X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=functions%2Fforms.php;h=c5b4cf728ec77422e0ac69ea305619ed3ca7b89d;hb=c53195bbbf00d53343b5b33c35f43f75bb2646a9;hp=23215bb6ada42e26b5330c32abd07b4c3215b439;hpb=d4e46166df04792c6b939356ea5dfda8e47bba7b;p=squirrelmail.git
diff --git a/functions/forms.php b/functions/forms.php
index 23215bb6..c5b4cf72 100644
--- a/functions/forms.php
+++ b/functions/forms.php
@@ -4,7 +4,7 @@
 * forms.php - html form functions
 *
 * Functions to build forms in a safe and consistent manner.
- * All attribute values are sanitized with htmlspecialchars().
+ * All attribute values are sanitized with sm_encode_html_special_chars().
 //FIXME: I think the Template class might be better place to sanitize inside assign() method
 *
 * Currently functions don't provide simple wrappers for file and
@@ -25,7 +25,7 @@
 * @link http://www.section508.gov/ Section 508
 * @link http://www.w3.org/WAI/ Web Accessibility Initiative (WAI)
 * @link http://www.w3.org/TR/html4/ W3.org HTML 4.01 form specs
- * @copyright © 2004-2009 The SquirrelMail Project Team
+ * @copyright 2004-2021 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
@@ -65,7 +65,7 @@ function addInputField($sType, $aAttribs=array()) {
 global $oTemplate;
 $oTemplate->assign('type', $sType);
-//FIXME: all the values in the $aAttribs list used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value);
+//FIXME: all the values in the $aAttribs list used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value);
 $oTemplate->assign('aAttribs', $aAttribs);
 return $oTemplate->fetch('input.tpl');
@@ -187,9 +187,10 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri
 if (!$bMultiple && count($aValues) == 1) {
 $k = key($aValues);
 $v = array_pop($aValues);
 return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs)
- . htmlspecialchars($v);
+ . sm_encode_html_special_chars($v);
 }
+ if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName;
 // make sure $default is an array, since multiple select lists
 // need the chance to have more than one default...
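Review bot: The id fallback added after the single-value early return in addSelect, `if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName;`, copies the name verbatim, so a multiple-select name such as `foo[]` produces an id containing brackets, while the addTextArea hunk further down in this same commit derives its id with `strtr($sName,'[]','__')`. Using the same mapping here — `if (! isset($aAttribs['id'])) $aAttribs['id'] = strtr($sName, '[]', '__');` — keeps the two consistent and avoids ids that cannot be used as CSS or JavaScript selectors. The textarea hunk, conversely, tests with `empty()`, which treats an explicit id of `'0'` as absent; the `isset` used here is the better check for both places. As the FIXME in the next hunk says, $aAttribs values are no longer encoded in this function, so the derived id depends on the template encoding attribute values, which this diff does not show. The enclosing addSelect body continues outside the hunk.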
@@ -200,7 +201,7 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri
 global $oTemplate;
-//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[htmlspecialchars($key)] = htmlspecialchars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = htmlspecialchars($default); (oops, watch out for when $default is an array! (multiple select lists))
+//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[sm_encode_html_special_chars($key)] = sm_encode_html_special_chars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = sm_encode_html_special_chars($default); (oops, watch out for when $default is an array! (multiple select lists))
 $oTemplate->assign('aAttribs', $aAttribs);
 $oTemplate->assign('aValues', $aValues);
 $oTemplate->assign('bUsekeys', $bUsekeys);
@@ -292,10 +293,14 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = 
 // add default css
 else if (!isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea';
+
+ if ( empty( $aAttribs['id'] ) ) {
+ $aAttribs['id'] = strtr($sName,'[]','__');
+ }
 global $oTemplate;
-//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $sText = htmlspecialchars($sText);
+//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $sText = sm_encode_html_special_chars($sText);
 $oTemplate->assign('aAttribs', $aAttribs);
 $oTemplate->assign('name', $sName);
 $oTemplate->assign('text', $sText);
@@ -308,24 +313,30 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = 
 /**
 * Make a start-tag.
 *
- * @param string $sAction form handler URL
- * @param string $sMethod http method used to submit form data. 'get' or 'post'
- * @param string $sName form name used for identification (used for backward
- * compatibility). Use of id is recommended instead.
- * @param string $sEnctype content type that is used to submit data. html 4.01
- * defaults to 'application/x-www-form-urlencoded'. Form
- * with file field needs 'multipart/form-data' encoding type.
- * @param string $sCharset charset that is used for submitted data
- * @param array $aAttribs (since 1.5.1) extra attributes
+ * @param string $sAction form handler URL
+ * @param string $sMethod http method used to submit form data. 'get' or 'post'
+ * @param string $sName form name used for identification (used for backward
+ * compatibility). Use of id is recommended instead.
+ * @param string $sEnctype content type that is used to submit data. html 4.01
+ * defaults to 'application/x-www-form-urlencoded'. Form
+ * with file field needs 'multipart/form-data' encoding type.
+ * @param string $sCharset charset that is used for submitted data
+ * @param array $aAttribs (since 1.5.1) extra attributes
+ * @param boolean $bAddToken (since 1.5.2) When given as a string or as boolean TRUE,
+ * a hidden input is also added to the form containing a
+ * security token. When given as TRUE, the input name is
+ * "smtoken"; otherwise the name is the string that is
+ * given for this parameter. When FALSE, no hidden token
+ * input field is added. (OPTIONAL; default not used)
 *
 * @return string html formated form start string
 *
 */
-function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array()) {
+function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array(), $bAddToken = FALSE) {
 global $oTemplate;
-//FIXME: all the values in the $aAttribs list as well as $charset used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sCharset = htmlspecialchars($sCharset);
+//FIXME: all the values in the $aAttribs list as well as $charset used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sCharset = sm_encode_html_special_chars($sCharset);
 $oTemplate->assign('aAttribs', $aAttribs);
 $oTemplate->assign('name', $sName);
 $oTemplate->assign('method', $sMethod);
@@ -333,7 +344,14 @@ function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCha
 $oTemplate->assign('enctype', $sEnctype);
 $oTemplate->assign('charset', $sCharset);
- return $oTemplate->fetch('form.tpl');
+ $sForm = $oTemplate->fetch('form.tpl');
+
+ if ($bAddToken) {
+ $sForm .= addHidden((is_string($bAddToken) ? $bAddToken : 'smtoken'),
+ sm_generate_security_token());
+ }
+
+ return $sForm;
 }
 /**
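Review bot: The new `$bAddToken` docblock in hunk `@@ -308` explains how the hidden token input is emitted but not that the token only protects the form if the page that receives the submission verifies it; nothing in hunk `@@ -333` does so, and a caller reading this signature could take passing TRUE as sufficient. I would add to the parameter description: `Note that the token only provides protection when the script handling the submitted form verifies it (see sm_validate_security_token()).` On style, the new default `$bAddToken = FALSE` uses upper-case where the existing signatures in this file use lower-case (`$default = null, $bUsekeys = false` in addSelect's hunk header); `$bAddToken = false` would match. A lesser quirk, since the guard is a truthiness test, is that a field name given as the string `'0'` silently adds no token; mentioning the accepted values in the docblock covers it. The enclosing addForm function begins in the previous hunk.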