcmbx'+s_current); |
| | | var mbox_li = document.getElementById('rcmbx'+s_mbox); |
| | | |
| | | if (current_li) |
| | | this.set_classname(current_li, 'selected', false); |
| | | if (mbox_li) |
| | | this.set_classname(mbox_li, 'selected', true); |
| | | } |
| | | |
| | | this.env.mailbox = mbox; |
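Review bot: The lookup `document.getElementById('rcmbx'+s_mbox)` only finds the folder if `this.mbox_expression` strips exactly the same characters as the server-side `preg_replace('/[^a-z0-9\-_]/', '', ...)` that builds the `rcmbx` ids in rcmail_render_folder_tree_html; `mbox_expression` is defined outside this hunk, so I can't confirm the two agree, and a mismatch fails silently because the `if (current_li)` / `if (mbox_li)` guards just skip the highlight. Two folder names that differ only in stripped characters also collapse to the same id, in which case `getElementById` returns the first element and the wrong folder is marked selected. A comment on the `var s_mbox` line should record the coupling: `// must mirror the id sanitization in rcmail_render_folder_tree_html`. The enclosing function starts outside the hunk.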
| | |
| | | } |
| | | |
| | | |
| | | // set default sort col/order to session |
| | | if (!isset($_SESSION['sort_col'])) |
| | | $_SESSION['sort_col'] = $CONFIG['message_sort_col']; |
| | | if (!isset($_SESSION['sort_order'])) |
| | | $_SESSION['sort_order'] = $CONFIG['message_sort_order']; |
| | | |
| | | |
| | | // define url for getting message parts |
| | | if (strlen($_GET['_uid'])) |
| | | $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']); |
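Review bot: `$IMAP->get_mailbox_name()` is placed into the `_mbox=%s` query parameter of `$GET_URL` without URL encoding, so a folder name containing `&`, `#`, `%` or a space changes the meaning of the URL; the `%d` on `_uid` covers the numeric half of the parameter list but not this one. Change it to `urlencode($IMAP->get_mailbox_name())`, and if `$GET_URL` is later written into HTML or a JavaScript string, that output point needs the matching escaping as well (that use is outside this hunk). `$GET_URL` is also only defined when `_uid` is non-empty, so consumers must guard for it being unset.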
| | |
| | | // return html for a structured list <ul> for the mailbox tree |
| | | function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox, $maxlength, $nestLevel=0) |
| | | { |
| | | global $JS_OBJECT_NAME, $IMAP; |
| | | global $JS_OBJECT_NAME, $IMAP, $CONFIG; |
| | | |
| | | $idx = 0; |
| | | $out = ''; |
| | |
| | | // add unread message count display |
| | | if ($unread_count = $IMAP->messagecount($folder['id'], 'UNSEEN', ($folder['id']==$mbox))) |
| | | $foldername .= sprintf(' (%d)', $unread_count); |
| | | |
| | | // make folder name safe for ids and class names |
| | | $folder_css = $class_name = preg_replace('/[^a-z0-9\-_]/', '', $folder_lc); |
| | | |
| | | $out .= sprintf('<li class="mailbox %s %s%s%s"><a href="#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>'."\n", |
| | | preg_replace('/[^a-z0-9\-_]/', '', $folder_lc), |
| | | // set special class for Sent, Drafts, Trash and Junk |
| | | if ($folder['id']==$CONFIG['sent_mbox']) |
| | | $class_name = 'sent'; |
| | | else if ($folder['id']==$CONFIG['drafts_mbox']) |
| | | $class_name = 'drafts'; |
| | | else if ($folder['id']==$CONFIG['trash_mbox']) |
| | | $class_name = 'trash'; |
| | | else if ($folder['id']==$CONFIG['junk_mbox']) |
| | | $class_name = 'junk'; |
| | | |
| | | $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="./#%s" onclick="return %s.command(\'list\',\'%s\')" onmouseup="return %s.mbox_mouse_up(\'%s\')">%s</a>', |
| | | $folder_css, |
| | | $class_name, |
| | | $zebra_class, |
| | | $unread_count ? ' unread' : '', |
| | | $folder['id']==$mbox ? ' selected' : '', |
| | |
| | | rep_specialchars_output($foldername, 'html', 'all')); |
| | | |
| | | if (!empty($folder['folders'])) |
| | | $out .= '<ul>' . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n"; |
| | | $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox, $maxlength, $nestLevel+1) . "</ul>\n"; |
| | | |
| | | $out .= "</li>\n"; |
| | | $idx++; |
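Review bot: The arguments that fill the two JS-string `%s` placeholders inside the `onclick`/`onmouseup` attributes on the `<li id="rcmbx%s"` line fall outside the visible part of the hunk (the `$folder_css` … `' selected'` arguments are shown, the rest are not), so I can't confirm the folder id is escaped both as a JS string literal (e.g. `addslashes()`) and for the HTML attribute (`rep_specialchars_output(..., 'html')`); a raw `'` or `"` in an IMAP folder name would otherwise terminate the string. Separately, `$folder_css` drops every character outside `[a-z0-9_-]`, so two folders that differ only in such characters receive the same `rcmbx…` id and the same class token, and the client-side `getElementById` lookup then finds only the first. A comment on the `$folder_css` line should record that the regex is mirrored by `mbox_expression` on the client: `// keep in sync with rcmail.mbox_expression (client-side id lookup)`. The enclosing function rcmail_render_folder_tree_html starts in an earlier hunk and continues past this one.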
| | |
| | | $image_tag = '<img src="%s%s" alt="%s" border="0" />'; |
| | | |
| | | // check to see if we have some settings for sorting |
| | | $sort_col = isset($_SESSION['sort_col']) ? $_SESSION['sort_col'] : $CONFIG['message_sort_col']; |
| | | $sort_order = isset($_SESSION['sort_order']) ? $_SESSION['sort_order'] : $CONFIG['message_sort_order']; |
| | | $sort_col = $_SESSION['sort_col']; |
| | | $sort_order = $_SESSION['sort_order']; |
| | | |
| | | // get message headers |
| | | $a_headers = $IMAP->list_headers('', '', $sort_col, $sort_order); |
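Review bot: Dropping the `isset()` fallback on the `$sort_col` / `$sort_order` lines makes `list_headers()` depend on the session defaults having been written on every request that reaches here; if the defaulting block keyed on `$CONFIG['message_sort_col']` lives in another file or runs only for some actions, a fresh session passes empty sort parameters to the IMAP layer. Keeping the ternary fallback costs one line each. The session value presumably originates from a request parameter wherever it is stored; if it is not validated against a whitelist at that point, it reaches `list_headers()` unchanged, which this hunk cannot show.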
| | |
| | | |
| | | |
| | | // remove SCRIPT tags |
| | | while (($pos = strpos($body_lc, '<script')) && ($pos2 = strpos($body_lc, '</script>', $pos))) |
| | | foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag) |
| | | { |
| | | $pos2 += 8; |
| | | $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2); |
| | | $body_lc = strtolower($body); |
| | | while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos))) |
| | | { |
| | | $pos2 += 8; |
| | | $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2); |
| | | $body_lc = strtolower($body); |
| | | } |
| | | } |
| | | |
| | | |
| | | // replace event handlers on any object |
| | | $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body); |
| | | |
| | | // resolve <base href> |
| | | $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i'; |
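Review bot: The loop condition `while (($pos = strpos($body_lc, '<'.$tag)) && ...)` treats a match at offset 0 as "not found", because `strpos` returns `0` and `&&` coerces it to false, so a body that begins with one of the listed tags is left untouched; the same condition also skips a tag that has no matching end tag. Compare against `false` explicitly: `while (($pos = strpos($body_lc, '<'.$tag)) !== false && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)) !== false)`. The `$pos2 += 8;` line was sized for `</script` without its `>` and now runs for five tags of different lengths, so use `$pos2 += strlen('</'.$tag.'>');`, which also stops leaving a stray `>` in the output. The event-handler regex further down matches only `on…=` with no whitespace before the `=`, which HTML permits; `'/\s(on[a-z]+)\s*=/im'` covers that form. The enclosing function starts and ends outside the hunk.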
| | |
| | | $body = preg_replace('/(url\s*\()(["\']?)([\.\/]+[^"\'\)\s]+)(\2)\)/Uie', "'\\1\''.make_absolute_url('\\3', '$base_url').'\')'", $body); |
| | | $body = preg_replace($base_reg, '', $body); |
| | | } |
| | | |
| | | |
| | | // add comments arround html and other tags |
| | | $out = preg_replace(array('/(<\/?html[^>]*>)/i', |
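Review bot: The `/Uie` modifiers on the `url(...)` rewrite line make the replacement string PHP code that is evaluated once per match, and `$base_url` is interpolated into that code as a single-quoted literal with no escaping; if `$base_url` is taken from the message's own `<base href>` (the `$base_reg` pattern defined just above suggests it is), a single quote inside it closes the literal and the remainder of the value runs as PHP — a code-execution sink, not merely an XSS one. Replace it with `preg_replace_callback()` and a named callback that builds the absolute URL from the match array and reads the base URL from a variable set before the call, so no PHP source is ever assembled from message data; the `/e` modifier is also deprecated in later PHP releases and eventually removed. The `$out = preg_replace(array(` statement on the last line continues outside the hunk, as does the enclosing function.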
| | |
| | | /****** check submission and compose message ********/ |
| | | |
| | | |
| | | $mailto_regexp = '/,\s*$/'; |
| | | $mailto_regexp = array('/,\s*[\r\n]+/', '/[\r\n]+/', '/,\s*$/m'); |
| | | $mailto_replace = array(' ', ', ', ''); |
| | | |
| | | // trip ending ', ' from |
| | | $mailto = preg_replace($mailto_regexp, '', $_POST['_to']); |
| | | // repalce new lines and strip ending ', ' |
| | | $mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to'])); |
| | | |
| | | // decode address strings |
| | | $to_address_arr = $IMAP->decode_address_list($mailto); |
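Review bot: `stripslashes()` on the `$_POST['_to']` line is unconditional, which is only correct when magic_quotes_gpc is enabled; with it off, a legitimate backslash inside a quoted display name is deleted. Guard it with `get_magic_quotes_gpc() ? stripslashes($_POST['_to']) : $_POST['_to']`, and the same applies to the `_cc` and `_bcc` lines in the following hunk. The three-pattern `$mailto_regexp` is the right shape for keeping CR/LF out of the recipient headers, but nothing says so; a comment above the `$mailto_regexp` array line would make the intent durable: `// collapse CR/LF so a recipient value cannot inject additional headers`.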
| | |
| | | |
| | | // additional recipients |
| | | if ($_POST['_cc']) |
| | | $headers['Cc'] = preg_replace($mailto_regexp, '', $_POST['_cc']); |
| | | $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])); |
| | | |
| | | if ($_POST['_bcc']) |
| | | $headers['Bcc'] = preg_replace($mailto_regexp, '', $_POST['_bcc']); |
| | | $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])); |
| | | |
| | | if (strlen($identity_arr['bcc'])) |
| | | $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc']; |
| | |
| | | position: absolute; |
| | | top: 60px; |
| | | right: 40px; |
| | | width: 250px; |
| | | width: 200px; |
| | | height: 20px; |
| | | text-align: right; |
| | | } |
| | |
| | | top: 85px; |
| | | left: 200px; |
| | | right: 40px; |
| | | bottom: 40px; |
| | | border: 1px solid #cccccc; |
| | | background-color: #FFFFFF; |
| | | overflow: auto; |
| | | /* css hack for IE */ |
| | | margin-bottom: 10px; |
| | | width: expression(document.body.clientWidth-240); |
| | | /* margin-bottom: 10px; */ |
| | | width: expression((parseInt(document.documentElement.clientWidth)-240)+'px'); |
| | | height: expression((parseInt(document.documentElement.clientHeight)-125)+'px'); |
| | | } |
| | | |
| | | table.headers-table |
| | |
| | | |
| | | table.headers-table td.header-title |
| | | { |
| | | width: 70px; |
| | | width: 80px; |
| | | color: #666666; |
| | | font-weight: bold; |
| | | text-align: right; |
| | | white-space: nowrap; |
| | | padding-right: 4px; |
| | | } |
| | | |
| | |
| | | #messagebody |
| | | { |
| | | min-height: 300px; |
| | | margin-top: 10px; |
| | | margin-bottom: 10px; |
| | | padding-top: 10px; |
| | | padding-bottom: 10px; |
| | | background-color: #FFFFFF; |
| | | border: 1px solid #cccccc; |
| | | border-top: none; |
| | | } |
| | | |
| | | div.message-part |
| | | { |
| | | padding: 8px; |
| | | padding-top: 10px; |
| | | border-top: 1px solid #cccccc; |
| | | overflow: hidden; |
| | | } |
| | | |
| | |
| | | display: none; |
| | | height: 20px; |
| | | min-height: 20px; |
| | | margin: 8px 8px 0px 8px; |
| | | padding: 10px 10px 6px 46px; |
| | | margin-top: 8px; |
| | | } |
| | | |
| | | #remote-objects-message a |
| | |
| | | top: 90px; |
| | | left: 200px; |
| | | right: 40px; |
| | | bottom: 20px; |
| | | bottom: 40px; |
| | | padding: 0px; |
| | | margin: 0px; |
| | | /* css hack for IE */ |
| | | width: expression(document.documentElement.clientWidth-240); |
| | | /* height: expression((parseInt(document.documentElement.clientHeight)-130)+'px'); */ |
| | | height: expression((parseInt(document.documentElement.clientHeight)-130)+'px'); |
| | | } |
| | | |
| | | /* |
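Review bot: `width: expression(document.documentElement.clientWidth-240)` yields a unit-less number, while the `height` line directly below it and the earlier `width: expression((parseInt(document.documentElement.clientWidth)-240)+'px')` rule wrap the value in `parseInt(...)` and append `'px'`; in standards mode IE ignores a unit-less non-zero length, so this width hack is likely a no-op there. Use the same form: `width: expression((parseInt(document.documentElement.clientWidth)-240)+'px');`. This line may be context rather than new, but the inconsistency remains after the commit.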
| | |
| | | #compose-body |
| | | { |
| | | margin-top: 10px; |
| | | width: 100% !important; |
| | | width: 99% !important; |
| | | width: 95%; |
| | | height: 95%; |
| | | min-height: 400px; |
| | | min-height: 300px; |
| | | font-size: 9pt; |
| | | font-family: "Courier New", Courier, monospace; |
| | | } |
| | |
| | | |
| | | </tr><tr> |
| | | |
| | | <td style="width:100%; height:100%;"> |
| | | <td style="width:100%; height:100%; vertical-align:top;"> |
| | | <roundcube:object name="composeBody" id="compose-body" form="form" cols="80" rows="20" warp="virtual" /> |
| | | </td> |
| | | |
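Review bot: The `warp="virtual"` attribute on the `composeBody` object line looks like a typo for `wrap`; if the template engine passes unknown attributes through to the rendered textarea (presumably the intent, given `cols`/`rows` beside it), `warp` is silently ignored and soft-wrapping is never enabled. Change it to `wrap="virtual"`. This line may be context rather than part of the change, but the commit leaves it as is.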
| | |
| | | <roundcube:include file="/includes/taskbar.html" /> |
| | | <roundcube:include file="/includes/header.html" /> |
| | | |
| | | <div id="messagecountbar"> |
| | | <roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" /> |
| | | <roundcube:object name="messageCountDisplay" /> |
| | | <roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" /> |
| | | </div> |
| | | |
| | | <div id="messagetoolbar"> |
| | | <roundcube:button command="list" image="/images/buttons/back_act.png" width="32" height="32" title="backtolist" /> |
| | | <roundcube:button command="reply" imageAct="/images/buttons/reply_act.png" imagePas="/images/buttons/reply_pas.png" width="32" height="32" title="replytomessage" /> |
| | |
| | | <roundcube:button command="print" imageAct="/images/buttons/print_act.png" imagePas="/images/buttons/print_pas.png" width="32" height="32" title="printmessage" /> |
| | | <roundcube:button command="viewsource" imageAct="/images/buttons/source_act.png" imagePas="/images/buttons/source_pas.png" width="32" height="32" title="viewsource" /> |
| | | <roundcube:object name="mailboxlist" type="select" noSelection="moveto" maxlength="25" onchange="rcmail.command('moveto', this.options[this.selectedIndex].value)" class="mboxlist" /> |
| | | </div> |
| | | |
| | | <div id="messagecountbar"> |
| | | <roundcube:button command="previousmessage" imageAct="/images/buttons/previous_act.png" imagePas="/images/buttons/previous_pas.png" width="11" height="11" title="previousmessages" /> |
| | | <roundcube:object name="messageCountDisplay" /> |
| | | <roundcube:button command="nextmessage" imageAct="/images/buttons/next_act.png" imagePas="/images/buttons/next_pas.png" width="11" height="11" title="nextmessages" /> |
| | | </div> |
| | | |
| | | <div id="mailboxlist-header"><roundcube:label name="mailboxlist" /></div> |