From 2bca6e1da0e46f93297a7f60ff449b6c6ebac239 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 20 Dec 2006 09:06:33 -0500
Subject: [PATCH] New (strict) quoting for all kind of strings
---
program/include/main.inc | 82 ++++++++++++++++++++++++++--------------
1 files changed, 53 insertions(+), 29 deletions(-)
diff --git a/program/include/main.inc b/program/include/main.inc
index 10436ca..1abd84a 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -734,7 +734,7 @@
$framed = $GLOBALS['_framed'];
$command = sprintf("display_message('%s', '%s');",
- rep_specialchars_output(rcube_label(array('name' => $message, 'vars' => $vars)), 'js'),
+ JQ(rcube_label(array('name' => $message, 'vars' => $vars))),
$type);
if ($REMOTE_REQUEST)
@@ -854,7 +854,7 @@
$OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
$JS_OBJECT_NAME,
$name,
- rep_specialchars_output(rcube_label($name), 'js')));
+ JQ(rcube_label($name))));
}
@@ -897,8 +897,15 @@
}
-// convert a string from one charset to another
-// this function is not complete and not tested well
+/**
+ * Convert a string from one charset to another.
+ * Uses mbstring and iconv functions if possible
+ *
+ * @param string Input string
+ * @param string Suspected charset of the input string
+ * @param string Target charset to convert to; defaults to $GLOBALS['CHARSET']
+ * @return Converted string
+ */
function rcube_charset_convert($str, $from, $to=NULL)
{
global $MBSTRING;
@@ -953,12 +960,19 @@
}
-
-// replace specials characters to a specific encoding type
+/**
+ * Replacing specials characters to a specific encoding type
+ *
+ * @param string Input string
+ * @param string Encoding type: text|html|xml|js|url
+ * @param string Replace mode for tags: show|replace|remove
+ * @param boolean Convert newlines
+ * @return The quoted string
+ */
function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
{
global $OUTPUT_TYPE, $OUTPUT;
- static $html_encode_arr, $js_rep_table, $rtf_rep_table, $xml_rep_table;
+ static $html_encode_arr, $js_rep_table, $xml_rep_table;
if (!$enctype)
$enctype = $GLOBALS['OUTPUT_TYPE'];
@@ -1000,21 +1014,18 @@
return $newlines ? nl2br($out) : $out;
}
-
if ($enctype=='url')
return rawurlencode($str);
-
- // if the replace tables for RTF, XML and JS are not yet defined
+ // if the replace tables for XML and JS are not yet defined
if (!$js_rep_table)
{
- $js_rep_table = $rtf_rep_table = $xml_rep_table = array();
+ $js_rep_tabl = $xml_rep_table = array();
$xml_rep_table['&'] = '&';
for ($c=160; $c<256; $c++) // can be increased to support more charsets
{
$hex = dechex($c);
- $rtf_rep_table[Chr($c)] = "\\'$hex";
$xml_rep_table[Chr($c)] = "&#$c;";
if ($OUTPUT->get_charset()=='ISO-8859-1')
@@ -1025,7 +1036,7 @@
$xml_rep_table['"'] = '"';
}
- // encode for RTF
+ // encode for XML
if ($enctype=='xml')
return strtr($str, $xml_rep_table);
@@ -1038,12 +1049,26 @@
return addslashes(preg_replace(array("/\r\n/", "/\r/"), array('\n', '\n'), strtr($str, $js_rep_table)));
}
- // encode for RTF
- if ($enctype=='rtf')
- return preg_replace("/\r\n/", "\par ", strtr($str, $rtf_rep_table));
-
// no encoding given -> return original string
return $str;
+ }
+
+/**
+ * Quote a given string. Alias function for rep_specialchars_output
+ * @see rep_specialchars_output
+ */
+function Q($str, $mode='strict', $newlines=TRUE)
+ {
+ return rep_specialchars_output($str, 'html', $mode, $newlines);
+ }
+
+/**
+ * Quote a given string. Alias function for rep_specialchars_output
+ * @see rep_specialchars_output
+ */
+function JQ($str, $mode='strict', $newlines=TRUE)
+ {
+ return rep_specialchars_output($str, 'js', $mode, $newlines);
}
@@ -1248,7 +1273,7 @@
// show a label
case 'label':
if ($attrib['name'] || $attrib['command'])
- return rep_specialchars_output(rcube_label($attrib));
+ return Q(rcube_label($attrib));
break;
// create a menu item
@@ -1331,7 +1356,7 @@
else if ($object=='productname')
{
$name = !empty($CONFIG['product_name']) ? $CONFIG['product_name'] : 'RoundCube Webmail';
- return rep_specialchars_output($name, 'html', 'all');
+ return Q($name);
}
else if ($object=='version')
{
@@ -1353,7 +1378,7 @@
else
$title .= ucfirst($task);
- return rep_specialchars_output($title, 'html', 'all');
+ return Q($title);
}
break;
@@ -1419,12 +1444,12 @@
// get localized text for labels and titles
if ($attrib['title'])
- $attrib['title'] = rep_specialchars_output(rcube_label($attrib['title']));
+ $attrib['title'] = Q(rcube_label($attrib['title']));
if ($attrib['label'])
- $attrib['label'] = rep_specialchars_output(rcube_label($attrib['label']));
+ $attrib['label'] = Q(rcube_label($attrib['label']));
if ($attrib['alt'])
- $attrib['alt'] = rep_specialchars_output(rcube_label($attrib['alt']));
+ $attrib['alt'] = Q(rcube_label($attrib['alt']));
// set title to alt attribute for IE browsers
if ($BROWSER['ie'] && $attrib['title'] && !$attrib['alt'])
@@ -1537,12 +1562,11 @@
$table .= "<thead><tr>\n";
foreach ($a_show_cols as $col)
- $table .= '<td class="'.$col.'">' . rep_specialchars_output(rcube_label($col)) . "</td>\n";
+ $table .= '<td class="'.$col.'">' . Q(rcube_label($col)) . "</td>\n";
$table .= "</tr></thead>\n<tbody>\n";
$c = 0;
-
if (!is_array($table_data))
{
while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data)))
@@ -1554,8 +1578,8 @@
// format each col
foreach ($a_show_cols as $col)
{
- $cont = rep_specialchars_output($sql_arr[$col]);
- $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
+ $cont = Q($sql_arr[$col]);
+ $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
}
$table .= "</tr>\n";
@@ -1573,8 +1597,8 @@
// format each col
foreach ($a_show_cols as $col)
{
- $cont = rep_specialchars_output($row_data[$col]);
- $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
+ $cont = Q($row_data[$col]);
+ $table .= '<td class="'.$col.'">' . $cont . "</td>\n";
}
$table .= "</tr>\n";
--
Gitblit v1.9.1