From d5342aabcfeddb959cc286befe6de5bf35fe9d76 Mon Sep 17 00:00:00 2001 From: thomascube <thomas@roundcube.net> Date: Sun, 25 Nov 2007 14:45:38 -0500 Subject: [PATCH] More input sanitizing --- program/steps/mail/func.inc | 722 +++++++++++++++++++----------------------------------- 1 files changed, 258 insertions(+), 464 deletions(-) diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index d655a33..dd38016 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -5,7 +5,7 @@ | program/steps/mail/func.inc | | | | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005, RoundCube Dev. - Switzerland | + | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -25,22 +25,15 @@ $EMAIL_ADDRESS_PATTERN = '/([a-z0-9][a-z0-9\-\.\+\_]*@[a-z0-9]([a-z0-9\-][.]?)*[a-z0-9]\\.[a-z]{2,5})/i'; -if (empty($_SESSION['mbox'])){ +if (empty($_SESSION['mbox'])) $_SESSION['mbox'] = $IMAP->get_mailbox_name(); -} // set imap properties and session vars -if (strlen($_GET['_mbox'])) - { - $IMAP->set_mailbox($_GET['_mbox']); - $_SESSION['mbox'] = $_GET['_mbox']; - } +if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC)) + $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox)); -if (strlen($_GET['_page'])) - { - $IMAP->set_page($_GET['_page']); - $_SESSION['page'] = $_GET['_page']; - } +if (!empty($_GET['_page'])) + $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page']))); // set mailbox to INBOX if not set if (empty($_SESSION['mbox'])) 
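Review bot: `intval($_GET['_page'])` in the `@@ -25,22 +25,15 @@` hunk still lets zero and negative page numbers reach `$IMAP->set_page()` and `$_SESSION['page']`, because `!empty()` is true for inputs such as `-1` or `abc`. Clamping closes that: `$IMAP->set_page(($_SESSION['page'] = max(1, intval($_GET['_page']))));`. The `_mbox` line now reads with `RCUBE_INPUT_GPC`, which presumably also accepts a cookie value. If only the request itself is meant to select the mailbox, a narrower source would be safer; otherwise a comment should say why cookies are allowed.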
@@ -51,245 +44,41 @@ $_SESSION['sort_col'] = $CONFIG['message_sort_col']; if (!isset($_SESSION['sort_order'])) $_SESSION['sort_order'] = $CONFIG['message_sort_order']; - + +// set message set for search result +if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) + $IMAP->set_search_set($_SESSION['search'][$_REQUEST['_search']]); + // define url for getting message parts if (strlen($_GET['_uid'])) - $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), $_GET['_uid']); + $GET_URL = rcmail_url('get', array('_mbox'=>$IMAP->get_mailbox_name(), '_uid'=>get_input_value('_uid', RCUBE_INPUT_GET))); // set current mailbox in client environment -$OUTPUT->add_script(sprintf("%s.set_env('mailbox', '%s');", $JS_OBJECT_NAME, $IMAP->get_mailbox_name())); +$OUTPUT->set_env('mailbox', $IMAP->get_mailbox_name()); +$OUTPUT->set_env('quota', $IMAP->get_capability('quota')); if ($CONFIG['trash_mbox']) - $OUTPUT->add_script(sprintf("%s.set_env('trash_mailbox', '%s');", $JS_OBJECT_NAME, $CONFIG['trash_mbox'])); - + $OUTPUT->set_env('trash_mailbox', $CONFIG['trash_mbox']); if ($CONFIG['drafts_mbox']) - $OUTPUT->add_script(sprintf("%s.set_env('drafts_mailbox', '%s');", $JS_OBJECT_NAME, $CONFIG['drafts_mbox'])); - + $OUTPUT->set_env('drafts_mailbox', $CONFIG['drafts_mbox']); if ($CONFIG['junk_mbox']) - $OUTPUT->add_script(sprintf("%s.set_env('junk_mailbox', '%s');", $JS_OBJECT_NAME, $CONFIG['junk_mbox'])); + $OUTPUT->set_env('junk_mailbox', $CONFIG['junk_mbox']); -// return the mailboxlist in HTML -function rcmail_mailbox_list($attrib) - { - global $IMAP, $CONFIG, $OUTPUT, $JS_OBJECT_NAME, $COMM_PATH; - static $s_added_script = FALSE; - static $a_mailboxes; +if (!$OUTPUT->ajax_call) + rcube_add_label('checkingmail', 'deletemessage', 'movemessagetotrash'); - // add some labels to client - rcube_add_label('purgefolderconfirm'); - rcube_add_label('deletemessagesconfirm'); - -// $mboxlist_start = rcube_timer(); - - $type = 
$attrib['type'] ? $attrib['type'] : 'ul'; - $add_attrib = $type=='select' ? array('style', 'class', 'id', 'name', 'onchange') : - array('style', 'class', 'id'); - - if ($type=='ul' && !$attrib['id']) - $attrib['id'] = 'rcmboxlist'; +// set page title +if (empty($_action) || $_action == 'list') + $OUTPUT->set_pagetitle(rcube_charset_convert($IMAP->get_mailbox_name(), 'UTF-7')); - // allow the following attributes to be added to the <ul> tag - $attrib_str = create_attrib_string($attrib, $add_attrib); - - $out = '<' . $type . $attrib_str . ">\n"; - - // add no-selection option - if ($type=='select' && $attrib['noselection']) - $out .= sprintf('<option value="0">%s</option>'."\n", - rcube_label($attrib['noselection'])); - - // get mailbox list - $mbox_name = $IMAP->get_mailbox_name(); - - // for these mailboxes we have localized labels - $special_mailboxes = array('inbox', 'sent', 'drafts', 'trash', 'junk'); - - - // build the folders tree - if (empty($a_mailboxes)) - { - // get mailbox list - $a_folders = $IMAP->list_mailboxes(); - $delimiter = $IMAP->get_hierarchy_delimiter(); - $a_mailboxes = array(); - -// rcube_print_time($mboxlist_start, 'list_mailboxes()'); - - foreach ($a_folders as $folder) - rcmail_build_folder_tree($a_mailboxes, $folder, $delimiter); - } - -// var_dump($a_mailboxes); - - if ($type=='select') - $out .= rcmail_render_folder_tree_select($a_mailboxes, $special_mailboxes, $mbox_name, $attrib['maxlength']); - else - $out .= rcmail_render_folder_tree_html($a_mailboxes, $special_mailboxes, $mbox_name, $attrib['maxlength']); - -// rcube_print_time($mboxlist_start, 'render_folder_tree()'); - - - if ($type=='ul') - $OUTPUT->add_script(sprintf("%s.gui_object('mailboxlist', '%s');", $JS_OBJECT_NAME, $attrib['id'])); - - return $out . 
"</$type>"; - } - - - - -// create a hierarchical array of the mailbox list -function rcmail_build_folder_tree(&$arrFolders, $folder, $delm='/', $path='') - { - $pos = strpos($folder, $delm); - if ($pos !== false) - { - $subFolders = substr($folder, $pos+1); - $currentFolder = substr($folder, 0, $pos); - } - else - { - $subFolders = false; - $currentFolder = $folder; - } - - $path .= $currentFolder; - - if (!isset($arrFolders[$currentFolder])) - { - $arrFolders[$currentFolder] = array('id' => $path, - 'name' => rcube_charset_convert($currentFolder, 'UTF-7'), - 'folders' => array()); - } - - if (!empty($subFolders)) - rcmail_build_folder_tree($arrFolders[$currentFolder]['folders'], $subFolders, $delm, $path.$delm); - } - - -// return html for a structured list <ul> for the mailbox tree -function rcmail_render_folder_tree_html(&$arrFolders, &$special, &$mbox_name, $maxlength, $nestLevel=0) - { - global $JS_OBJECT_NAME, $COMM_PATH, $IMAP, $CONFIG, $OUTPUT; - - $idx = 0; - $out = ''; - foreach ($arrFolders as $key => $folder) - { - $zebra_class = ($nestLevel*$idx)%2 ? 
'even' : 'odd'; - $title = ''; - - $folder_lc = strtolower($folder['id']); - if (in_array($folder_lc, $special)) - $foldername = rcube_label($folder_lc); - else - { - $foldername = $folder['name']; - - // shorten the folder name to a given length - if ($maxlength && $maxlength>1) - { - $fname = abbrevate_string($foldername, $maxlength); - if ($fname != $foldername) - $title = ' title="'.rep_specialchars_output($foldername, 'html', 'all').'"'; - $foldername = $fname; - } - } - - // add unread message count display - if ($unread_count = $IMAP->messagecount($folder['id'], 'RECENT', ($folder['id']==$mbox_name))) - $foldername .= sprintf(' (%d)', $unread_count); - - // make folder name safe for ids and class names - $folder_css = $class_name = preg_replace('/[^a-z0-9\-_]/', '', $folder_lc); - - // set special class for Sent, Drafts, Trash and Junk - if ($folder['id']==$CONFIG['sent_mbox']) - $class_name = 'sent'; - else if ($folder['id']==$CONFIG['drafts_mbox']) - $class_name = 'drafts'; - else if ($folder['id']==$CONFIG['trash_mbox']) - $class_name = 'trash'; - else if ($folder['id']==$CONFIG['junk_mbox']) - $class_name = 'junk'; - - $js_name = htmlspecialchars(rep_specialchars_output($folder['id'], 'js')); - $out .= sprintf('<li id="rcmbx%s" class="mailbox %s %s%s%s"><a href="%s&_mbox=%s"'. - ' onclick="return %s.command(\'list\',\'%s\')"'. - ' onmouseover="return %s.focus_mailbox(\'%s\')"' . - ' onmouseout="return %s.unfocus_mailbox(\'%s\')"' . - ' onmouseup="return %s.mbox_mouse_up(\'%s\')"%s>%s</a>', - $folder_css, - $class_name, - $zebra_class, - $unread_count ? ' unread' : '', - $folder['id']==$mbox_name ? ' selected' : '', - $COMM_PATH, - urlencode($folder['id']), - $JS_OBJECT_NAME, - $js_name, - $JS_OBJECT_NAME, - $js_name, - $JS_OBJECT_NAME, - $js_name, - $JS_OBJECT_NAME, - $js_name, - $title, - rep_specialchars_output($foldername, 'html', 'all')); - - if (!empty($folder['folders'])) - $out .= "\n<ul>\n" . 
rcmail_render_folder_tree_html($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1) . "</ul>\n"; - - $out .= "</li>\n"; - $idx++; - } - - return $out; - } - - -// return html for a flat list <select> for the mailbox tree -function rcmail_render_folder_tree_select(&$arrFolders, &$special, &$mbox_name, $maxlength, $nestLevel=0) - { - global $IMAP, $OUTPUT; - - $idx = 0; - $out = ''; - foreach ($arrFolders as $key=>$folder) - { - $folder_lc = strtolower($folder['id']); - if (in_array($folder_lc, $special)) - $foldername = rcube_label($folder_lc); - else - { - $foldername = $folder['name']; - - // shorten the folder name to a given length - if ($maxlength && $maxlength>1) - $foldername = abbrevate_string($foldername, $maxlength); - } - - $out .= sprintf('<option value="%s">%s%s</option>'."\n", - htmlspecialchars($folder['id']), - str_repeat(' ', $nestLevel*4), - rep_specialchars_output($foldername, 'html', 'all')); - - if (!empty($folder['folders'])) - $out .= rcmail_render_folder_tree_select($folder['folders'], $special, $mbox_name, $maxlength, $nestLevel+1); - - $idx++; - } - - return $out; - } // return the message list as HTML table function rcmail_message_list($attrib) { - global $IMAP, $CONFIG, $COMM_PATH, $OUTPUT, $JS_OBJECT_NAME; + global $IMAP, $CONFIG, $COMM_PATH, $OUTPUT; $skin_path = $CONFIG['skin_path']; $image_tag = '<img src="%s%s" alt="%s" border="0" />'; 
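Review bot: The new `$GET_URL` line drops the integer coercion that the old `%d` format applied to `_uid`. The guard still tests the raw `strlen($_GET['_uid'])`, and `rcmail_url()` receives whatever string `get_input_value()` returns. Since a message UID is numeric, a cast keeps the old guarantee: `'_uid'=>intval(get_input_value('_uid', RCUBE_INPUT_GET))`. In the same hunk the capability is queried as `get_capability('quota')`, while `rcmail_quota_content()` further down asks for `'QUOTA'`; unless the lookup is case-insensitive, the two disagree. The hunk ends inside `rcmail_message_list()`, whose body continues outside it.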
@@ -317,9 +106,11 @@ // define list of cols to be displayed $a_show_cols = is_array($CONFIG['list_cols']) ? $CONFIG['list_cols'] : array('subject'); $a_sort_cols = array('subject', 'date', 'from', 'to', 'size'); + + $mbox = $IMAP->get_mailbox_name(); // show 'to' instead of from in sent messages - if (($IMAP->get_mailbox_name()==$CONFIG['sent_mbox'] || $IMAP->get_mailbox_name()==$CONFIG['drafts_mbox']) && ($f = array_search('from', $a_show_cols)) + if (($mbox==$CONFIG['sent_mbox'] || $mbox==$CONFIG['drafts_mbox']) && ($f = array_search('from', $a_show_cols)) && !array_search('to', $a_show_cols)) $a_show_cols[$f] = 'to'; @@ -340,7 +131,7 @@ foreach ($a_show_cols as $col) { // get column name - $col_name = rep_specialchars_output(rcube_label($col)); + $col_name = Q(rcube_label($col)); // make sort links $sort = ''; 
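Review bot: The rewritten condition in the `@@ -317,9 +106,11 @@` hunk still tests `array_search()` by truthiness, so a `from` column at index 0 is never swapped for `to`, and a `to` column at index 0 is treated as absent. `rcmail_js_message_list()` gets the strict form later in this same patch, and the two functions should agree: `&& (($f = array_search('from', $a_show_cols)) !== false) && array_search('to', $a_show_cols) === false)`. The enclosing function starts and ends outside the hunk.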
@@ -354,31 +145,34 @@ // asc link if (!empty($attrib['sortascbutton'])) { - $sort .= rcube_button(array('command' => 'sort', - 'prop' => $col.'_ASC', - 'image' => $attrib['sortascbutton'], - 'align' => 'absmiddle', - 'title' => 'sortasc')); + $sort .= $OUTPUT->button(array( + 'command' => 'sort', + 'prop' => $col.'_ASC', + 'image' => $attrib['sortascbutton'], + 'align' => 'absmiddle', + 'title' => 'sortasc')); } // desc link if (!empty($attrib['sortdescbutton'])) { - $sort .= rcube_button(array('command' => 'sort', - 'prop' => $col.'_DESC', - 'image' => $attrib['sortdescbutton'], - 'align' => 'absmiddle', - 'title' => 'sortdesc')); + $sort .= $OUTPUT->button(array( + 'command' => 'sort', + 'prop' => $col.'_DESC', + 'image' => $attrib['sortdescbutton'], + 'align' => 'absmiddle', + 'title' => 'sortdesc')); } } // just add a link tag to the header else { - $col_name = sprintf('<a href="./#sort" onclick="return %s.command(\'sort\',\'%s\',this)" title="%s">%s</a>', - $JS_OBJECT_NAME, - $col, - rcube_label('sortby'), - $col_name); + $col_name = sprintf( + '<a href="./#sort" onclick="return %s.command(\'sort\',\'%s\',this)" title="%s">%s</a>', + JS_OBJECT_NAME, + $col, + rcube_label('sortby'), + $col_name); } } @@ -393,12 +187,7 @@ // no messages in this mailbox if (!sizeof($a_headers)) - { - $out .= rep_specialchars_output( - sprintf('<tr><td colspan="%d">%s</td></tr>', - sizeof($a_show_cols)+2, - rcube_label('nomessagesfound'))); - } + $OUTPUT->show_message('nomessagesfound', 'notice'); $a_js_message_arr = array(); @@ -427,7 +216,7 @@ else if ($attrib['messageicon']) $message_icon = $attrib['messageicon']; - // set attachment icon + // set attachment icon if ($attrib['attachmenticon'] && preg_match("/multipart\/[mr]/i", $header->ctype)) $attach_icon = $attrib['attachmenticon']; 
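Review bot: In the re-indented `sprintf` for the sort link, `rcube_label('sortby')` is written into the `title="%s"` attribute without escaping, while the column label beside it is wrapped in `Q()`. A translation containing a double quote would break out of the attribute. Assuming `Q()`'s default mode escapes quotes, `Q(rcube_label('sortby'))` makes the two consistent. `$col` is also placed unescaped inside the single-quoted JavaScript argument; it comes from `$CONFIG['list_cols']`, so it is presumably trusted, but a short comment saying so would help the next reader.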
@@ -438,26 +227,28 @@ $zebra_class); $out .= sprintf("<td class=\"icon\">%s</td>\n", $message_icon ? sprintf($image_tag, $skin_path, $message_icon, '') : ''); - + // format each col foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = rep_specialchars_output(rcmail_address_string($header->$col, 3, $attrib['addicon'])); + $cont = Q(rcmail_address_string($header->$col, 3, $attrib['addicon']), 'show'); else if ($col=='subject') { - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); - // firefox/mozilla temporary workaround to pad subject with content so that whitespace in rows responds to drag+drop - $cont .= '<img src="./program/blank.gif" height="5" width="1000" alt="" />'; + $action = $mbox==$CONFIG['drafts_mbox'] ? 'compose' : 'show'; + $uid_param = $mbox==$CONFIG['drafts_mbox'] ? '_draf_uid' : '_uid'; + $cont = Q(rcube_imap::decode_mime_string($header->$col, $header->charset)); + if (empty($cont)) $cont = Q(rcube_label('nosubject')); + $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), $cont); } else if ($col=='size') $cont = show_bytes($header->$col); else if ($col=='date') - $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); + $cont = format_date($header->date); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); - $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; + $out .= '<td class="'.$col.'">' . $cont . "</td>\n"; } $out .= sprintf("<td class=\"icon\">%s</td>\n", $attach_icon ? sprintf($image_tag, $skin_path, $attach_icon, '') : ''); 
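Review bot: `Q(rcmail_address_string(...), 'show')` on the from/to cell passes sender-controlled header text through a mode that, judging by its use on HTML message bodies in `rcmail_print_body()`, leaves markup intact. That would make `rcmail_address_string()` the only place where display names and addresses are escaped, and that function is not part of this hunk. Once confirmed, the dependency deserves a comment on the call, e.g. `// 'show' keeps the link markup; names are escaped inside rcmail_address_string()`. The same call appears in the `@@ -474,71 +265,76 @@` and `@@ -1047,12 +829,12 @@` hunks.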
@@ -474,71 +265,76 @@ $message_count = $IMAP->messagecount(); // set client env - $javascript .= sprintf("%s.gui_object('mailcontframe', '%s');\n", $JS_OBJECT_NAME, 'mailcontframe'); - $javascript .= sprintf("%s.gui_object('messagelist', '%s');\n", $JS_OBJECT_NAME, $attrib['id']); - $javascript .= sprintf("%s.set_env('messagecount', %d);\n", $JS_OBJECT_NAME, $message_count); - $javascript .= sprintf("%s.set_env('current_page', %d);\n", $JS_OBJECT_NAME, $IMAP->list_page); - $javascript .= sprintf("%s.set_env('pagecount', %d);\n", $JS_OBJECT_NAME, ceil($message_count/$IMAP->page_size)); - $javascript .= sprintf("%s.set_env('sort_col', '%s');\n", $JS_OBJECT_NAME, $sort_col); - $javascript .= sprintf("%s.set_env('sort_order', '%s');\n", $JS_OBJECT_NAME, $sort_order); + $OUTPUT->add_gui_object('mailcontframe', 'mailcontframe'); + $OUTPUT->add_gui_object('messagelist', $attrib['id']); + $OUTPUT->set_env('messagecount', $message_count); + $OUTPUT->set_env('current_page', $IMAP->list_page); + $OUTPUT->set_env('pagecount', ceil($message_count/$IMAP->page_size)); + $OUTPUT->set_env('sort_col', $sort_col); + $OUTPUT->set_env('sort_order', $sort_order); if ($attrib['messageicon']) - $javascript .= sprintf("%s.set_env('messageicon', '%s%s');\n", $JS_OBJECT_NAME, $skin_path, $attrib['messageicon']); + $OUTPUT->set_env('messageicon', $skin_path . $attrib['messageicon']); if ($attrib['deletedicon']) - $javascript .= sprintf("%s.set_env('deletedicon', '%s%s');\n", $JS_OBJECT_NAME, $skin_path, $attrib['deletedicon']); + $OUTPUT->set_env('deletedicon', $skin_path . $attrib['deletedicon']); if ($attrib['unreadicon']) - $javascript .= sprintf("%s.set_env('unreadicon', '%s%s');\n", $JS_OBJECT_NAME, $skin_path, $attrib['unreadicon']); + $OUTPUT->set_env('unreadicon', $skin_path . 
$attrib['unreadicon']); if ($attrib['repliedicon']) - $javascript .= sprintf("%s.set_env('repliedicon', '%s%s');\n", $JS_OBJECT_NAME, $skin_path, $attrib['repliedicon']); + $OUTPUT->set_env('repliedicon', $skin_path . $attrib['repliedicon']); if ($attrib['attachmenticon']) - $javascript .= sprintf("%s.set_env('attachmenticon', '%s%s');\n", $JS_OBJECT_NAME, $skin_path, $attrib['attachmenticon']); - - $javascript .= sprintf("%s.set_env('messages', %s);", $JS_OBJECT_NAME, array2js($a_js_message_arr)); + $OUTPUT->set_env('attachmenticon', $skin_path . $attrib['attachmenticon']); - $OUTPUT->add_script($javascript); + $OUTPUT->set_env('messages', $a_js_message_arr); + $OUTPUT->include_script('list.js'); return $out; } - - // return javascript commands to add rows to the message list function rcmail_js_message_list($a_headers, $insert_top=FALSE) { - global $CONFIG, $IMAP; + global $CONFIG, $IMAP, $OUTPUT; - $commands = ''; $a_show_cols = is_array($CONFIG['list_cols']) ? $CONFIG['list_cols'] : array('subject'); + $mbox = $IMAP->get_mailbox_name(); // show 'to' instead of from in sent messages - if (strtolower($IMAP->get_mailbox_name())=='sent' && ($f = array_search('from', $a_show_cols)) - && !array_search('to', $a_show_cols)) + if (($mbox == $CONFIG['sent_mbox'] || $mbox == $CONFIG['drafts_mbox']) + && (($f = array_search('from', $a_show_cols)) !== false) && array_search('to', $a_show_cols) === false) $a_show_cols[$f] = 'to'; - $commands .= sprintf("this.set_message_coltypes(%s);\n", array2js($a_show_cols)); + $OUTPUT->command('set_message_coltypes', $a_show_cols); // loop through message headers - for ($n=0; $a_headers[$n]; $n++) + foreach ($a_headers as $n => $header) { - $header = $a_headers[$n]; $a_msg_cols = array(); $a_msg_flags = array(); - + + if (empty($header)) + continue; + // format each col; similar as in rcmail_message_list() foreach ($a_show_cols as $col) { if ($col=='from' || $col=='to') - $cont = 
rep_specialchars_output(rcmail_address_string($header->$col, 3), 'html'); + $cont = Q(rcmail_address_string($header->$col, 3), 'show'); else if ($col=='subject') - $cont = rep_specialchars_output($IMAP->decode_header($header->$col), 'html', 'all'); + { + $action = $mbox==$CONFIG['drafts_mbox'] ? 'compose' : 'show'; + $uid_param = $mbox==$CONFIG['drafts_mbox'] ? '_draf_uid' : '_uid'; + $cont = Q(rcube_imap::decode_mime_string($header->$col, $header->charset)); + if (!$cont) $cont = Q(rcube_label('nosubject')); + $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), $cont); + } else if ($col=='size') $cont = show_bytes($header->$col); else if ($col=='date') - $cont = format_date($header->date); //date('m.d.Y G:i:s', strtotime($header->date)); + $cont = format_date($header->date); else - $cont = rep_specialchars_output($header->$col, 'html', 'all'); + $cont = Q($header->$col); $a_msg_cols[$col] = $cont; } @@ -546,22 +342,20 @@ $a_msg_flags['deleted'] = $header->deleted ? 1 : 0; $a_msg_flags['unread'] = $header->seen ? 0 : 1; $a_msg_flags['replied'] = $header->answered ? 1 : 0; - $commands .= sprintf("this.add_message_row(%s, %s, %s, %b, %b);\n", - $header->uid, - array2js($a_msg_cols), - array2js($a_msg_flags), - preg_match("/multipart\/m/i", $header->ctype), - $insert_top); + $OUTPUT->command('add_message_row', + $header->uid, + $a_msg_cols, + $a_msg_flags, + preg_match("/multipart\/m/i", $header->ctype), + $insert_top); } - - return $commands; } // return an HTML iframe for loading mail content function rcmail_messagecontent_frame($attrib) { - global $OUTPUT, $JS_OBJECT_NAME; + global $OUTPUT; if (empty($attrib['id'])) $attrib['id'] = 'rcmailcontentwindow'; 
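Review bot: `'_draf_uid'` in the subject-link code looks like a misspelling of `_draft_uid`. The parameter name the compose step reads is not visible here, so this needs checking; the same literal appears in the `@@ -438,26 +227,28 @@` hunk. The lines that build the subject link are also duplicated between `rcmail_message_list()` and `rcmail_js_message_list()`, with `empty($cont)` in one and `!$cont` in the other, so a shared helper would keep them from drifting. Both tests treat a subject of `0` as missing and replace it with the `nosubject` label.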
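Review bot: `rcmail_js_message_list()` no longer returns anything: `return $commands;` is removed and the rows are queued through `$OUTPUT->command()` instead. The callers are outside this hunk, so any that still print or concatenate the return value will now emit nothing and need to be updated in the same change. The function's header comment still says "return javascript commands" and should be updated to match. `preg_match()` is also passed through as the attachment flag without a cast; `(bool)preg_match("/multipart\/m/i", $header->ctype)` would make the type sent to the client explicit.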
@@ -574,52 +368,21 @@ $framename, $attrib_str); - $OUTPUT->add_script("$JS_OBJECT_NAME.set_env('contentframe', '$framename');"); + $OUTPUT->set_env('contentframe', $framename); + $OUTPUT->set_env('blankpage', $attrib['src'] ? $OUTPUT->abs_url($attrib['src']) : 'program/blank.gif'); return $out; } -// return code for search function -function rcmail_search_form($attrib) - { - global $OUTPUT, $JS_OBJECT_NAME; - - // add some labels to client - rcube_add_label('searching'); - - $attrib['name'] = '_q'; - - if (empty($attrib['id'])) - $attrib['id'] = 'rcmqsearchbox'; - - $input_q = new textfield($attrib); - $out = $input_q->show(); - - $OUTPUT->add_script(sprintf("%s.gui_object('qsearchbox', '%s');", - $JS_OBJECT_NAME, - $attrib['id'])); - - // add form tag around text field - if (empty($attrib['form'])) - $out = sprintf('<form name="rcmqsearchform" action="./" '. - 'onsubmit="%s.command(\'search\');return false" style="display:inline;">%s</form>', - $JS_OBJECT_NAME, - $out); - - return $out; - } - function rcmail_messagecount_display($attrib) { - global $IMAP, $OUTPUT, $JS_OBJECT_NAME; + global $IMAP, $OUTPUT; if (!$attrib['id']) $attrib['id'] = 'rcmcountdisplay'; - $OUTPUT->add_script(sprintf("%s.gui_object('countdisplay', '%s');", - $JS_OBJECT_NAME, - $attrib['id'])); + $OUTPUT->add_gui_object('countdisplay', $attrib['id']); // allow the following attributes to be added to the <span> tag $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); 
@@ -634,15 +397,26 @@ function rcmail_quota_display($attrib) { - global $IMAP, $OUTPUT, $JS_OBJECT_NAME, $COMM_PATH; + global $OUTPUT, $COMM_PATH; if (!$attrib['id']) $attrib['id'] = 'rcmquotadisplay'; - $OUTPUT->add_script(sprintf("%s.gui_object('quotadisplay', '%s');", $JS_OBJECT_NAME, $attrib['id'])); + $OUTPUT->add_gui_object('quotadisplay', $attrib['id']); // allow the following attributes to be added to the <span> tag $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); + + $out = '<span' . $attrib_str . '>'; + $out .= rcmail_quota_content($attrib['display']); + $out .= '</span>'; + return $out; + } + + +function rcmail_quota_content($display) + { + global $IMAP, $COMM_PATH; if (!$IMAP->get_capability('QUOTA')) $quota_text = rcube_label('unknown'); @@ -654,11 +428,10 @@ $quota["percent"]); // show quota as image (by Brett Patterson) - if ($attrib['display'] == 'image' && function_exists('imagegif')) + if ($display == 'image' && function_exists('imagegif')) { - $attrib += array('width' => 100, 'height' => 14); - $quota_text = sprintf('<img src="%s&_action=quotaimg&u=%s&q=%d&w=%d&h=%d" width="%d" height="%d" alt="%s" title="%s / %s" />', - $COMM_PATH, + $attrib = array('width' => 100, 'height' => 14); + $quota_text = sprintf('<img src="./bin/quotaimg.php?u=%s&q=%d&w=%d&h=%d" width="%d" height="%d" alt="%s" title="%s / %s" />', $quota['used'], $quota['total'], $attrib['width'], $attrib['height'], $attrib['width'], $attrib['height'], @@ -669,12 +442,8 @@ } else $quota_text = rcube_label('unlimited'); - - $out = '<span' . $attrib_str . '>'; - $out .= $quota_text; - $out .= '</span>'; - return $out; + return $quota_text; } 
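Review bot: The quota image now points at `./bin/quotaimg.php` instead of `$COMM_PATH&_action=quotaimg`, so the request presumably no longer passes through the main dispatcher and whatever session check it applies. The script is not part of this view; it should bound `w` and `h` and cast `u` and `q` itself, because those query parameters are now reachable directly. With `$attrib` replaced by a local array, the template can no longer override width and height. `$COMM_PATH` is left unused in the `global` lines of both `rcmail_quota_display()` and `rcmail_quota_content()`.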
@@ -703,16 +472,24 @@ 'to' => min($max, $start_msg + $IMAP->page_size - 1), 'count' => $max))); - return rep_specialchars_output($out); + return Q($out); } function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) { - global $IMAP, $REMOTE_OBJECTS, $JS_OBJECT_NAME; + global $IMAP, $REMOTE_OBJECTS; $body = is_array($part->replaces) ? strtr($part->body, $part->replaces) : $part->body; + // convert html to text/plain + if ($part->ctype_secondary=='html' && $plain) + { + $txt = new html2text($body, false, true); + $body = $txt->get_text(); + $part->ctype_secondary = 'plain'; + } + // text/html if ($part->ctype_secondary=='html') { @@ -729,7 +506,7 @@ '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i', '/<script.+<\/script>/Umis'); - $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4', + $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4', '', '', '', @@ -750,13 +527,13 @@ $body = preg_replace($remote_patterns, $remote_replaces, $body); } - return rep_specialchars_output($body, 'html', '', FALSE); + return Q($body, 'show', FALSE); } // text/enriched if ($part->ctype_secondary=='enriched') { - return rep_specialchars_output(enriched_to_html($body), 'html'); + return Q(enriched_to_html($body), 'show'); } else { @@ -773,7 +550,7 @@ $convert_replaces[] = "rcmail_str_replacement('\\1<a href=\"http://\\2\\3\" target=\"_blank\">\\2\\3</a>', \$replace_strings)"; $convert_patterns[] = '/([a-z0-9][a-z0-9\-\.\+\_]*@[a-z0-9]([a-z0-9\-][.]?)*[a-z0-9]\\.[a-z]{2,5})/ie'; - $convert_replaces[] = "rcmail_str_replacement('<a href=\"mailto:\\1\" onclick=\"return $JS_OBJECT_NAME.command(\'compose\',\'\\1\',this)\">\\1</a>', \$replace_strings)"; + $convert_replaces[] = "rcmail_str_replacement('<a href=\"mailto:\\1\" onclick=\"return ".JS_OBJECT_NAME.".command(\'compose\',\'\\1\',this)\">\\1</a>', \$replace_strings)"; if ($part->ctype_parameters['format'] != 'flowed') $body = wordwrap(trim($body), 80); 
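Review bot: The html-to-text branch rewrites `$part->ctype_secondary` to `'plain'` on the object the caller passed in, and `rcmail_message_body()` then tests that field to decide whether to run `rcmail_sanitize_html()` on the result. That coupling is undocumented; the function comment should state it, e.g. `// NOTE: sets $part->ctype_secondary to 'plain' when HTML is converted; callers test it afterwards`. It also only holds when `$part` is shared by handle. If a copy is passed, the converted text would presumably still take the HTML path. `rcmail_print_body()` continues past the end of this hunk.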
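Review bot: The changed replacement string in the `@@ -773,7 +550,7 @@` hunk is evaluated as PHP because its pattern carries the `e` modifier, and the matched address `\\1` is spliced into single-quoted literals inside that code. This is safe only while the address pattern cannot match a quote or backslash, and nothing beside the line records that invariant. A comment stating it is the minimum; `preg_replace_callback()` would remove the evaluated string altogether.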
@@ -805,7 +582,7 @@ $quotation = str_repeat("</blockquote>", $quote_level); $quote_level = $q; - $a_lines[$n] = $quotation . rep_specialchars_output($line, 'html', 'replace', FALSE); + $a_lines[$n] = $quotation . Q($line, 'replace', FALSE); } // insert the links for urls and mailtos @@ -865,6 +642,7 @@ foreach ($structure->parts as $p => $sub_part) { + $rel_parts = $attachmnts = null; $sub_ctype_primary = strtolower($sub_part->ctype_primary); $sub_ctype_secondary = strtolower($sub_part->ctype_secondary); @@ -875,19 +653,22 @@ $html_part = $p; else if ($sub_ctype_primary=='text' && $sub_ctype_secondary=='enriched') $enriched_part = $p; - else if ($sub_ctype_primary=='multipart' && $sub_ctype_secondary=='related') + else if ($sub_ctype_primary=='multipart' && ($sub_ctype_secondary=='related' || $sub_ctype_secondary=='mixed')) $related_part = $p; } - + // parse related part (alternative part could be in here) - if ($related_part!==NULL && $prefer_html) - { - list($parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE); - $a_return_parts = array_merge($a_return_parts, $parts); + if ($related_part!==NULL) + { + list($rel_parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE); $a_attachments = array_merge($a_attachments, $attachmnts); - } + } + + // merge related parts if any + if ($rel_parts && $prefer_html && !$html_part) + $a_return_parts = array_merge($a_return_parts, $rel_parts); - // print html/plain part + // choose html/plain part to print else if ($html_part!==NULL && $prefer_html) $print_part = &$structure->parts[$html_part]; else if ($enriched_part!==NULL) @@ -902,7 +683,7 @@ $a_return_parts[] = $print_part; } // show plaintext warning - else if ($html_part!==NULL) + else if ($html_part!==NULL && empty($a_return_parts)) { $c = new stdClass; $c->type = 'content'; 
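Review bot: `!$html_part` in the new `if ($rel_parts && $prefer_html && !$html_part)` is also true when the HTML part has key 0, whereas every other test in this block uses `$html_part!==NULL`. In that case the related parts are merged and, because the chain continues with `else if`, the HTML part itself is never selected. Writing `$html_part===NULL` keeps the checks consistent. The loop and function this belongs to start outside the hunk.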
@@ -961,30 +742,27 @@ // part is file/attachment else if ($mail_part->disposition=='attachment' || $mail_part->disposition=='inline' || $mail_part->headers['content-id'] || - (empty($mail_part->disposition) && ($mail_part->d_parameters['filename'] || $mail_part->ctype_parameters['name']))) + (empty($mail_part->disposition) && $mail_part->filename)) { - // skip apple ressource files + // skip apple resource forks if ($message_ctype_secondary=='appledouble' && $secondary_type=='applefile') continue; // part belongs to a related message if ($message_ctype_secondary=='related' && $mail_part->headers['content-id']) { - $mail_part->filename = rcube_imap::decode_mime_string($mail_part->d_parameters['filename']); $mail_part->content_id = preg_replace(array('/^</', '/>$/'), '', $mail_part->headers['content-id']); $sa_inline_objects[] = $mail_part; } // is regular attachment - else if (($fname = $mail_part->d_parameters['filename']) || - ($fname = $mail_part->ctype_parameters['name']) || - ($fname = $mail_part->headers['content-description'])) + else { - $mail_part->filename = rcube_imap::decode_mime_string($fname); + if (!$mail_part->filename) + $mail_part->filename = 'file_'.$mail_part->mime_id; $a_attachments[] = $mail_part; } } } - // if this was a related part try to resolve references if ($message_ctype_secondary=='related' && sizeof($sa_inline_objects)) @@ -1003,6 +781,10 @@ } } } + + // message is single part non-text + else if ($structure->filename) + $a_attachments[] = $structure; return array($a_return_parts, $a_attachments); } @@ -1029,7 +811,7 @@ // get associative array of headers object if (!$headers) $headers = is_object($MESSAGE['headers']) ? get_object_vars($MESSAGE['headers']) : $MESSAGE['headers']; - + $header_count = 0; // allow the following attributes to be added to the <table> tag 
@@ -1047,12 +829,12 @@ if ($hkey=='date' && !empty($headers[$hkey])) $header_value = format_date(strtotime($headers[$hkey])); else if (in_array($hkey, array('from', 'to', 'cc', 'bcc', 'reply-to'))) - $header_value = rep_specialchars_output(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon'])); + $header_value = Q(rcmail_address_string($headers[$hkey], NULL, $attrib['addicon']), 'show'); else - $header_value = rep_specialchars_output($IMAP->decode_header($headers[$hkey]), '', 'all'); + $header_value = Q(rcube_imap::decode_mime_string($headers[$hkey], $headers['charset'])); $out .= "\n<tr>\n"; - $out .= '<td class="header-title">'.rep_specialchars_output(rcube_label($hkey)).": </td>\n"; + $out .= '<td class="header-title">'.Q(rcube_label($hkey)).": </td>\n"; $out .= '<td class="'.$hkey.'" width="90%">'.$header_value."</td>\n</tr>"; $header_count++; } @@ -1066,7 +848,7 @@ function rcmail_message_body($attrib) { - global $CONFIG, $OUTPUT, $MESSAGE, $IMAP, $GET_URL, $REMOTE_OBJECTS, $JS_OBJECT_NAME; + global $CONFIG, $OUTPUT, $MESSAGE, $IMAP, $GET_URL, $REMOTE_OBJECTS; if (!is_array($MESSAGE['parts']) && !$MESSAGE['body']) return ''; @@ -1074,7 +856,7 @@ if (!$attrib['id']) $attrib['id'] = 'rcmailMsgBody'; - $safe_mode = (bool)$_GET['_safe']; + $safe_mode = intval($_GET['_safe']); $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); $out = '<div '. $attrib_str . ">\n"; @@ -1111,11 +893,11 @@ if (!isset($part->body)) $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part); - $body = rcmail_print_body($part, $safe_mode); + $body = rcmail_print_body($part, $safe_mode, !$CONFIG['prefer_html']); $out .= '<div class="message-part">'; if ($part->ctype_secondary != 'plain') - $out .= rcmail_mod_html_body($body, $attrib['id']); + $out .= rcmail_sanitize_html($body, $attrib['id']); else $out .= $body; 
@@ -1131,8 +913,8 @@ $ctype_secondary = strtolower($MESSAGE['structure']->ctype_secondary); // list images after mail body - if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' && $ctype_secondary=='mixed' && - sizeof($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL)) + if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' && + !empty($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL)) { foreach ($MESSAGE['attachments'] as $attach_prop) { @@ -1146,7 +928,7 @@ // tell client that there are blocked remote objects if ($REMOTE_OBJECTS && !$safe_mode) - $OUTPUT->add_script(sprintf("%s.set_env('blockedobjects', true);", $JS_OBJECT_NAME)); + $OUTPUT->set_env('blockedobjects', true); $out .= "\n</div>"; return $out; @@ -1155,13 +937,18 @@ // modify a HTML message that it can be displayed inside a HTML page -function rcmail_mod_html_body($body, $container_id) +function rcmail_sanitize_html($body, $container_id) { // remove any null-byte characters before parsing $body = preg_replace('/\x00/', '', $body); + $base_url = ""; $last_style_pos = 0; $body_lc = strtolower($body); + + // check for <base href> + if (preg_match(($base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i'), $body, $base_regs)) + $base_url = $base_regs[2]; // find STYLE tags while (($pos = strpos($body_lc, '<style', $last_style_pos)) && ($pos2 = strpos($body_lc, '</style>', $pos))) @@ -1169,9 +956,10 @@ $pos = strpos($body_lc, '>', $pos)+1; // replace all css definitions with #container [def] - $styles = rcmail_mod_css_styles(substr($body, $pos, $pos2-$pos), $container_id); + $styles = rcmail_mod_css_styles(substr($body, $pos, $pos2-$pos), $container_id, $base_url); - $body = substr($body, 0, $pos) . $styles . substr($body, $pos2); + $body = substr($body, 0, $pos) . $styles . substr($body, $pos2); + $body_lc = strtolower($body); $last_style_pos = $pos2; } 
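Review bot: `[hftps]{3,5}` in the new `$base_reg` is a character class, not a list of schemes, so it accepts any 3–5 character mix of those letters. The captured `$base_url` comes straight from the message body, is handed to `rcmail_mod_css_styles()`, and is later interpolated into `/e` replacement strings, so the pattern should be as narrow as possible. `'/(<base.*href=["\']?)((?:https?|ftp):\/{2}[^"\'\s]+)([^<]*>)/i'` names the schemes and keeps the group numbering. A comment noting that `$base_url` is untrusted would help whoever touches the later replacements.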
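Review bot: `$last_style_pos = $pos2;` in the `@@ -1169,9 +956,10 @@` hunk still uses the offset of `</style>` from before the replacement, although `$body` and `$body_lc` have just been rebuilt with `$styles`, whose length can differ from the original CSS. If the rewritten block is shorter, the next search starts past the real end of this block and can skip a following `<style>` element, leaving its rules unscoped. Deriving the offset from the new string avoids that: `$last_style_pos = $pos + strlen($styles);`. The loop header is in unchanged lines above the hunk.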
@@ -1179,86 +967,80 @@ // remove SCRIPT tags foreach (array('script', 'applet', 'object', 'embed', 'iframe') as $tag) { - while (($pos = strpos($body_lc, '<'.$tag)) && ($pos2 = strpos($body_lc, '</'.$tag.'>', $pos))) + while (($pos = strpos($body_lc, '<'.$tag)) && (($pos2 = strpos($body_lc, '</'.$tag.'>', $pos)) || ($pos3 = strpos($body_lc, '>', $pos)))) { - $pos2 += 8; - $body = substr($body, 0, $pos) . substr($body, $pos2, strlen($body)-$pos2); + $end = $pos2 ? $pos2 + strlen('</'.$tag.'>') : $pos3 + 1; + $body = substr($body, 0, $pos) . substr($body, $end, strlen($body)-$end); $body_lc = strtolower($body); } } // replace event handlers on any object - $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body); + while ($body != $prev_body) + { + $prev_body = $body; + $body = preg_replace('/(<[^!][^>]*\s)(on[^=>]+)=([^>]+>)/im', '$1__removed=$3', $body); + $body = preg_replace('/(<[^!][^>]*\shref=["\']?)(javascript:)([^>]*?>)/im', '$1null:$3', $body); + } // resolve <base href> - $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i'; - if (preg_match($base_reg, $body, $regs)) + if ($base_url) { - $base_url = $regs[2]; $body = preg_replace('/(src|background|href)=(["\']?)([\.\/]+[^"\'\s]+)(\2|\s|>)/Uie', "'\\1=\"'.make_absolute_url('\\3', '$base_url').'\"'", $body); $body = preg_replace('/(url\s*\()(["\']?)([\.\/]+[^"\'\)\s]+)(\2)\)/Uie', "'\\1\''.make_absolute_url('\\3', '$base_url').'\')'", $body); $body = preg_replace($base_reg, '', $body); } // modify HTML links to open a new window if clicked - $body = preg_replace('/<a\s+([^>]+)>/Uie', "rcmail_alter_html_link('\\1');", $body); + $body = preg_replace('/<(a|link)\s+([^>]+)>/Uie', "rcmail_alter_html_link('\\1','\\2', '$container_id');", $body); // add comments arround html and other tags - $out = preg_replace(array('/(<\/?html[^>]*>)/i', - '/(<\/?head[^>]*>)/i', - '/(<title[^>]*>.*<\/title>)/Ui', - '/(<\/?meta[^>]*>)/i'), - '<!--\\1-->', - $body); + $out = preg_replace(array( + 
'/(<!DOCTYPE.+)/i', + '/(<\/?html[^>]*>)/i', + '/(<\/?head[^>]*>)/i', + '/(<title[^>]*>.*<\/title>)/Ui', + '/(<\/?meta[^>]*>)/i'), + '<!--\\1-->', + $body); - $out = preg_replace(array('/(<body[^>]*>)/i', - '/(<\/body>)/i'), - array('<div class="rcmBody">', - '</div>'), - $out); + $out = preg_replace( + array( + '/<body([^>]*)>/i', + '/<\/body>/i', + ), + array( + '<div class="rcmBody"\\1>', + '</div>', + ), + $out); + + // quote <? of php and xml files that are specified as text/html + $out = preg_replace(array('/<\?/', '/\?>/'), array('<?', '?>'), $out); return $out; } // parse link attributes and set correct target -function rcmail_alter_html_link($in) +function rcmail_alter_html_link($tag, $attrs, $container_id) { - $attrib = parse_attrib_string($in); + $in = preg_replace('/=([^("|\'|\s)]+)(\s|$)/', '="\1"', $in); + $attrib = parse_attrib_string($attrs); + + if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) + $attrib['href'] = "./bin/modcss.php?u=" . urlencode($attrib['href']) . "&c=" . urlencode($container_id); - if (stristr((string)$attrib['href'], 'mailto:')) - $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)", - $GLOBALS['JS_OBJECT_NAME'], - substr($attrib['href'], 7)); + else if (stristr((string)$attrib['href'], 'mailto:')) + $attrib['onclick'] = sprintf( + "return %s.command('compose','%s',this)", + JS_OBJECT_NAME, + JQ(substr($attrib['href'], 7))); + else if (!empty($attrib['href']) && $attrib['href']{0}!='#') $attrib['target'] = '_blank'; - - return '<a' . create_attrib_string($attrib, array('href', 'name', 'target', 'onclick', 'id', 'class', 'style', 'title')) . 
'>'; - } - -// replace all css definitions with #container [def] -function rcmail_mod_css_styles($source, $container_id) - { - $a_css_values = array(); - $last_pos = 0; - - // cut out all contents between { and } - while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) - { - $key = sizeof($a_css_values); - $a_css_values[$key] = substr($source, $pos+1, $pos2-($pos+1)); - $source = substr($source, 0, $pos+1) . "<<str_replacement[$key]>>" . substr($source, $pos2, strlen($source)-$pos2); - $last_pos = $pos+2; - } - - $styles = preg_replace('/(^\s*|,\s*)([a-z0-9\._][a-z0-9\.\-_]*)/im', "\\1#$container_id \\2", $source); - $styles = preg_replace('/<<str_replacement\[([0-9]+)\]>>/e', "\$a_css_values[\\1]", $styles); - - // replace body definition because we also stripped off the <body> tag - $styles = preg_replace("/$container_id\s+body/i", "$container_id div.rcmBody", $styles); - - return $styles; + return "<$tag" . create_attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . ' />'; } @@ -1350,7 +1132,7 @@ // decode address string and re-format it as HTML links function rcmail_address_string($input, $max=NULL, $addicon=NULL) { - global $IMAP, $PRINT_MODE, $CONFIG, $OUTPUT, $JS_OBJECT_NAME, $EMAIL_ADDRESS_PATTERN; + global $IMAP, $PRINT_MODE, $CONFIG, $OUTPUT, $EMAIL_ADDRESS_PATTERN; $a_parts = $IMAP->decode_address_list($input); 
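Review bot: In rcmail_alter_html_link the added line `$in = preg_replace('/=([^("|\'|\s)]+)(\s|$)/', '="\1"', $in);` reads and writes `$in`, which is no longer a parameter after the signature change. The quoting of bare attribute values therefore never reaches `parse_attrib_string($attrs)`; the line should assign to and read from `$attrs`. Separately, the new `'/<(a|link)\s+([^>]+)>/Uie'` call adds another `/e` replacement, which evaluates a string built from message markup and `$container_id` as PHP. `preg_replace_callback` with a named callback passes the matches as data instead, and would also suit the two `make_absolute_url` calls above it. The tag-removal loop still uses `strpos()` in a truthiness test, so a tag at offset 0 is skipped; compare with `!== false`.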
@@ -1365,19 +1147,19 @@ { $j++; if ($PRINT_MODE) - $out .= sprintf('%s <%s>', rep_specialchars_output($part['name']), $part['mailto']); + $out .= sprintf('%s <%s>', Q($part['name']), $part['mailto']); else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto'])) { $out .= sprintf('<a href="mailto:%s" onclick="return %s.command(\'compose\',\'%s\',this)" class="rcmContactAddress" title="%s">%s</a>', - $part['mailto'], - $JS_OBJECT_NAME, - $part['mailto'], - $part['mailto'], - rep_specialchars_output($part['name'])); + Q($part['mailto']), + JS_OBJECT_NAME, + JQ($part['mailto']), + Q($part['mailto']), + Q($part['name'])); if ($addicon) $out .= sprintf(' <a href="#add" onclick="return %s.command(\'add-contact\',\'%s\',this)" title="%s"><img src="%s%s" alt="add" border="0" /></a>', - $JS_OBJECT_NAME, + JS_OBJECT_NAME, urlencode($part['string']), rcube_label('addtoaddressbook'), $CONFIG['skin_path'], @@ -1386,9 +1168,9 @@ else { if ($part['name']) - $out .= rep_specialchars_output($part['name']); + $out .= Q($part['name']); if ($part['mailto']) - $out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', $part['mailto']); + $out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', Q($part['mailto'])); } if ($c>$j) 
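Review bot: The `$PRINT_MODE` branch at the top of the @@ -1365 hunk still inserts `$part['mailto']` raw, while every other branch now wraps it in `Q()`. Unless the caller escapes the whole string again, an address taken from a message header reaches the print view unescaped. `sprintf('%s <%s>', Q($part['name']), Q($part['mailto']))` would bring it in line with the rest. In the add-contact link, `rcube_label('addtoaddressbook')` is likewise written into `title="…"` without `Q()`. rcmail_address_string starts and ends outside this hunk.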
@@ -1409,30 +1191,28 @@ { global $CONFIG, $IMAP, $MESSAGE; - if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']]) + $part = asciiwords(get_input_value('_part', RCUBE_INPUT_GPC)); + if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part]) return ''; - $part = &$MESSAGE['parts'][$_GET['_part']]; + $part = &$MESSAGE['parts'][$part]; $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary')); $out = '<table '. $attrib_str . ">\n"; - $filename = $part->d_parameters['filename'] ? $part->d_parameters['filename'] : $part->ctype_parameters['name']; - $filesize = $part->size; - if ($filename) { $out .= sprintf('<tr><td class="title">%s</td><td>%s</td><td>[<a href="./?%s">%s</a>]</tr>'."\n", - rcube_label('filename'), - rep_specialchars_output(rcube_imap::decode_mime_string($filename)), + Q(rcube_label('filename')), + Q($part->filename), str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']), - rcube_label('download')); + Q(rcube_label('download'))); } - if ($filesize) + if ($part->size) $out .= sprintf('<tr><td class="title">%s</td><td>%s</td></tr>'."\n", - rcube_label('filesize'), - show_bytes($filesize)); + Q(rcube_label('filesize')), + show_bytes($part->size)); $out .= "\n</table>"; 
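Review bot: The download link in this hunk still writes `str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING'])` into `href="./?%s"` unescaped, although the @@ -1445 hunk wraps the same expression in `Q()` for the iframe `src`. The query string is request-controlled, so the argument should be `Q(str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING']))`. The guard also still tests `$_GET['_part']`, while the part key is now read with `RCUBE_INPUT_GPC` (presumably GET, POST and cookie); taking both from the same source would keep them consistent. The function begins and ends outside the hunk.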
@@ -1445,10 +1225,10 @@ { global $MESSAGE; - $part = $MESSAGE['parts'][$_GET['_part']]; + $part = $MESSAGE['parts'][asciiwords(get_input_value('_part', RCUBE_INPUT_GPC))]; $ctype_primary = strtolower($part->ctype_primary); - $attrib['src'] = './?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']); + $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING'])); $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'src', 'width', 'height')); $out = '<iframe '. $attrib_str . "></iframe>"; @@ -1470,6 +1250,20 @@ unset($_SESSION['compose']); } - - + + +// register UI objects +$OUTPUT->add_handlers(array( + 'mailboxlist' => 'rcmail_mailbox_list', + 'messages' => 'rcmail_message_list', + 'messagecountdisplay' => 'rcmail_messagecount_display', + 'quotadisplay' => 'rcmail_quota_display', + 'messageheaders' => 'rcmail_message_headers', + 'messagebody' => 'rcmail_message_body', + 'messagecontentframe' => 'rcmail_messagecontent_frame', + 'messagepartframe' => 'rcmail_message_part_frame', + 'messagepartcontrols' => 'rcmail_message_part_controls', + 'searchform' => 'rcmail_search_form' +)); + ?> -- Gitblit v1.9.1
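Review bot: In the @@ -1445 hunk, `$part = $MESSAGE['parts'][asciiwords(get_input_value('_part', RCUBE_INPUT_GPC))];` is dereferenced on the next line without checking that the key exists. An unknown `_part` value therefore reads `ctype_primary` from a non-object. The @@ -1409 hunk guards the same lookup with `!$MESSAGE['parts'][$part]` and returns `''`; a matching early return such as `if (!is_object($part)) return '';` would keep the two handlers consistent. The function starts outside the hunk, so an earlier check may exist that is not visible here.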