From 2bca6e1da0e46f93297a7f60ff449b6c6ebac239 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 20 Dec 2006 09:06:33 -0500
Subject: [PATCH] New (strict) quoting for all kind of strings

---
 program/include/rcube_shared.inc          |    8 
 program/steps/mail/upload.inc             |   10 +-
 program/include/main.inc                  |   82 ++++++++++-----
 program/steps/mail/compose.inc            |   53 +++++-----
 program/steps/addressbook/func.inc        |    2 
 program/steps/mail/func.inc               |   67 +++++++------
 program/steps/settings/func.inc           |   18 +-
 program/steps/mail/show.inc               |    9 -
 program/steps/mail/sendmail.inc           |    2 
 program/steps/settings/manage_folders.inc |   18 +-
 program/steps/settings/edit_identity.inc  |    2 
 11 files changed, 149 insertions(+), 122 deletions(-)

diff --git a/program/include/main.inc b/program/include/main.inc
index 10436ca..1abd84a 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -734,7 +734,7 @@
   
   $framed = $GLOBALS['_framed'];
   $command = sprintf("display_message('%s', '%s');",
-                     rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'),
+                     JQ(rcube_label(array('name' => $message, 'vars' => $vars))),
                      $type);
                      
   if ($REMOTE_REQUEST)
@@ -854,7 +854,7 @@
     $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
                                 $JS_OBJECT_NAME,
                                 $name,
-                                rep_specialchars_output(rcube_label($name), 'js')));  
+                                JQ(rcube_label($name))));
   }
 
 
@@ -897,8 +897,15 @@
   }
 
 
-// convert a string from one charset to another
-// this function is not complete and not tested well
+/**
+ * Convert a string from one charset to another.
+ * Uses mbstring and iconv functions if possible
+ *
+ * @param  string Input string
+ * @param  string Suspected charset of the input string
+ * @param  string Target charset to convert to; defaults to $GLOBALS['CHARSET']
+ * @return Converted string
+ */
 function rcube_charset_convert($str, $from, $to=NULL)
   {
   global $MBSTRING;
@@ -953,12 +960,19 @@
   }
 
 
-
-// replace specials characters to a specific encoding type
+/**
+ * Replacing specials characters to a specific encoding type
+ *
+ * @param  string  Input string
+ * @param  string  Encoding type: text|html|xml|js|url
+ * @param  string  Replace mode for tags: show|replace|remove
+ * @param  boolean Convert newlines
+ * @return The quoted string
+ */
 function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
   {
   global $OUTPUT_TYPE, $OUTPUT;
-  static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table;
+  static $html_encode_arr, $js_rep_table, $xml_rep_table;
 
   if (!$enctype)
     $enctype = $GLOBALS['OUTPUT_TYPE'];
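Review bot: The docblock on the `$mode` parameter lists `show|replace|remove`, but the `Q()` wrapper this commit adds further down in main.inc defaults `$mode` to `'strict'`, and the html branch that would interpret that value lies between this hunk and the next, outside the diff, so a reader cannot tell whether `'strict'` is handled or silently falls through to some other mode. Either add it to the list, `* @param  string  Replace mode for tags: strict|show|replace|remove`, or, if the html branch does not know it, treat that as a defect rather than a documentation gap. Phpdoc also expects the variable name after the type (`@param string $str Input string`), which is what lets tools match the tags to the signature; the same applies to the rcube_charset_convert docblock in the previous hunk. rep_specialchars_output continues past the end of this hunk.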
@@ -1000,21 +1014,18 @@
     return $newlines ? nl2br($out) : $out;
     }
 
-
   if ($enctype=='url')
     return rawurlencode($str);
 
-
-  // if the replace tables for RTF, XML and JS are not yet defined
+  // if the replace tables for XML and JS are not yet defined
   if (!$js_rep_table)
     {
-    $js_rep_table = $rtf_rep_table = $xml_rep_table = array();
+    $js_rep_tabl = $xml_rep_table = array();
     $xml_rep_table['&'] = '&amp;';
 
     for ($c=160; $c<256; $c++)  // can be increased to support more charsets
       {
       $hex = dechex($c);
-      $rtf_rep_table[Chr($c)] = "\\'$hex";
       $xml_rep_table[Chr($c)] = "&#$c;";
       
       if ($OUTPUT->get_charset()=='ISO-8859-1')
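Review bot: `$js_rep_tabl = $xml_rep_table = array();` misspells the static `$js_rep_table`, so the JS table is no longer initialised to an array here; it only becomes one if the ISO-8859-1 branch that follows (outside this hunk) assigns entries to it. For any other output charset `$js_rep_table` stays null, the `if (!$js_rep_table)` guard re-runs the loop on every call, and `strtr($str, $js_rep_table)` in the js branch is handed a non-array, which PHP of that era rejects with a warning and a false return, so JS-quoted strings would come out empty. The line should read `$js_rep_table = $xml_rep_table = array();`. The enclosing function starts and ends outside this hunk.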
@@ -1025,7 +1036,7 @@
     $xml_rep_table['"'] = '&quot;';
     }
 
-  // encode for RTF
+  // encode for XML
   if ($enctype=='xml')
     return strtr($str, $xml_rep_table);
 
@@ -1038,12 +1049,26 @@
     return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table)));
     }
 
-  // encode for RTF
-  if ($enctype=='rtf')
-    return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table));
-
   // no encoding given -> return original string
   return $str;
+  }
+
+/**
+ * Quote a given string. Alias function for rep_specialchars_output
+ * @see rep_specialchars_output
+ */
+function Q($str, $mode='strict', $newlines=TRUE)
+  {
+  return rep_specialchars_output($str, 'html', $mode, $newlines);
+  }
+
+/**
+ * Quote a given string. Alias function for rep_specialchars_output
+ * @see rep_specialchars_output
+ */
+function JQ($str, $mode='strict', $newlines=TRUE)
+  {
+  return rep_specialchars_output($str, 'js', $mode, $newlines);
   }
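Review bot: The docblocks of `Q()` and `JQ()` are identical and say only "alias function", while the two differ in exactly the thing a caller needs to know: `Q()` quotes for an HTML context and `JQ()` for a JavaScript string literal. Suggest `* Quote a string for HTML output (rep_specialchars_output with enctype 'html'; $mode defaults to 'strict')` for Q and `* Quote a string for use inside a JavaScript string literal (enctype 'js')` for JQ. The js branch visible just above, `addslashes(preg_replace(..., strtr($str, $js_rep_table)))`, reads neither `$mode` nor `$newlines`, so JQ's extra parameters appear to be accepted and ignored; if the part of the js branch not shown does not use them either, the docblock should say so or the parameters be dropped.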
 
 
@@ -1248,7 +1273,7 @@
     // show a label
     case 'label':
       if ($attrib['name'] || $attrib['command'])
-        return rep_specialchars_output(rcube_label($attrib));
+        return Q(rcube_label($attrib));
       break;
 
     // create a menu item
@@ -1331,7 +1356,7 @@
       else if ($object=='productname')
         {
         $name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail';
-        return rep_specialchars_output($name, 'html', 'all');
+        return Q($name);
         }
       else if ($object=='version')
         {
@@ -1353,7 +1378,7 @@
         else
           $title .= ucfirst($task);
           
-        return rep_specialchars_output($title, 'html', 'all');
+        return Q($title);
         }
 
       break;
@@ -1419,12 +1444,12 @@
 
   // get localized text for labels and titles
   if ($attrib['title'])
-    $attrib['title'] = rep_specialchars_output(rcube_label($attrib['title']));
+    $attrib['title'] = Q(rcube_label($attrib['title']));
   if ($attrib['label'])
-    $attrib['label'] = rep_specialchars_output(rcube_label($attrib['label']));
+    $attrib['label'] = Q(rcube_label($attrib['label']));
 
   if ($attrib['alt'])
-    $attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt']));
+    $attrib['alt'] = Q(rcube_label($attrib['alt']));
 
   // set title to alt attribute for IE browsers
   if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt'])
@@ -1537,12 +1562,11 @@
   $table .= "<thead><tr>\n";
 
   foreach ($a_show_cols as $col)
-    $table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n";
+    $table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n";
 
   $table .= "</tr></thead>\n<tbody>\n";
   
   $c = 0;
-
   if (!is_array($table_data)) 
     {
     while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data)))
@@ -1554,8 +1578,8 @@
       // format each col
       foreach ($a_show_cols as $col)
         {
-        $cont = rep_specialchars_output($sql_arr[$col]);
-	    $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
+        $cont = Q($sql_arr[$col]);
+        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
         }
 
       $table .= "</tr>\n";
@@ -1573,8 +1597,8 @@
       // format each col
       foreach ($a_show_cols as $col)
         {
-        $cont = rep_specialchars_output($row_data[$col]);
-	    $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
+        $cont = Q($row_data[$col]);
+        $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
         }
 
       $table .= "</tr>\n";
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index 2ac3f3c..4200a91 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -133,7 +133,7 @@
       $this->title = 'RoundCube Mail';
   
     // replace specialchars in content
-    $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
+    $__page_title = Q($this->title, 'show', FALSE);
     $__page_header = $__page_body = $__page_footer = '';
     
     
@@ -725,7 +725,7 @@
 
       // encode textarea content
       if ($key=='value')
-        $value = rep_specialchars_output($value, 'html', 'replace', FALSE);
+        $value = Q($value, 'strict', FALSE);
 
       // attributes with no value
       if (in_array($key, array('checked', 'multiple', 'disabled', 'selected')))
@@ -879,7 +879,7 @@
       unset($this->attrib['value']);
 
     if (strlen($value) && !isset($this->attrib['mce_editable']))
-      $value = rep_specialchars_output($value, 'html', 'replace', FALSE);
+      $value = Q($value, 'strict', FALSE);
 
     // return final tag
     return sprintf('<%s%s>%s</%s>%s',
@@ -1019,7 +1019,7 @@
                              $this->_conv_case('option', 'tag'),
                              strlen($option['value']) ? sprintf($value_str, $option['value']) : '',
                              $selected, 
-                             rep_specialchars_output($option['text'], 'html', 'replace', FALSE),
+                             Q($option['text'], 'strict', FALSE),
                              $this->_conv_case('option', 'tag'));
       }
                              
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 0df6df3..1f993a9 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -119,7 +119,7 @@
     // format each col
     foreach ($a_show_cols as $col)
       {
-      $cont = rep_specialchars_output($sql_arr[$col]);
+      $cont = Q($sql_arr[$col]);
       $a_row_cols[$col] = $cont;
       }
   
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index ddc8610..a50b1ec 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -447,25 +447,26 @@
       $lang_set = "googie.setLanguages(".array2js($CONFIG['spellcheck_languages']).");\n";
     
     $OUTPUT->include_script('googiespell.js');
-    $OUTPUT->add_script(sprintf("var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
-                                "googie.lang_chck_spell = \"%s\";\n".
-                                "googie.lang_rsm_edt = \"%s\";\n".
-                                "googie.lang_close = \"%s\";\n".
-                                "googie.lang_revert = \"%s\";\n".
-                                "googie.lang_no_error_found = \"%s\";\n%s".
-                                "googie.setCurrentLanguage('%s');\n".
-                                "googie.decorateTextarea('%s');\n".
-                                "%s.set_env('spellcheck', googie);",
-                                $GLOBALS['COMM_PATH'],
-                                rep_specialchars_output(rcube_label('checkspelling')),
-                                rep_specialchars_output(rcube_label('resumeediting')),
-                                rep_specialchars_output(rcube_label('close')),
-                                rep_specialchars_output(rcube_label('revertto')),
-                                rep_specialchars_output(rcube_label('nospellerrors')),
-                                $lang_set,
-                                substr($_SESSION['user_lang'], 0, 2),
-                                $attrib['id'],
-                                $JS_OBJECT_NAME), 'foot');
+    $OUTPUT->add_script(sprintf(
+      "var googie = new GoogieSpell('\$__skin_path/images/googiespell/','%s&_action=spell&lang=');\n".
+      "googie.lang_chck_spell = \"%s\";\n".
+      "googie.lang_rsm_edt = \"%s\";\n".
+      "googie.lang_close = \"%s\";\n".
+      "googie.lang_revert = \"%s\";\n".
+      "googie.lang_no_error_found = \"%s\";\n%s".
+      "googie.setCurrentLanguage('%s');\n".
+      "googie.decorateTextarea('%s');\n".
+      "%s.set_env('spellcheck', googie);",
+      $GLOBALS['COMM_PATH'],
+      JQ(Q(rcube_label('checkspelling'))),
+      JQ(Q(rcube_label('resumeediting'))),
+      JQ(Q(rcube_label('close'))),
+      JQ(Q(rcube_label('revertto'))),
+      JQ(Q(rcube_label('nospellerrors'))),
+      $lang_set,
+      substr($_SESSION['user_lang'], 0, 2),
+      $attrib['id'],
+      $JS_OBJECT_NAME), 'foot');
 
     rcube_add_label('checking');
     }
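Review bot: `JQ(Q(rcube_label('checkspelling')))` and the four lines below it HTML-encode the label and then JS-quote the result, so the JavaScript variable receives entity-encoded text (an `&` arrives as `&amp;`); that is correct only if googiespell.js inserts these strings as HTML and wrong if it uses them as plain text, where the entities would show literally. Worth confirming against googiespell.js and recording the decision, e.g. `// labels are inserted as HTML by googiespell.js, hence Q() before JQ()`. The same nesting appears in upload.inc in this commit. The enclosing function starts and ends outside this hunk.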
@@ -552,10 +553,10 @@
         "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">From: </th><td>%s</td></tr>" .
         "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">To: </th><td>%s</td></tr>" .
         "</tbody></table><br>",
-                     rep_specialchars_output($MESSAGE['subject']),
-                     rep_specialchars_output($MESSAGE['headers']->date),
-                     rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->from)),
-                     rep_specialchars_output($IMAP->decode_header($MESSAGE['headers']->to)));
+                     Q($MESSAGE['subject']),
+                     Q($MESSAGE['headers']->date),
+                     Q($IMAP->decode_header($MESSAGE['headers']->from)),
+                     Q($IMAP->decode_header($MESSAGE['headers']->to)));
   }
 
   // add attachments
@@ -692,9 +693,9 @@
                       $id,
                       $JS_OBJECT_NAME,
                       $id,
-                      rcube_label('delete'), 
+                      Q(rcube_label('delete')),
                       $button,
-                      rep_specialchars_output($a_prop['name']));
+                      Q($a_prop['name']));
     }
 
   $OUTPUT->add_script(sprintf("%s.gui_object('attachmentlist', '%s');", $JS_OBJECT_NAME, $attrib['id']));  
@@ -895,7 +896,7 @@
   $a_contacts = array();
   while ($sql_arr = $DB->fetch_assoc($sql_result))
     if ($sql_arr['email'])
-      $a_contacts[] = format_email_recipient($sql_arr['email'], rep_specialchars_output($sql_arr['name'], 'js'));
+      $a_contacts[] = format_email_recipient($sql_arr['email'], JQ($sql_arr['name']));
   
   $OUTPUT->add_script(sprintf("$JS_OBJECT_NAME.set_env('contacts', %s);", array2js($a_contacts)));
   }
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 0f06215..f01e95b 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -51,7 +51,11 @@
   $_SESSION['sort_col'] = $CONFIG['message_sort_col'];
 if (!isset($_SESSION['sort_order']))
   $_SESSION['sort_order'] = $CONFIG['message_sort_order'];
-  
+
+// set message set for search result
+if (!empty($_GET['_search']) && isset($_SESSION['search'][$_GET['_search']]))
+  $IMAP->set_search_set($_SESSION['search'][$_GET['_search']]);
+
 
 // define url for getting message parts
 if (strlen($_GET['_uid']))
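Review bot: The new search-set block uses `$_GET['_search']` directly as an array key, whereas the rest of this commit reads request parameters through `get_input_value(..., RCUBE_INPUT_GET)` (see manage_folders.inc). An array-valued request parameter would make `isset($_SESSION['search'][$_GET['_search']])` fail with an illegal-offset warning instead of being rejected cleanly, and the block is unrelated to the quoting change named in the subject, so it deserves a mention in the commit message. Suggest `$search_id = get_input_value('_search', RCUBE_INPUT_GET);` and `if (is_string($search_id) && $search_id !== '' && isset($_SESSION['search'][$search_id]))` before calling `$IMAP->set_search_set(...)`. This is top-level code; the statements around it begin before the hunk.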
@@ -193,7 +197,7 @@
         {
         $fname = abbrevate_string($foldername, $maxlength);
         if ($fname != $foldername)
-          $title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"';
+          $title = ' title="'.Q($foldername).'"';
         $foldername = $fname;
         }
       }
@@ -215,7 +219,7 @@
     else if ($folder['id']==$CONFIG['junk_mbox'])
       $class_name = 'junk';
 
-    $js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js'));
+    $js_name = htmlspecialchars(JQ($folder['id']));
     $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&amp;_mbox=%s"'.
                     ' onclick="return %s.command(\'list\',\'%s\')"'.
                     ' onmouseover="return %s.focus_mailbox(\'%s\')"' .            
@@ -237,7 +241,7 @@
                     $JS_OBJECT_NAME,
                     $js_name,
                     $title,
-                    rep_specialchars_output($foldername, 'html', 'all'));
+                    Q($foldername));
 
     if (!empty($folder['folders']))
       $out .= "\n<ul>\n" . rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n";
@@ -274,7 +278,7 @@
     $out .= sprintf('<option value="%s">%s%s</option>'."\n",
                     htmlspecialchars($folder['id']),
                     str_repeat('&nbsp;', $nestLevel*4),
-                    rep_specialchars_output($foldername, 'html', 'all'));
+                    Q($foldername));
 
     if (!empty($folder['folders']))
       $out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1);
@@ -340,7 +344,7 @@
   foreach ($a_show_cols as $col)
     {
     // get column name
-    $col_name = rep_specialchars_output(rcube_label($col));
+    $col_name = Q(rcube_label($col));
 
     // make sort links
     $sort = '';
@@ -394,10 +398,9 @@
   // no messages in this mailbox
   if (!sizeof($a_headers))
     {
-    $out .= rep_specialchars_output(
-				sprintf('<tr><td colspan="%d">%s</td></tr>',
-                   sizeof($a_show_cols)+2,
-                   rcube_label('nomessagesfound')));
+    $out .= sprintf('<tr><td colspan="%d">%s</td></tr>',
+                    sizeof($a_show_cols)+2,
+                    Q(rcube_label('nomessagesfound')));
     }
 
 
@@ -443,10 +446,10 @@
     foreach ($a_show_cols as $col)
       {
       if ($col=='from' || $col=='to')
-        $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon']));
+        $cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show');
       else if ($col=='subject')
         {
-        $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
+        $cont = Q($IMAP->decode_header($header->$col));
         // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop
         $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />';
         }
@@ -455,9 +458,9 @@
       else if ($col=='date')
         $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
       else
-        $cont = rep_specialchars_output($header->$col, 'html', 'all');
+        $cont = Q($header->$col);
         
-	  $out .= '<td class="'.$col.'">' . $cont . "</td>\n";
+      $out .= '<td class="'.$col.'">' . $cont . "</td>\n";
       }
 
     $out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : '');
@@ -530,15 +533,15 @@
     foreach ($a_show_cols as $col)
       {
       if ($col=='from' || $col=='to')
-        $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html');
+        $cont = Q(rcmail_address_string($header->$col, 3), 'show');
       else if ($col=='subject')
-        $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all');
+        $cont = Q($IMAP->decode_header($header->$col));
       else if ($col=='size')
         $cont = show_bytes($header->$col);
       else if ($col=='date')
         $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date));
       else
-        $cont = rep_specialchars_output($header->$col, 'html', 'all');
+        $cont = Q($header->$col);
           
       $a_msg_cols[$col] = $cont;
       }
@@ -642,7 +645,7 @@
   $OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id']));
 
   // allow the following attributes to be added to the <span> tag
-  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display'));
+  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
 
   $out = '<span' . $attrib_str . '>';
   $out .= rcmail_quota_content($attrib['display']);
@@ -710,7 +713,7 @@
                                               'to'    => min($max, $start_msg + $IMAP->page_size - 1),
                                               'count' => $max)));
 
-  return rep_specialchars_output($out);
+  return Q($out);
   }
 
 
@@ -757,13 +760,13 @@
       $body = preg_replace($remote_patterns, $remote_replaces, $body);
       }
 
-    return rep_specialchars_output($body, 'html', '', FALSE);
+    return Q($body, 'show', FALSE);
     }
 
   // text/enriched
   if ($part->ctype_secondary=='enriched')
     {
-    return rep_specialchars_output(enriched_to_html($body), 'html');
+    return Q(enriched_to_html($body), 'show');
     }
   else
     {
@@ -812,7 +815,7 @@
         $quotation = str_repeat("</blockquote>", $quote_level);
 
       $quote_level = $q;
-      $a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE);
+      $a_lines[$n] = $quotation . Q($line, 'replace', FALSE);
       }
 
     // insert the links for urls and mailtos
@@ -1066,12 +1069,12 @@
     if ($hkey=='date' && !empty($headers[$hkey]))
       $header_value = format_date(strtotime($headers[$hkey]));
     else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to')))
-      $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']));
+      $header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show');
     else
-      $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all');
+      $header_value = Q($IMAP->decode_header($headers[$hkey]));
 
     $out .= "\n<tr>\n";
-    $out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).":&nbsp;</td>\n";
+    $out .= '<td class="header-title">'.Q(rcube_label($hkey)).":&nbsp;</td>\n";
     $out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>";
     $header_count++;
     }
@@ -1384,7 +1387,7 @@
     {
     $j++;
     if ($PRINT_MODE)
-      $out .= sprintf('%s &lt;%s&gt;', rep_specialchars_output($part['name']), $part['mailto']);
+      $out .= sprintf('%s &lt;%s&gt;', Q($part['name']), $part['mailto']);
     else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto']))
       {
       $out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>',
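Review bot: `Q($part['name'])` now quotes the display name, but `$part['mailto']` on the same line goes into the output raw, and the same happens in the fallback at the end of this function, `sprintf('&lt;%s&gt;', $part['mailto'])` in the hunk beginning with `else`. The anchor branch between them is guarded by `preg_match($EMAIL_ADDRESS_PATTERN, ...)`, but that fallback is reached precisely when the address did not match the pattern, and the callers of rcmail_address_string in this commit pass mode `'show'` to Q(), which by its name leaves markup in place, so nothing later quotes it. Suggest `Q($part['mailto'])` in both sprintf calls. rcmail_address_string starts and ends outside this hunk.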
@@ -1392,7 +1395,7 @@
                       $JS_OBJECT_NAME,
                       $part['mailto'],
                       $part['mailto'],
-                      rep_specialchars_output($part['name']));
+                      Q($part['name']));
                       
       if ($addicon)
         $out .= sprintf('&nbsp;<a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>',
@@ -1405,7 +1408,7 @@
     else
       {
       if ($part['name'])
-        $out .= rep_specialchars_output($part['name']);
+        $out .= Q($part['name']);
       if ($part['mailto'])
         $out .= (strlen($out) ? ' ' : '') . sprintf('&lt;%s&gt;', $part['mailto']);
       }
@@ -1442,15 +1445,15 @@
   if ($filename)
     {
     $out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n",
-                    rcube_label('filename'),
-                    rep_specialchars_output(rcube_imap::decode_mime_string($filename)),
+                    Q(rcube_label('filename')),
+                    Q(rcube_imap::decode_mime_string($filename)),
                     str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']),
-                    rcube_label('download'));
+                    Q(rcube_label('download')));
     }
     
   if ($filesize)
     $out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n",
-                    rcube_label('filesize'),
+                    Q(rcube_label('filesize')),
                     show_bytes($filesize));
   
   $out .= "\n</table>";
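Review bot: The labels in this sprintf are now quoted, but the third argument, `str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING'])`, is still placed into the `href` attribute unquoted; the query string is request-supplied, so it is the one value on the line that needs quoting more than the labels do. Suggest `Q(str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']))`. The enclosing function starts before this hunk.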
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index 98f413c..716072a 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -468,7 +468,7 @@
 
   rcmail_compose_cleanup();
   rcube_iframe_response(sprintf("parent.$JS_OBJECT_NAME.sent_successfully('%s');",
-                                rep_specialchars_output(rcube_label('messagesent'), 'js')));
+                                JQ(rcube_label('messagesent'))));
   }
 
 
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index fd82345..aa5b373 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -150,11 +150,10 @@
   $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
   $out = '<div' . $attrib_str . ">";
   
-  $out .= rep_specialchars_output(sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')" title="%s">%s</a>',
-                                  rcube_label('blockedimages'),
-                                  $JS_OBJECT_NAME,
-                                  rcube_label('showimages'),
-                                  rcube_label('showimages')));
+  $out .= sprintf('%s&nbsp;<a href="#loadimages" onclick="%s.command(\'load-images\')">%s</a>',
+                  Q(rcube_label('blockedimages')),
+                  $JS_OBJECT_NAME,
+                  Q(rcube_label('showimages')));
   
   $out .= '</div>';
   
diff --git a/program/steps/mail/upload.inc b/program/steps/mail/upload.inc
index cde4ed2..50a6dba 100644
--- a/program/steps/mail/upload.inc
+++ b/program/steps/mail/upload.inc
@@ -49,16 +49,16 @@
     if (is_file($CONFIG['skin_path'] . '/images/icons/remove-attachment.png'))
       $button = sprintf('<img src="%s/images/icons/remove-attachment.png" alt="%s" border="0" style="padding-right:2px;vertical-align:middle" />',
                         $CONFIG['skin_path'],
-                        rcube_label('delete'));
+                        Q(rcube_label('delete')));
     else
-      $button = rcube_label('delete');
+      $button = Q(rcube_label('delete'));
 
     $content = sprintf('<a href="#delete" onclick="return %s.command(\\\'remove-attachment\\\', \\\'rcmfile%d\\\', this)" title="%s">%s</a>%s',
                        $JS_OBJECT_NAME,
                        $id,
-                       rcube_label('delete'),
-                       $button,
-                       rep_specialchars_output($_FILES['_attachments']['name'][$i], 'js'));
+                       JQ(Q(rcube_label('delete'))),
+                       JQ($button),
+                       JQ(Q($_FILES['_attachments']['name'][$i])));
 
     $response .= sprintf('parent.%s.add2attachment_list(\'rcmfile%d\',\'%s\');',
                          $JS_OBJECT_NAME,
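Review bot: JS quoting is applied to each fragment of `$content` (`JQ(Q(rcube_label('delete')))`, `JQ($button)`, `JQ(Q(...))`) rather than once to the assembled string, so the format string's own quotes still have to be hand-escaped (`\\\'remove-attachment\\\'`) and every future edit to that markup has to repeat the trick. Quoting the whole string where it is embedded, `JQ($content)` as the argument of the `add2attachment_list` sprintf below, removes both the nested calls here and the manual escapes, and makes the HTML-then-JS layering visible in one place. The enclosing loop starts before this hunk and the sprintf it ends on continues past it.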
diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc
index 1ea8947..5fa531a 100644
--- a/program/steps/settings/edit_identity.inc
+++ b/program/steps/settings/edit_identity.inc
@@ -127,7 +127,7 @@
 
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $attrib['id'],
-                    rep_specialchars_output(rcube_label($label)),
+                    Q(rcube_label($label)),
                     $value);
     }
 
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 91f2f90..e51f683 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -60,7 +60,7 @@
   
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('language')),
+                    Q(rcube_label('language')),
                     $select_lang->show($sess_user_lang));
     }
 
@@ -106,7 +106,7 @@
   
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('timezone')),
+                    Q(rcube_label('timezone')),
                     $select_timezone->show($CONFIG['timezone']));
     }
 
@@ -117,7 +117,7 @@
     $input_dst = new checkbox(array('name' => '_dst_active', 'id' => $field_id, 'value' => 1));
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('dstactive')),
+                    Q(rcube_label('dstactive')),
                     $input_dst->show($CONFIG['dst_active']));
     }
 
@@ -129,7 +129,7 @@
 
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('pagesize')),
+                    Q(rcube_label('pagesize')),
                     $input_pagesize->show($CONFIG['pagesize']));
     }
 
@@ -141,7 +141,7 @@
 
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('prettydate')),
+                    Q(rcube_label('prettydate')),
                     $input_prettydate->show($CONFIG['prettydate']?1:0));
     }
 
@@ -153,7 +153,7 @@
 
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('preferhtml')),
+                    Q(rcube_label('preferhtml')),
                     $input_pagesize->show($CONFIG['prefer_html']?1:0));
     }
 
@@ -164,7 +164,7 @@
     $input_htmleditor = new checkbox(array('name' => '_htmleditor', 'id' => $field_id, 'value' => 1));
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('htmleditor')),
+                    Q(rcube_label('htmleditor')),
                     $input_htmleditor->show($CONFIG['htmleditor']?1:0));
     }
 
@@ -175,7 +175,7 @@
     $input_preview = new checkbox(array('name' => '_preview_pane', 'id' => $field_id, 'value' => 1));
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('previewpane')),
+                    Q(rcube_label('previewpane')),
                     $input_preview->show($CONFIG['preview_pane']?1:0));
     }
                   
@@ -189,7 +189,7 @@
 
     $out .= sprintf("<tr><td class=\"title\"><label for=\"%s\">%s</label></td><td>%s</td></tr>\n",
                     $field_id,
-                    rep_specialchars_output(rcube_label('autosavedraft')),
+                    Q(rcube_label('autosavedraft')),
                     $select_autosave->show($CONFIG['draft_autosave']));
     }
 
diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc
index 5f2da4e..8abd2c3 100644
--- a/program/steps/settings/manage_folders.inc
+++ b/program/steps/settings/manage_folders.inc
@@ -52,8 +52,8 @@
   if ($create && $REMOTE_REQUEST)
     {
     $commands = sprintf("this.add_folder_row('%s','%s')",
-                        rep_specialchars_output($create, 'js'),
-                        rep_specialchars_output(rcube_charset_convert($create, 'UTF-7'), 'js'));
+                        JQ($create),
+                        JQ(rcube_charset_convert($create, 'UTF-7')));
     rcube_remote_response($commands);
     }
   else if (!$create && $REMOTE_REQUEST)
@@ -74,9 +74,9 @@
   if ($rename && $REMOTE_REQUEST)
     {
     $commands = sprintf("this.replace_folder_row('%s','%s','%s');\n",
-                        rep_specialchars_output(get_input_value('_folder_oldname', RCUBE_INPUT_GET), 'js'),
-                        rep_specialchars_output($rename, 'js'),
-                        rep_specialchars_output(rcube_charset_convert($rename, 'UTF-7'), 'js'));
+                        JQ(get_input_value('_folder_oldname', RCUBE_INPUT_GET)),
+                        JQ($rename),
+                        JQ(rcube_charset_convert($rename, 'UTF-7')));
 
     $commands .= "this.reset_folder_rename();\n";
                         
@@ -100,7 +100,7 @@
 
   if ($REMOTE_REQUEST && $deleted)
     {
-    $commands = sprintf("this.remove_folder_row('%s');\n", rep_specialchars_output(get_input_value('_mboxes', RCUBE_INPUT_GET), 'js'));
+    $commands = sprintf("this.remove_folder_row('%s');\n", JQ(get_input_value('_mboxes', RCUBE_INPUT_GET)));
     $commands .= show_message('folderdeleted', 'confirmation');
     rcube_remote_response($commands);
     }
@@ -165,8 +165,8 @@
     $subscribed = in_array($folder, $a_subscribed);
     $protected = ($CONFIG['protect_default_folders'] == TRUE && in_array($folder,$CONFIG['default_imap_folders']));
     $zebra_class = $i%2 ? 'even' : 'odd';
-    $folder_js = rep_specialchars_output($folder, 'js');
-    $folder_js_enc = rep_specialchars_output(rcube_charset_convert($folder, 'UTF-7'), 'js');
+    $folder_js = JQ($folder);
+    $folder_js_enc = JQ(rcube_charset_convert($folder, 'UTF-7'));
     $folder_html = $CONFIG['protect_default_folders'] && in_array($folder, $CONFIG['default_imap_folders']) ? rcube_label(strtolower($folder)) : rcube_charset_convert($folder, 'UTF-7');
     
     if (!$protected)
@@ -175,7 +175,7 @@
     $out .= sprintf('<tr id="rcmrow%d" class="%s"><td>%s</td>',
                     $i+1,
                     $zebra_class,
-                    rep_specialchars_output($folder_html, 'html', 'all'));
+                    Q($folder_html));
                     
     if ($protected)
       $out .= '<td>&nbsp;'.($subscribed ? '&#x2022;' : '-').'</td>';

--
Gitblit v1.9.1