X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fforms.php;h=0be61fb58fd94299d4c3b7877134e3d806244448;hb=9ebace193471e0957e523805e59e8676a831c2b7;hp=7bc75e95d1f444ae51d647a902ceb1fa10832ce4;hpb=47ccfad452e8d345542d09e59112cac317cffed8;p=squirrelmail.git diff --git a/functions/forms.php b/functions/forms.php index 7bc75e95..0be61fb5 100644 --- a/functions/forms.php +++ b/functions/forms.php @@ -3,8 +3,9 @@ /** * forms.php - html form functions * - * Functions to build HTML forms in a safe and consistent manner. + * Functions to build forms in a safe and consistent manner. * All attribute values are sanitized with htmlspecialchars(). +//FIXME: I think the Template class might be better place to sanitize inside assign() method * * Currently functions don't provide simple wrappers for file and * image input fields, support only submit and reset buttons and use @@ -24,7 +25,7 @@ * @link http://www.section508.gov/ Section 508 * @link http://www.w3.org/WAI/ Web Accessibility Initiative (WAI) * @link http://www.w3.org/TR/html4/ W3.org HTML 4.01 form specs - * @copyright © 2004-2006 The SquirrelMail Project Team + * @copyright © 2004-2007 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -50,13 +51,25 @@ function addInputField($sType, $aAttribs=array()) { $sAttribs = ''; // define unique identifier if (! isset($aAttribs['id']) && isset($aAttribs['name']) && ! is_null($aAttribs['name'])) { - $aAttribs['id'] = $aAttribs['name']; + /** + * if 'id' is not set, set it to 'name' and replace brackets + * with underscores. 'name' might contain field name with squire + * brackets (array). Brackets are not allowed in id (validator.w3.org + * fails to validate document). According to html 4.01 manual cdata + * type description, 'name' attribute uses same type, but validator.w3.org + * does not barf on brackets in 'name' attributes. + */ + $aAttribs['id'] = strtr($aAttribs['name'],'[]','__'); } - // create attribute string (do we have to sanitize keys?) - foreach ($aAttribs as $key => $value) { - $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':''); - } - return '\n"; + + global $oTemplate; + + $oTemplate->assign('type', $sType); +//FIXME: all the values in the $aAttribs list used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); + $oTemplate->assign('aAttribs', $aAttribs); + + return $oTemplate->fetch('input.tpl'); + } /** @@ -146,47 +159,77 @@ function addInput($sName, $sValue = '', $iSize = 0, $iMaxlength = 0, $aAttribs=a /** * Function to create a selectlist from an array. - * @param string $sName field name - * @param array $aValues field values array ( key => value ) -> - * @param mixed $default the key that will be selected - * @param boolean $bUsekeys use the keys of the array as option value or not - * @param array $aAttribs (since 1.5.1) extra attributes + * @param string $sName Field name + * @param array $aValues Field values array(key => value) results in: + * , + * although if $bUsekeys is FALSE, then it changes to: + * + * @param mixed $default The key(s) that will be selected (it is OK to pass + * in an array here in the case of multiple select lists) + * @param boolean $bUsekeys Use the keys of the array as option value or not + * @param array $aAttribs (since 1.5.1) Extra attributes + * @param boolean $bMultiple When TRUE, a multiple select list will be shown + * (OPTIONAL; default is FALSE (single select list)) + * @param int $iSize Desired height of multiple select boxes + * (OPTIONAL; default is SMOPT_SIZE_NORMAL) + * (only applicable when $bMultiple is TRUE) + * * @return string html formated selection box * @todo add attributes argument for option tags and default css */ -function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array()) { +function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array(), $bMultiple = FALSE, $iSize = SMOPT_SIZE_NORMAL) { // only one element - if(count($aValues) == 1) { + if (!$bMultiple && count($aValues) == 1) { $k = key($aValues); $v = array_pop($aValues); - return addHidden($sName, ($bUsekeys ? $k:$v), $aAttribs). - htmlspecialchars($v) . "\n"; + return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs) + . htmlspecialchars($v); } - if (isset($aAttribs['id'])) { - $label_open = ''; - } else { - $label_open = ''; - $label_close = ''; - } - // create attribute string for select tag - $sAttribs = ''; - foreach ($aAttribs as $key => $value) { - $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':''); - } + // make sure $default is an array, since multiple select lists + // need the chance to have more than one default... + // + if (!is_array($default)) + $default = array($default); - $ret = '\n"; - return $ret; + global $oTemplate; + +//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[htmlspecialchars($key)] = htmlspecialchars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = htmlspecialchars($default); (oops, watch out for when $default is an array! (multiple select lists)) + $oTemplate->assign('aAttribs', $aAttribs); + $oTemplate->assign('aValues', $aValues); + $oTemplate->assign('bUsekeys', $bUsekeys); + $oTemplate->assign('default', $default); + $oTemplate->assign('name', $sName); + $oTemplate->assign('multiple', $bMultiple); + $oTemplate->assign('size', $iSize); + + return $oTemplate->fetch('select.tpl'); +} + +/** + * Normal button + * + * Note the switched value/name parameters! + * Note also that regular buttons are not very useful unless + * used with onclick handlers, thus are only really appropriate + * if you use them after having checked if JavaScript is turned + * on by doing this: if (checkForJavascript()) ... + * + * @param string $sValue button name + * @param string $sName key name + * @param array $aAttribs extra attributes + * + * @return string html formated submit input field + * + * @since 1.5.2 + */ +function addButton($sValue, $sName = null, $aAttribs=array()) { + $aAttribs['value'] = $sValue; + if (! is_null($sName)) $aAttribs['name'] = $sName; + // add default css + if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield'; + return addInputField('button', $aAttribs); } /** @@ -204,6 +247,7 @@ function addSubmit($sValue, $sName = null, $aAttribs=array()) { if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield'; return addInputField('submit', $aAttribs); } + /** * Form reset button * @param string $sValue button name @@ -219,77 +263,71 @@ function addReset($sValue, $aAttribs=array()) { /** * Textarea form element. - * @param string $sName field name - * @param string $sText initial field value - * @param integer $iCols field width (number of chars) - * @param integer $iRows field height (number of character rows) - * @param array $aAttribs (since 1.5.1) extra attributes. function accepts string argument - * for backward compatibility. + * + * @param string $sName field name + * @param string $sText initial field value (OPTIONAL; default empty) + * @param integer $iCols field width (number of chars) (OPTIONAL; default 40) + * @param integer $iRows field height (number of character rows) (OPTIONAL; default 10) + * @param array $aAttribs (since 1.5.1) extra attributes (OPTIONAL; default empty) + * * @return string html formated text area field + * */ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = array()) { - $label_open = ''; - $label_close = ''; - if (is_array($aAttribs)) { - // maybe id can default to name? - if (isset($aAttribs['id'])) { - $label_open = ''; - } - // add default css - if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea'; - // create attribute string (do we have to sanitize keys?) - $sAttribs = ''; - foreach ($aAttribs as $key => $value) { - $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':''); - } - } elseif (is_string($aAttribs)) { - // backward compatibility mode. deprecated. - $sAttribs = ' ' . $aAttribs; - } else { - $sAttribs = ''; + + // no longer accept string arguments for attribs; print + // backtrace to help people fix their code + //FIXME: throw error instead? + if (!is_array($aAttribs)) { + echo '$aAttribs argument to addTextArea() must be an array
';
+        debug_print_backtrace();
+        echo '

'; + exit; } - return '\n"; + + // add default css + else if (!isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea'; + + global $oTemplate; + +//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $sText = htmlspecialchars($sText); + $oTemplate->assign('aAttribs', $aAttribs); + $oTemplate->assign('name', $sName); + $oTemplate->assign('text', $sText); + $oTemplate->assign('cols', (int)$iCols); + $oTemplate->assign('rows', (int)$iRows); + + return $oTemplate->fetch('textarea.tpl'); } /** * Make a
start-tag. - * @param string $sAction form handler URL - * @param string $sMethod http method used to submit form data. 'get' or 'post' - * @param string $sName form name used for identification (used for backward - * compatibility). Use of id is recommended. + * + * @param string $sAction form handler URL + * @param string $sMethod http method used to submit form data. 'get' or 'post' + * @param string $sName form name used for identification (used for backward + * compatibility). Use of id is recommended instead. * @param string $sEnctype content type that is used to submit data. html 4.01 - * defaults to 'application/x-www-form-urlencoded'. Form with file field needs - * 'multipart/form-data' encoding type. + * defaults to 'application/x-www-form-urlencoded'. Form + * with file field needs 'multipart/form-data' encoding type. * @param string $sCharset charset that is used for submitted data - * @param array $aAttribs (since 1.5.1) extra attributes + * @param array $aAttribs (since 1.5.1) extra attributes + * * @return string html formated form start string + * */ function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array()) { - // id tags - if (! isset($aAttribs['id']) && ! empty($sName)) - $aAttribs['id'] = $sName; - if($sName) { - $sName = ' name="'.$sName.'"'; - } - if($sEnctype) { - $sEnctype = ' enctype="'.$sEnctype.'"'; - } - if($sCharset) { - $sCharset = ' accept-charset="'.htmlspecialchars($sCharset).'"'; - } + global $oTemplate; - // create attribute string (do we have to sanitize keys?) - $sAttribs = ''; - foreach ($aAttribs as $key => $value) { - $sAttribs.= ' ' . $key . (! is_null($value) ? '="'.htmlspecialchars($value).'"':''); - } +//FIXME: all the values in the $aAttribs list as well as $charset used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sCharset = htmlspecialchars($sCharset); + $oTemplate->assign('aAttribs', $aAttribs); + $oTemplate->assign('name', $sName); + $oTemplate->assign('method', $sMethod); + $oTemplate->assign('action', $sAction); + $oTemplate->assign('enctype', $sEnctype); + $oTemplate->assign('charset', $sCharset); - return '\n"; + return $oTemplate->fetch('form.tpl'); } -?> \ No newline at end of file