From 2b017e7f79be26563ab767bb9e97fee5d88a01f4 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 09 Dec 2011 16:13:54 -0500
Subject: [PATCH] Allow clean background:url(...) styles in safe mode. This will make Roundcube pass the Email Standards Acid Test
---
program/include/rcube_template.php | 159 ++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 115 insertions(+), 44 deletions(-)
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index fdfa15c..06503f2 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -35,9 +35,11 @@
private $pagetitle = '';
private $message = null;
private $js_env = array();
+ private $js_labels = array();
private $js_commands = array();
private $object_handlers = array();
private $plugin_skin_path;
+ private $template_name;
public $browser;
public $framed = false;
@@ -69,6 +71,7 @@
//$this->framed = $framed;
$this->set_env('task', $task);
+ $this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin'));
// load the correct skin (in case user-defined)
$this->set_skin($this->config['skin']);
@@ -80,7 +83,7 @@
$this->add_script(JS_OBJECT_NAME.'.init();', 'docready');
$this->scripts_path = 'program/js/';
- $this->include_script('jquery-1.5.min.js');
+ $this->include_script('jquery.min.js');
$this->include_script('common.js');
$this->include_script('app.js');
@@ -91,6 +94,7 @@
'username' => array($this, 'current_username'),
'message' => array($this, 'message_container'),
'charsetselector' => array($this, 'charset_selector'),
+ 'aboutcontent' => array($this, 'about_content'),
));
}
@@ -109,7 +113,6 @@
}
}
-
/**
* Set page title variable
*/
@@ -117,7 +120,6 @@
{
$this->pagetitle = $title;
}
-
/**
* Getter for the current page title
@@ -138,7 +140,6 @@
return $title;
}
-
/**
* Set skin
@@ -218,10 +219,11 @@
public function command()
{
$cmd = func_get_args();
- if (strpos($cmd[0], 'plugin.') === false)
+ if (strpos($cmd[0], 'plugin.') !== false)
+ $this->js_commands[] = array('triggerEvent', $cmd[0], $cmd[1]);
+ else
$this->js_commands[] = $cmd;
}
-
/**
* Add a localized label to the client environment
@@ -233,29 +235,35 @@
$args = $args[0];
foreach ($args as $name) {
- $this->command('add_label', $name, rcube_label($name));
+ $this->js_labels[$name] = rcube_label($name);
}
}
-
/**
* Invoke display_message command
*
- * @param string Message to display
- * @param string Message type [notice|confirm|error]
- * @param array Key-value pairs to be replaced in localized text
- * @param boolean Override last set message
+ * @param string $message Message to display
+ * @param string $type Message type [notice|confirm|error]
+ * @param array $vars Key-value pairs to be replaced in localized text
+ * @param boolean $override Override last set message
+ * @param int $timeout Message display time in seconds
* @uses self::command()
*/
- public function show_message($message, $type='notice', $vars=null, $override=true)
+ public function show_message($message, $type='notice', $vars=null, $override=true, $timeout=0)
{
if ($override || !$this->message) {
+ if (rcube_label_exists($message)) {
+ if (!empty($vars))
+ $vars = array_map('Q', $vars);
+ $msgtext = rcube_label(array('name' => $message, 'vars' => $vars));
+ }
+ else
+ $msgtext = $message;
+
$this->message = $message;
- $msgtext = rcube_label_exists($message) ? rcube_label(array('name' => $message, 'vars' => $vars)) : $message;
- $this->command('display_message', $msgtext, $type);
+ $this->command('display_message', $msgtext, $type, $timeout * 1000);
}
}
-
/**
* Delete all stored env variables and commands
@@ -271,11 +279,11 @@
{
$this->env = array();
$this->js_env = array();
+ $this->js_labels = array();
$this->js_commands = array();
$this->object_handlers = array();
parent::reset();
}
-
/**
* Redirect to a certain url
@@ -289,7 +297,6 @@
header('Location: ' . $location);
exit;
}
-
/**
* Send the request output to the client.
@@ -334,7 +341,7 @@
public function write($template = '')
{
// unlock interface after iframe load
- $unlock = preg_replace('/[^a-z0-9]/i', '', $_GET['_unlock']);
+ $unlock = preg_replace('/[^a-z0-9]/i', '', $_REQUEST['_unlock']);
if ($this->framed) {
array_unshift($this->js_commands, array('set_busy', false, null, $unlock));
}
@@ -350,31 +357,33 @@
$js .= $this->get_js_commands() . ($this->framed ? ' }' : '');
$this->add_script($js, 'head_top');
- // make sure all <form> tags have a valid request token
- $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
- $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+ // send clickjacking protection headers
+ $iframe = $this->framed || !empty($_REQUEST['_framed']);
+ if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+ header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
// call super method
parent::write($template, $this->config['skin_path']);
}
/**
- * Parse a specific skin template and deliver to stdout
- *
- * Either returns nothing, or exists hard (exit();)
+ * Parse a specific skin template and deliver to stdout (or return)
*
* @param string Template name
* @param boolean Exit script
- * @return void
+ * @param boolean Don't write to stdout, return parsed content instead
+ *
* @link http://php.net/manual/en/function.exit.php
*/
- private function parse($name = 'main', $exit = true)
+ function parse($name = 'main', $exit = true, $write = true)
{
$skin_path = $this->config['skin_path'];
$plugin = false;
$realname = $name;
$temp = explode('.', $name, 2);
+
$this->plugin_skin_path = null;
+ $this->template_name = $realname;
if (count($temp) > 1) {
$plugin = $temp[0];
@@ -426,21 +435,39 @@
// trigger generic hook where plugins can put additional content to the page
$hook = $this->app->plugins->exec_hook("render_page", array('template' => $realname, 'content' => $output));
- // add debug console
- if ($this->config['debug_level'] & 8) {
- $this->add_footer('<div id="console" style="position:absolute;top:5px;left:5px;width:405px;padding:2px;background:white;z-index:9000;">
- <a href="#toggle" onclick="con=$(\'#dbgconsole\');con[con.is(\':visible\')?\'hide\':\'show\']();return false">console</a>
- <textarea name="console" id="dbgconsole" rows="20" cols="40" wrap="off" style="display:none;width:400px;border:none;font-size:10px" spellcheck="false"></textarea></div>'
- );
+ // save some memory
+ $output = $hook['content'];
+ unset($hook['content']);
+
+ $output = $this->parse_with_globals($output);
+
+ // make sure all <form> tags have a valid request token
+ $output = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $output);
+ $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+
+ if ($write) {
+ // add debug console
+ if ($realname != 'error' && ($this->config['debug_level'] & 8)) {
+ $this->add_footer('<div id="console" style="position:absolute;top:5px;left:5px;width:405px;padding:2px;background:white;z-index:9000;display:none">
+ <a href="#toggle" onclick="con=$(\'#dbgconsole\');con[con.is(\':visible\')?\'hide\':\'show\']();return false">console</a>
+ <textarea name="console" id="dbgconsole" rows="20" cols="40" style="display:none;width:400px;border:none;font-size:10px" spellcheck="false"></textarea></div>'
+ );
+ $this->add_script(
+ "if (!window.console || !window.console.log) {\n".
+ " window.console = new rcube_console();\n".
+ " $('#console').show();\n".
+ "}", 'foot');
+ }
+ $this->write(trim($output));
+ }
+ else {
+ return $output;
}
- $output = $this->parse_with_globals($hook['content']);
- $this->write(trim($output));
if ($exit) {
exit;
}
}
-
/**
* Return executable javascript code for all registered commands
@@ -452,6 +479,9 @@
$out = '';
if (!$this->framed && !empty($this->js_env)) {
$out .= JS_OBJECT_NAME . '.set_env('.json_serialize($this->js_env).");\n";
+ }
+ if (!empty($this->js_labels)) {
+ $this->command('add_label', $this->js_labels);
}
foreach ($this->js_commands as $i => $args) {
$method = array_shift($args);
@@ -604,7 +634,8 @@
'/env:([a-z0-9_]+)/i',
'/request:([a-z0-9_]+)/i',
'/cookie:([a-z0-9_]+)/i',
- '/browser:([a-z0-9_]+)/i'
+ '/browser:([a-z0-9_]+)/i',
+ '/template:name/i',
),
array(
"\$_SESSION['\\1']",
@@ -612,7 +643,8 @@
"\$this->env['\\1']",
"get_input_value('\\1', RCUBE_INPUT_GPC)",
"\$_COOKIE['\\1']",
- "\$this->browser->{'\\1'}"
+ "\$this->browser->{'\\1'}",
+ $this->template_name,
),
$expression);
}
@@ -662,8 +694,10 @@
// show a label
case 'label':
if ($attrib['name'] || $attrib['command']) {
- $label = rcube_label($attrib + array('vars' => array('product' => $this->config['product_name'])));
- return !$attrbi['noshow'] ? Q($label) : '';
+ $vars = $attrib + array('product' => $this->config['product_name']);
+ unset($vars['name'], $vars['command']);
+ $label = rcube_label($attrib + array('vars' => $vars));
+ return !$attrib['noshow'] ? (get_boolean((string)$attrib['html']) ? $label : Q($label)) : '';
}
break;
@@ -714,6 +748,9 @@
else if (function_exists($handler)) {
$content = call_user_func($handler, $attrib);
}
+ else if ($object == 'doctype') {
+ $content = html::doctype($attrib['value']);
+ }
else if ($object == 'logo') {
$attrib += array('alt' => $this->xml_command(array('', 'object', 'name="productname"')));
if ($this->config['skin_logo'])
@@ -736,7 +773,12 @@
$content = Q($this->get_pagetitle());
}
else if ($object == 'pagetitle') {
- $title = !empty($this->config['product_name']) ? $this->config['product_name'].' :: ' : '';
+ if (!empty($this->config['devel_mode']) && !empty($_SESSION['username']))
+ $title = $_SESSION['username'].' :: ';
+ else if (!empty($this->config['product_name']))
+ $title = $this->config['product_name'].' :: ';
+ else
+ $title = '';
$title .= $this->get_pagetitle();
$content = Q($title);
}
@@ -882,6 +924,7 @@
// make valid href to specific buttons
if (in_array($attrib['command'], rcmail::$main_tasks)) {
$attrib['href'] = rcmail_url(null, null, $attrib['command']);
+ $attrib['onclick'] = sprintf("%s.switch_task('%s');return false", JS_OBJECT_NAME, $attrib['command']);
}
else if ($attrib['task'] && in_array($attrib['task'], rcmail::$main_tasks)) {
$attrib['href'] = rcmail_url($attrib['command'], null, $attrib['task']);
@@ -931,6 +974,8 @@
else if ($attrib['type']=='link') {
$btn_content = isset($attrib['content']) ? $attrib['content'] : ($attrib['label'] ? $attrib['label'] : $attrib['command']);
$link_attrib = array('href', 'onclick', 'title', 'id', 'class', 'style', 'tabindex', 'target');
+ if ($attrib['innerclass'])
+ $btn_content = html::span($attrib['innerclass'], $btn_content);
}
else if ($attrib['type']=='input') {
$attrib['type'] = 'button';
@@ -1074,6 +1119,7 @@
$input_task = new html_hiddenfield(array('name' => '_task', 'value' => 'login'));
$input_action = new html_hiddenfield(array('name' => '_action', 'value' => 'login'));
$input_tzone = new html_hiddenfield(array('name' => '_timezone', 'id' => 'rcmlogintz', 'value' => '_default_'));
+ $input_dst = new html_hiddenfield(array('name' => '_dstactive', 'id' => 'rcmlogindst', 'value' => '_default_'));
$input_url = new html_hiddenfield(array('name' => '_url', 'id' => 'rcmloginurl', 'value' => $url));
$input_user = new html_inputfield(array('name' => '_user', 'id' => 'rcmloginuser')
+ $attrib + $user_attrib);
@@ -1111,20 +1157,21 @@
$table = new html_table(array('cols' => 2));
$table->add('title', html::label('rcmloginuser', Q(rcube_label('username'))));
- $table->add(null, $input_user->show(get_input_value('_user', RCUBE_INPUT_GPC)));
+ $table->add('input', $input_user->show(get_input_value('_user', RCUBE_INPUT_GPC)));
$table->add('title', html::label('rcmloginpwd', Q(rcube_label('password'))));
- $table->add(null, $input_pass->show());
+ $table->add('input', $input_pass->show());
// add host selection row
if (is_object($input_host) && !$hide_host) {
$table->add('title', html::label('rcmloginhost', Q(rcube_label('server'))));
- $table->add(null, $input_host->show(get_input_value('_host', RCUBE_INPUT_GPC)));
+ $table->add('input', $input_host->show(get_input_value('_host', RCUBE_INPUT_GPC)));
}
$out = $input_task->show();
$out .= $input_action->show();
$out .= $input_tzone->show();
+ $out .= $input_dst->show();
$out .= $input_url->show();
$out .= $table->show();
@@ -1289,6 +1336,30 @@
return $select->show($set);
}
+ /**
+ * Include content from config/about.<LANG>.html if available
+ */
+ private function about_content($attrib)
+ {
+ $content = '';
+ $filenames = array(
+ 'about.' . $_SESSION['language'] . '.html',
+ 'about.' . substr($_SESSION['language'], 0, 2) . '.html',
+ 'about.html',
+ );
+ foreach ($filenames as $file) {
+ $fn = RCMAIL_CONFIG_DIR . '/' . $file;
+ if (is_readable($fn)) {
+ $content = file_get_contents($fn);
+ $content = $this->parse_conditions($content);
+ $content = $this->parse_xml($content);
+ break;
+ }
+ }
+
+ return $content;
+ }
+
} // end class rcube_template
--
Gitblit v1.9.1