*
* Prints the page header (duh)
*
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2018 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
* @param string xtra extra HTML to insert into the header
* @param bool do_hook whether to execute hooks, default true
* @param bool frames generate html frameset doctype (since 1.5.1)
+ * @param bool $browser_cache_ok When TRUE, it's OK to leave out the
+ * no-cache browser headers (OPTIONAL;
+ * default = FALSE, send no-cache headers)
* @return void
*/
-function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE, $frames = FALSE ) {
+function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE, $frames = FALSE, $browser_cache_ok=FALSE ) {
global $squirrelmail_language, $sTemplateID, $oErrorHandler, $oTemplate;
if ( !sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) ) {
$default_fontset, $chosen_fontset, $default_fontsize, $chosen_fontsize,
$chosen_theme, $chosen_theme_path, $user_themes, $user_theme_default;
- /* add no cache headers here */
+ // add no cache headers here
+ //
+ if (!$browser_cache_ok) {
//FIXME: should change all header() calls in SM core to use $oTemplate->header()!!
- $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
- $oTemplate->header('Cache-Control: private, no-cache, no-store'); // http 1.1 (rfc2616)
+ $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
+ $oTemplate->header('Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0'); // http 1.1 (rfc2616)
+ $oTemplate->header('Expires: Sat, 1 Jan 2000 00:00:00 GMT');
+//TODO: is this needed? $oTemplate->header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . 'GMT');
+ }
+ /* prevent information leakage about read emails by forbidding Firefox
+ * to do preemptive DNS requests for any links in the message body. */
+ $oTemplate->header('X-DNS-Prefetch-Control: off');
+
+ // don't show version as a security measure
+ //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
+ $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
+
+ // prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+ $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+ $header_tags = '<script type="text/javascript" language="JavaScript">'
+ . "\n<!--\n"
+ . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+ . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+ . sqm_baseuri() . 'src/signout.php"; top.location = "'
+ . sqm_baseuri() . 'src/signout.php" } }'
+ . "\n// -->\n</script>\n";
$oTemplate->assign('frames', $frames);
$oTemplate->assign('lang', $squirrelmail_language);
- $header_tags = '';
-
$header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
$used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);
/**
* Given a path to a SquirrelMail file, return a HTML link to it
*
- * @param string path the SquirrelMail file to link to
- * @param string text the link text
- * @param string target the target frame for this link
+ * @param string $path The SquirrelMail file to link to
+ * (should start with something like "src/..." or
+ * "functions/..." or "plugins/..." etc.)
+ * @param string $text The link text
+ * @param string $target The target frame for this link
+ * @param string $accesskey The access key to be used, if any
*/
-function makeInternalLink($path, $text, $target='') {
+function makeInternalLink($path, $text, $target='', $accesskey='NONE') {
global $base_uri, $oTemplate;
// sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
//
//do_hook('internal_link', $text);
- return create_hyperlink($base_uri . $path, $text, $target);
+ return create_hyperlink($base_uri . $path, $text, $target,
+ '', '', '', '',
+ ($accesskey == 'NONE'
+ ? array()
+ : array('accesskey' => $accesskey)));
}
/**
* @param array color the array of theme colors
* @param string mailbox the current mailbox name to display
* @param string sHeaderJs javascipt code to be inserted in a script block in the header
- * @param string sBodyTagJs js events to be inserted in the body tag
+ * @param string sOnload JavaScript code to be added inside the body's onload handler
+ * as of 1.5.2, this replaces $sBodyTagJs argument
* @return void
*/
-
-function displayPageHeader($color, $mailbox='', $sHeaderJs='', $sBodyTagJs = '') {
+function displayPageHeader($color, $mailbox='', $sHeaderJs='', $sOnload = '') {
global $reply_focus, $hide_sm_attributions, $frame_top,
$provider_name, $provider_uri, $startMessage,
$action, $oTemplate, $org_title, $base_uri,
$data_dir, $username;
-//FIXME: $sBodyTag should be turned into $sOnload and should only contain the contents of the onload attribute (not the attribute name nor any quotes).... only question is if anyone was using $sBodyTag for anything but onload event handlers? (see function compose_Header() below for how to fix it once we confirm it can be changed)
- if (empty($sBodyTagJs)) {
+ if (empty($sOnload)) {
if (strpos($action, 'reply') !== FALSE && $reply_focus) {
- if ($reply_focus == 'select')
- $sBodyTagJs = 'onload="checkForm(\'select\');"';
- else if ($reply_focus == 'focus')
- $sBodyTagJs = 'onload="checkForm(\'focus\');"';
- else if ($reply_focus != 'none')
- $sBodyTagJs = 'onload="checkForm();"';
+ if ($reply_focus == 'select')
+ $sOnload = 'checkForm(\'select\');';
+ else if ($reply_focus == 'focus')
+ $sOnload = 'checkForm(\'focus\');';
+ else if ($reply_focus != 'none')
+ $sOnload = 'checkForm();';
}
else
- $sBodyTagJs = 'onload="checkForm();"';
+ $sOnload = 'checkForm();';
}
$startMessage = (int)$startMessage;
$frame_top = '_top';
}
-//FIXME: does checkForJavascript() make the 2nd part of the if() below unneccessary??
+//FIXME: does checkForJavascript() make the 2nd part of the if() below unneccessary?? (that is, I think checkForJavascript() might already look for new_js_autodetect_results...(?))
if( checkForJavascript() || strpos($sHeaderJs, 'new_js_autodetect_results.value') ) {
$js_includes = $oTemplate->get_javascript_includes(TRUE);
$sJsBlock = '';
} else {
/* do not use JavaScript */
displayHtmlHeader ($org_title);
- $sBodyTagJs = '';
+ $sOnload = '';
}
if ($mailbox) {
/*
* this explains the imap_mailbox.php dependency. We should instead store
* the selected mailbox in the session and fallback to the session var.
*/
- $shortBoxName = htmlspecialchars(imap_utf7_decode_local(
+ $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local(
readShortMailboxName($mailbox, $delimiter)));
if (getPref($data_dir, $username, 'translate_special_folders')) {
- $shortBoxName = _($shortBoxName);
+ global $sent_folder, $trash_folder, $draft_folder;
+ if ($mailbox == $sent_folder)
+ $shortBoxName = _("Sent");
+ else if ($mailbox == $trash_folder)
+ $shortBoxName = _("Trash");
+ else if ($mailbox == $sent_folder)
+ $shortBoxName = _("Drafts");
}
$urlMailbox = urlencode($mailbox);
} else {
$provider_link = create_hyperlink($provider_uri, $provider_name, '_blank');
}
- $oTemplate->assign('body_tag_js', $sBodyTagJs);
+ $oTemplate->assign('onload', $sOnload);
$oTemplate->assign('shortBoxName', $shortBoxName);
$oTemplate->assign('provider_link', $provider_link);
$oTemplate->assign('frame_top', $frame_top);
$oTemplate->assign('urlMailbox', $urlMailbox);
$oTemplate->assign('startMessage', $startMessage);
$oTemplate->assign('hide_sm_attributions', $hide_sm_attributions);
+
+ // access keys
+ //
+ global $accesskey_menubar_compose, $accesskey_menubar_addresses,
+ $accesskey_menubar_folders, $accesskey_menubar_options,
+ $accesskey_menubar_search, $accesskey_menubar_help,
+ $accesskey_menubar_signout;
+ $oTemplate->assign('accesskey_menubar_compose', $accesskey_menubar_compose);
+ $oTemplate->assign('accesskey_menubar_addresses', $accesskey_menubar_addresses);
+ $oTemplate->assign('accesskey_menubar_folders', $accesskey_menubar_folders);
+ $oTemplate->assign('accesskey_menubar_options', $accesskey_menubar_options);
+ $oTemplate->assign('accesskey_menubar_search', $accesskey_menubar_search);
+ $oTemplate->assign('accesskey_menubar_help', $accesskey_menubar_help);
+ $oTemplate->assign('accesskey_menubar_signout', $accesskey_menubar_signout);
+
$oTemplate->display('page_header.tpl');
global $null;
$sOnload = 'checkForm();';
}
else
- $sOnload = 'checkForm();';
+ $sOnload = 'checkForm();';
}
} else {
/* javascript off */
displayHtmlHeader(_("Compose"));
- $onload = '';
+ $sOnload = '';
}
// FIXME: change the colorization attributes below to a CSS class!