* This contains the functions necessary to detect and decode MIME
* messages.
*
- * @copyright 1999-2010 The SquirrelMail Project Team
+ * @copyright 1999-2018 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
displayPageHeader( $color, $mailbox );
$errormessage = _("SquirrelMail could not decode the bodystructure of the message");
$errormessage .= '<br />'._("The bodystructure provided by your IMAP server:").'<br /><br />';
- $errormessage .= '<pre>' . htmlspecialchars($read) . '</pre>';
+ $errormessage .= '<pre>' . sm_encode_html_special_chars($read) . '</pre>';
plain_error_message( $errormessage );
echo '</body></html>';
exit;
$data = sqimap_run_command ($imap_stream, $cmd, true, $response, $message, TRUE);
do {
$topline = trim(array_shift($data));
- } while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH.*/i', $topline)) ;
+ } while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH .*BODY.*/i', $topline)) ;
+ // Matching with "BODY" above is difficult: in most cases "FETCH \(BODY" would work
+ // but some servers may put other things in the same result, perhaps something such
+ // as "* 23 FETCH (FLAGS (\Seen) BODY[1] {174}". There is some small chance that
+ // if the character sequence "BODY" appears in a response where it isn't actually
+ // a FETCH response data item name, the current regex will break things. The better
+ // way to do this would be to parse the response correctly and not use a regex.
$wholemessage = implode('', $data);
if (preg_match('/\{([^\}]*)\}/', $topline, $regs)) {
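Review bot: The new pattern on the `while` line is still unanchored and accepts the letters BODY anywhere after FETCH, so an untagged FETCH line that merely carries a string containing "body" ends the skip loop, and the `{...}` size on that line is then taken by the `preg_match` that follows. If the command issued here always requests a body section (the command string is outside the hunk, so this is an assumption), anchoring the line and requiring the opening bracket narrows the match without a full parser: `'/^\* [0-9]+ FETCH \(.*\bBODY\[/i'`. That form still matches the example given in the added comment, `* 23 FETCH (FLAGS (\Seen) BODY[1] {174}`. The enclosing function starts and ends outside this hunk.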
$this_attachment['DownloadHREF'] = $links['download link']['href'];
$this_attachment['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : '';
$this_attachment['Size'] = $header->size;
- $this_attachment['ContentType'] = htmlspecialchars($type0 .'/'. $type1);
+ $this_attachment['ContentType'] = sm_encode_html_special_chars($type0 .'/'. $type1);
$this_attachment['OtherLinks'] = array();
foreach ($links as $val) {
if ($val['text']==_("Download") || $val['text'] == _("View"))
$iLastMatch = -2;
$encoded = true;
+// FIXME: spaces are allowed inside quoted-printable encoding, but the following line will bust up any such encoded strings
$aString = explode(' ',$string);
$ret = '';
foreach ($aString as $chunk) {
$iLastMatch = $i;
$j = $i;
if ($htmlsafe) {
- $ret .= htmlspecialchars($res[1]);
+ $ret .= sm_encode_html_special_chars($res[1]);
} else {
$ret .= $res[1];
}
}
} else {
if ($htmlsafe) {
- $replace = htmlspecialchars($replace);
+ $replace = sm_encode_html_special_chars($replace);
}
$ret.= $replace;
}
break;
case 'Q':
$replace = str_replace('_', ' ', $res[4]);
- $replace = preg_replace('/=([0-9a-f]{2})/ie', 'chr(hexdec("\1"))',
+ $replace = preg_replace_callback('/=([0-9a-f]{2})/i',
+ create_function ('$matches', 'return chr(hexdec($matches[1]));'),
$replace);
if ($utfencode) {
if ($can_be_encoded) {
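Review bot: `create_function()` on the added lines compiles a new global function from a string on every call and never frees it; the call sits under `case 'Q':`, apparently inside the per-chunk loop, so each Q-encoded word in a header adds another one for the life of the request. It is also deprecated since PHP 7.2 and removed in PHP 8.0, so this line stops working there. The body string is a constant, so this is not an injection problem, but a callback defined once avoids both issues: declare `function sq_qp_hex_to_char($matches) { return chr(hexdec($matches[1])); }` at file level (the name is only a suggestion) and pass `'sq_qp_hex_to_char'` as the second argument. The enclosing function starts and ends outside this hunk.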
}
} else {
if ($htmlsafe) {
- $replace = htmlspecialchars($replace);
+ $replace = sm_encode_html_special_chars($replace);
}
}
$ret .= $replace;
}
if (!$encoded && $htmlsafe) {
- $ret .= htmlspecialchars($chunk);
+ $ret .= sm_encode_html_special_chars($chunk);
} else {
$ret .= $chunk;
}
// images off by default.
sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
- $secremoveimg = '../images/' . _("sec_remove_eng.png");
+ global $use_transparent_security_image;
+ if ($use_transparent_security_image) $secremoveimg = '../images/spacer.png';
+ else $secremoveimg = '../images/' . _("sec_remove_eng.png");
/**
* Replace empty src tags with the blank image. src is only used
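Review bot: The three added lines that pick `$secremoveimg` are repeated verbatim in two later hunks (before the "Fix url('blah') declarations" comment and before `$bad_attvals`), and the value matters because another hunk compares `$aUrl['path']` against it to decide whether a URL is already the placeholder. Keeping three copies invites one of them drifting, at which point that comparison and the substitution would disagree. A single helper that returns the path, or at least one braced expression such as `$secremoveimg = $use_transparent_security_image ? '../images/spacer.png' : '../images/' . _("sec_remove_eng.png");`, would be easier to keep consistent than the brace-less `if`/`else` pair. The enclosing function is not fully visible in this hunk.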
break;
}
} else {
- if (!(isset($aUrl['path']) && $aUrl['path'] == $secremoveimg)) {
+ if (!isset($aUrl['path']) || $aUrl['path'] != $secremoveimg) {
// parse_url did not lead to satisfying result
$attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
}
* and change it to .bodyclass so we can just assign it to a <div>
*/
$content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content);
- $secremoveimg = '../images/' . _("sec_remove_eng.png");
+
+ global $use_transparent_security_image;
+ if ($use_transparent_security_image) $secremoveimg = '../images/spacer.png';
+ else $secremoveimg = '../images/' . _("sec_remove_eng.png");
+
/**
* Fix url('blah') declarations.
*/
list($free_content, $curpos) =
sq_fixstyle($body, $gt+1, $message, $id, $mailbox);
if ($free_content != FALSE){
+ if ( !empty($attary) ) {
+ $attary = sq_fixatts($tagname,
+ $attary,
+ $rm_attnames,
+ $bad_attvals,
+ $add_attr_to_tag,
+ $message,
+ $id,
+ $mailbox
+ );
+ }
$trusted .= sq_tagprint($tagname, $attary, $tagtype);
$trusted .= $free_content;
$trusted .= sq_tagprint($tagname, false, 2);
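Review bot: The added `sq_fixatts()` block has no comment saying why it is there, and the reason is security-relevant: `sq_tagprint($tagname, $attary, $tagtype)` on the following line prints `$attary`, so before this change the attributes of the tag handled by `sq_fixstyle()` apparently reached the output without attribute filtering. A one-line comment above the `if` would keep a later cleanup from removing it, for example `// attributes of this tag are printed below, so they must pass the same filtering as any other tag`. Only the branch where `$free_content` is not false is visible here; whether the other branch also prints `$attary` cannot be told from this hunk.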
)
);
- $secremoveimg = "../images/" . _("sec_remove_eng.png");
+ global $use_transparent_security_image;
+ if ($use_transparent_security_image) $secremoveimg = '../images/spacer.png';
+ else $secremoveimg = '../images/' . _("sec_remove_eng.png");
+
$bad_attvals = Array(
"/.*/" =>
Array(
$filename=rawurlencode($filename);
header ("Pragma: public");
header ("Cache-Control: no-store, max-age=0, no-cache, must-revalidate"); // HTTP/1.1
- header ("Cache-Control: post-check=0, pre-check=0", false);
+ // does nothing - see: https://blogs.msdn.microsoft.com/ieinternals/2009/07/20/internet-explorers-cache-control-extensions/
+ // header ("Cache-Control: post-check=0, pre-check=0", false);
header ("Cache-Control: private");
//set the inline header for IE, we'll add the attachment header later if we need it