/**
* forms.php - html form functions
*
- * Functions to build HTML forms in a safe and consistent manner.
- * All attribute values are sanitized with htmlspecialchars().
+ * Functions to build forms in a safe and consistent manner.
+ * All attribute values are sanitized with sm_encode_html_special_chars().
+//FIXME: I think the Template class might be better place to sanitize inside assign() method
*
* Currently functions don't provide simple wrappers for file and
* image input fields, support only submit and reset buttons and use
* @link http://www.section508.gov/ Section 508
* @link http://www.w3.org/WAI/ Web Accessibility Initiative (WAI)
* @link http://www.w3.org/TR/html4/ W3.org HTML 4.01 form specs
- * @copyright © 2004-2005 The SquirrelMail Project Team
+ * @copyright 2004-2014 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
$sAttribs = '';
// define unique identifier
if (! isset($aAttribs['id']) && isset($aAttribs['name']) && ! is_null($aAttribs['name'])) {
- $aAttribs['id'] = $aAttribs['name'];
+ /**
+ * if 'id' is not set, set it to 'name' and replace brackets
+ * with underscores. 'name' might contain field name with squire
+ * brackets (array). Brackets are not allowed in id (validator.w3.org
+ * fails to validate document). According to html 4.01 manual cdata
+ * type description, 'name' attribute uses same type, but validator.w3.org
+ * does not barf on brackets in 'name' attributes.
+ */
+ $aAttribs['id'] = strtr($aAttribs['name'],'[]','__');
}
- // create attribute string (do we have to sanitize keys?)
- foreach ($aAttribs as $key => $value) {
- $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':'');
- }
- return '<input type="'.$sType.'"'.$sAttribs." />\n";
+
+ global $oTemplate;
+
+ $oTemplate->assign('type', $sType);
+//FIXME: all the values in the $aAttribs list used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value);
+ $oTemplate->assign('aAttribs', $aAttribs);
+
+ return $oTemplate->fetch('input.tpl');
+
}
/**
* Password input field
* @param string $sName field name
* @param string $sValue initial password value
- * @param array $aAttribs (since 1.5.1) extra attributes
- * @return string html formated password field
+ * @param integer $iSize field size (number of characters)
+ * @param integer $iMaxlength maximum number of characters the user may enter
+ * @param array $aAttribs (since 1.5.1) extra attributes - should be given
+ * in the form array('attribute_name' => 'attribute_value', ...)
+ * @return string html formated password field
*/
-function addPwField($sName, $sValue = null, $aAttribs=array()) {
+function addPwField($sName, $sValue = '', $iSize = 0, $iMaxlength = 0, $aAttribs=array()) {
$aAttribs['name'] = $sName;
- $aAttribs['value'] = (! is_null($sValue) ? $sValue : '');
+ $aAttribs['value'] = $sValue;
+ if ($iSize) $aAttribs['size'] = (int)$iSize;
+ if ($iMaxlength) $aAttribs['maxlength'] = (int)$iMaxlength;
// add default css
if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmpwfield';
return addInputField('password',$aAttribs);
/**
* Function to create a selectlist from an array.
- * @param string $sName field name
- * @param array $aValues field values array ( key => value ) -> <option value="key">value</option>
- * @param mixed $default the key that will be selected
- * @param boolean $bUsekeys use the keys of the array as option value or not
- * @param array $aAttribs (since 1.5.1) extra attributes
+ * @param string $sName Field name
+ * @param array $aValues Field values array(key => value) results in:
+ * <option value="key">value</option>,
+ * although if $bUsekeys is FALSE, then it changes to:
+ * <option value="value">value</option>
+ * @param mixed $default The key(s) that will be selected (it is OK to pass
+ * in an array here in the case of multiple select lists)
+ * @param boolean $bUsekeys Use the keys of the array as option value or not
+ * @param array $aAttribs (since 1.5.1) Extra attributes
+ * @param boolean $bMultiple When TRUE, a multiple select list will be shown
+ * (OPTIONAL; default is FALSE (single select list))
+ * @param int $iSize Desired height of multiple select boxes
+ * (OPTIONAL; default is SMOPT_SIZE_NORMAL)
+ * (only applicable when $bMultiple is TRUE)
+ *
* @return string html formated selection box
* @todo add attributes argument for option tags and default css
*/
-function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array()) {
+function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array(), $bMultiple = FALSE, $iSize = SMOPT_SIZE_NORMAL) {
// only one element
- if(count($aValues) == 1) {
+ if (!$bMultiple && count($aValues) == 1) {
$k = key($aValues); $v = array_pop($aValues);
- return addHidden($sName, ($bUsekeys ? $k:$v), $aAttribs).
- htmlspecialchars($v) . "\n";
+ return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs)
+ . sm_encode_html_special_chars($v);
}
- if (isset($aAttribs['id'])) {
- $label_open = '<label for="'.htmlspecialchars($aAttribs['id']).'">';
- $label_close = '</label>';
- } else {
- $label_open = '';
- $label_close = '';
- }
+ if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName;
- // create attribute string for select tag
- $sAttribs = '';
- foreach ($aAttribs as $key => $value) {
- $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':'');
- }
+ // make sure $default is an array, since multiple select lists
+ // need the chance to have more than one default...
+ //
+ if (!is_array($default))
+ $default = array($default);
- $ret = '<select name="'.htmlspecialchars($sName) . '"' . $sAttribs . ">\n";
- foreach ($aValues as $k => $v) {
- if(!$bUsekeys) $k = $v;
- $ret .= '<option value="' .
- htmlspecialchars( $k ) . '"' .
- (($default == $k) ? ' selected="selected"' : '') .
- '>' . $label_open . htmlspecialchars($v) . $label_close ."</option>\n";
- }
- $ret .= "</select>\n";
- return $ret;
+ global $oTemplate;
+
+//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[sm_encode_html_special_chars($key)] = sm_encode_html_special_chars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = sm_encode_html_special_chars($default); (oops, watch out for when $default is an array! (multiple select lists))
+ $oTemplate->assign('aAttribs', $aAttribs);
+ $oTemplate->assign('aValues', $aValues);
+ $oTemplate->assign('bUsekeys', $bUsekeys);
+ $oTemplate->assign('default', $default);
+ $oTemplate->assign('name', $sName);
+ $oTemplate->assign('multiple', $bMultiple);
+ $oTemplate->assign('size', $iSize);
+
+ return $oTemplate->fetch('select.tpl');
+}
+
+/**
+ * Normal button
+ *
+ * Note the switched value/name parameters!
+ * Note also that regular buttons are not very useful unless
+ * used with onclick handlers, thus are only really appropriate
+ * if you use them after having checked if JavaScript is turned
+ * on by doing this: if (checkForJavascript()) ...
+ *
+ * @param string $sValue button name
+ * @param string $sName key name
+ * @param array $aAttribs extra attributes
+ *
+ * @return string html formated submit input field
+ *
+ * @since 1.5.2
+ */
+function addButton($sValue, $sName = null, $aAttribs=array()) {
+ $aAttribs['value'] = $sValue;
+ if (! is_null($sName)) $aAttribs['name'] = $sName;
+ // add default css
+ if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield';
+ return addInputField('button', $aAttribs);
}
/**
if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield';
return addInputField('submit', $aAttribs);
}
+
/**
* Form reset button
* @param string $sValue button name
/**
* Textarea form element.
- * @param string $sName field name
- * @param string $sText initial field value
- * @param integer $iCols field width (number of chars)
- * @param integer $iRows field height (number of character rows)
- * @param array $aAttribs (since 1.5.1) extra attributes. function accepts string argument
- * for backward compatibility.
+ *
+ * @param string $sName field name
+ * @param string $sText initial field value (OPTIONAL; default empty)
+ * @param integer $iCols field width (number of chars) (OPTIONAL; default 40)
+ * @param integer $iRows field height (number of character rows) (OPTIONAL; default 10)
+ * @param array $aAttribs (since 1.5.1) extra attributes (OPTIONAL; default empty)
+ *
* @return string html formated text area field
+ *
*/
function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = array()) {
- $label_open = '';
- $label_close = '';
- if (is_array($aAttribs)) {
- // maybe id can default to name?
- if (isset($aAttribs['id'])) {
- $label_open = '<label for="'.htmlspecialchars($aAttribs['id']).'">';
- $label_close = '</label>';
- }
- // add default css
- if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea';
- // create attribute string (do we have to sanitize keys?)
- $sAttribs = '';
- foreach ($aAttribs as $key => $value) {
- $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':'');
- }
- } elseif (is_string($aAttribs)) {
- // backward compatibility mode. deprecated.
- $sAttribs = ' ' . $aAttribs;
- } else {
- $sAttribs = '';
+
+ // no longer accept string arguments for attribs; print
+ // backtrace to help people fix their code
+ //FIXME: throw error instead?
+ if (!is_array($aAttribs)) {
+ echo '$aAttribs argument to addTextArea() must be an array<br /><pre>';
+ debug_print_backtrace();
+ echo '</pre><br />';
+ exit;
+ }
+
+ // add default css
+ else if (!isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea';
+
+ if ( empty( $aAttribs['id'] ) ) {
+ $aAttribs['id'] = strtr($sName,'[]','__');
}
- return '<textarea name="'.htmlspecialchars($sName).'" '.
- 'rows="'.(int)$iRows .'" cols="'.(int)$iCols.'"'.
- $sAttribs . '>'. $label_open . htmlspecialchars($sText) . $label_close ."</textarea>\n";
+
+ global $oTemplate;
+
+//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $sText = sm_encode_html_special_chars($sText);
+ $oTemplate->assign('aAttribs', $aAttribs);
+ $oTemplate->assign('name', $sName);
+ $oTemplate->assign('text', $sText);
+ $oTemplate->assign('cols', (int)$iCols);
+ $oTemplate->assign('rows', (int)$iRows);
+
+ return $oTemplate->fetch('textarea.tpl');
}
/**
* Make a <form> start-tag.
- * @param string $sAction form handler URL
- * @param string $sMethod http method used to submit form data. 'get' or 'post'
- * @param string $sName form name used for identification (used for backward
- * compatibility). Use of id is recommended.
- * @param string $sEnctype content type that is used to submit data. html 4.01
- * defaults to 'application/x-www-form-urlencoded'. Form with file field needs
- * 'multipart/form-data' encoding type.
- * @param string $sCharset charset that is used for submitted data
- * @param array $aAttribs (since 1.5.1) extra attributes
+ *
+ * @param string $sAction form handler URL
+ * @param string $sMethod http method used to submit form data. 'get' or 'post'
+ * @param string $sName form name used for identification (used for backward
+ * compatibility). Use of id is recommended instead.
+ * @param string $sEnctype content type that is used to submit data. html 4.01
+ * defaults to 'application/x-www-form-urlencoded'. Form
+ * with file field needs 'multipart/form-data' encoding type.
+ * @param string $sCharset charset that is used for submitted data
+ * @param array $aAttribs (since 1.5.1) extra attributes
+ * @param boolean $bAddToken (since 1.5.2) When given as a string or as boolean TRUE,
+ * a hidden input is also added to the form containing a
+ * security token. When given as TRUE, the input name is
+ * "smtoken"; otherwise the name is the string that is
+ * given for this parameter. When FALSE, no hidden token
+ * input field is added. (OPTIONAL; default not used)
+ *
* @return string html formated form start string
+ *
*/
-function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array()) {
- // id tags
- if (! isset($aAttribs['id']) && ! empty($sName))
- $aAttribs['id'] = $sName;
+function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array(), $bAddToken = FALSE) {
- if($sName) {
- $sName = ' name="'.$sName.'"';
- }
- if($sEnctype) {
- $sEnctype = ' enctype="'.$sEnctype.'"';
- }
- if($sCharset) {
- $sCharset = ' accept-charset="'.htmlspecialchars($sCharset).'"';
- }
+ global $oTemplate;
- // create attribute string (do we have to sanitize keys?)
- $sAttribs = '';
- foreach ($aAttribs as $key => $value) {
- $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':'');
+//FIXME: all the values in the $aAttribs list as well as $charset used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sCharset = sm_encode_html_special_chars($sCharset);
+ $oTemplate->assign('aAttribs', $aAttribs);
+ $oTemplate->assign('name', $sName);
+ $oTemplate->assign('method', $sMethod);
+ $oTemplate->assign('action', $sAction);
+ $oTemplate->assign('enctype', $sEnctype);
+ $oTemplate->assign('charset', $sCharset);
+
+ $sForm = $oTemplate->fetch('form.tpl');
+
+ if ($bAddToken) {
+ $sForm .= addHidden((is_string($bAddToken) ? $bAddToken : 'smtoken'),
+ sm_generate_security_token());
}
- return '<form action="'. $sAction .'" method="'. $sMethod .'"'.
- $sEnctype . $sName . $sCharset . $sAttribs . ">\n";
+ return $sForm;
+}
+
+/**
+ * Creates unique widget names
+ *
+ * Names are formatted as such: "send1", "send2", "send3", etc.,
+ * where "send" in this example is what was given for $base_name
+ *
+ * @param string $base_name The name upon which to base the
+ * returned widget name.
+ * @param boolean $return_count When TRUE, this function will
+ * return the last number used to
+ * create a widget name for $base_name
+ * (OPTIONAL; default = FALSE).
+ *
+ * @return mixed When $return_output is FALSE, a string containing
+ * the unique widget name; otherwise an integer with
+ * the last number used to create the last widget
+ * name for the given $base_name (where 0 (zero) means
+ * that no such widgets have been created yet).
+ *
+ * @since 1.5.2
+ *
+ */
+function unique_widget_name($base_name, $return_count=FALSE)
+{
+ static $counts = array();
+
+ if (!isset($counts[$base_name]))
+ $counts[$base_name] = 0;
+
+ if ($return_count)
+ return $counts[$base_name];
+
+ ++$counts[$base_name];
+ return $base_name . $counts[$base_name];
}
-?>
\ No newline at end of file