From 516467080bd822cb94a4a9ef58a168dcdaf7535b Mon Sep 17 00:00:00 2001
From: alecpl <alec@alec.pl>
Date: Fri, 27 May 2011 09:01:05 -0400
Subject: [PATCH] - Fix handling of "<" character in contact data, search fields and folder names, identity name and organization fields (#1487864)

---
 CHANGELOG                                |    2 ++
 program/steps/mail/search.inc            |    7 ++++---
 program/include/main.inc                 |    3 +--
 program/steps/addressbook/save.inc       |    9 ++++-----
 program/steps/settings/save_identity.inc |    6 +++---
 program/steps/addressbook/search.inc     |    2 +-
 6 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 807cd82..15bfd76 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix handling of "<" character in contact data, search fields and folder names (#1487864)
+- Fix saving "<" character in identity name and organization fields (#1487864)
 - Added option to specify to which address book add new contacts
 - Added plugin hook for keep-alive requests
 - Store user preferences in session when write-master is not available and session is stored in memcache, write them later
diff --git a/program/include/main.inc b/program/include/main.inc
index 44a43c6..98b8bcb 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -867,8 +867,7 @@
 
   // use value from post
   if (isset($_POST[$fname])) {
-    $postvalue = get_input_value($fname, RCUBE_INPUT_POST,
-      $type == 'textarea' && strpos($attrib['class'], 'mce_editor')!==false ? true : false);
+    $postvalue = get_input_value($fname, RCUBE_INPUT_POST, true);
     $value = $attrib['array'] ? $postvalue[intval($colcounts[$col]++)] : $postvalue;
   }
 
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 2536097..0092eb1 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -95,7 +95,6 @@
     $OUTPUT->send('iframe');
 }
 
-
 // read POST values into hash array
 $a_record = array();
 foreach ($GLOBALS['CONTACT_COLTYPES'] as $col => $colprop) {
@@ -106,7 +105,7 @@
   if ($colprop['childs']) {
     $values = array();
     foreach ($colprop['childs'] as $childcol => $cp) {
-      $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST);
+      $vals = get_input_value('_'.$childcol, RCUBE_INPUT_POST, true);
       foreach ((array)$vals as $i => $val)
         $values[$i][$childcol] = $val;
     }
@@ -117,7 +116,7 @@
   }
   // assign values and subtypes
   else if (is_array($_POST[$fname])) {
-    $values = get_input_value($fname, RCUBE_INPUT_POST);
+    $values = get_input_value($fname, RCUBE_INPUT_POST, true);
     $subtypes = get_input_value('_subtype_' . $col, RCUBE_INPUT_POST);
     foreach ($values as $i => $val) {
       $subtype = $subtypes[$i] ? ':'.$subtypes[$i] : '';
@@ -125,7 +124,7 @@
     }
   }
   else if (isset($_POST[$fname])) {
-    $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST);
+    $a_record[$col] = get_input_value($fname, RCUBE_INPUT_POST, true);
   }
 }
 
@@ -190,7 +189,7 @@
       $record['name'] = $record['email'];
 
     foreach (array('name', 'email') as $col)
-      $a_js_cols[] = (string)$record[$col];
+      $a_js_cols[] = Q((string)$record[$col]);
 
     // update the changed col in list
     $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid);
diff --git a/program/steps/addressbook/search.inc b/program/steps/addressbook/search.inc
index 7d67755..8d25a8f 100644
--- a/program/steps/addressbook/search.inc
+++ b/program/steps/addressbook/search.inc
@@ -22,7 +22,7 @@
 $CONTACTS->set_page(1);
 $_SESSION['page'] = 1;
 
-$search = trim(get_input_value('_q', RCUBE_INPUT_GET));
+$search = trim(get_input_value('_q', RCUBE_INPUT_GET, true));
 $search_request = md5('addr'.$search);
 
 // get contacts for this user
diff --git a/program/steps/mail/search.inc b/program/steps/mail/search.inc
index 39fb32f..c038d77 100644
--- a/program/steps/mail/search.inc
+++ b/program/steps/mail/search.inc
@@ -27,10 +27,11 @@
 $imap_charset = RCMAIL_CHARSET;
 
 // get search string
-$str = get_input_value('_q', RCUBE_INPUT_GET);
-$filter = get_input_value('_filter', RCUBE_INPUT_GET);
-$mbox = get_input_value('_mbox', RCUBE_INPUT_GET);
+$str     = get_input_value('_q', RCUBE_INPUT_GET, true);
+$mbox    = get_input_value('_mbox', RCUBE_INPUT_GET, true);
+$filter  = get_input_value('_filter', RCUBE_INPUT_GET);
 $headers = get_input_value('_headers', RCUBE_INPUT_GET);
+
 $search_request = md5($mbox.$filter.$str);
 
 // add list filter string
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 4fb6a2a..b2957a7 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -22,17 +22,17 @@
 define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
 
 $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature', 'html_signature');
-$a_html_cols = array('signature');
+$a_html_cols = array('signature', 'name', 'organization');
 $a_boolean_cols = array('standard', 'html_signature');
 $updated = $default_id = false;
 
 // check input
 if (empty($_POST['_name']) || (empty($_POST['_email']) && IDENTITIES_LEVEL != 1 && IDENTITIES_LEVEL != 3))
-  {
+{
   $OUTPUT->show_message('formincomplete', 'warning');
   rcmail_overwrite_action('edit-identity');
   return;
-  }
+}
 
 
 $save_data = array();

--
Gitblit v1.9.1