X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fforms.php;h=9941504f33529731b653652cb29b87464aa7160a;hb=59927db317c6b031765a88ca3508edeb7ccbcc6e;hp=4f5b1bf4709001392f32bcffab07b822e81e7ada;hpb=4b5049de2fa934c45599d6e4c74bf2bbee10d34d;p=squirrelmail.git
diff --git a/functions/forms.php b/functions/forms.php
index 4f5b1bf4..9941504f 100644
--- a/functions/forms.php
+++ b/functions/forms.php
@@ -4,7 +4,7 @@
* forms.php - html form functions
*
* Functions to build forms in a safe and consistent manner.
- * All attribute values are sanitized with htmlspecialchars().
+ * All attribute values are sanitized with sm_encode_html_special_chars().
//FIXME: I think the Template class might be better place to sanitize inside assign() method
*
* Currently functions don't provide simple wrappers for file and
@@ -25,7 +25,7 @@
* @link http://www.section508.gov/ Section 508
* @link http://www.w3.org/WAI/ Web Accessibility Initiative (WAI)
* @link http://www.w3.org/TR/html4/ W3.org HTML 4.01 form specs
- * @copyright © 2004-2007 The SquirrelMail Project Team
+ * @copyright 2004-2018 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
@@ -65,7 +65,7 @@ function addInputField($sType, $aAttribs=array()) {
global $oTemplate;
$oTemplate->assign('type', $sType);
-//FIXME: all the values in the $aAttribs list used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value);
+//FIXME: all the values in the $aAttribs list used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value);
$oTemplate->assign('aAttribs', $aAttribs);
return $oTemplate->fetch('input.tpl');
@@ -76,12 +76,17 @@ function addInputField($sType, $aAttribs=array()) {
* Password input field
* @param string $sName field name
* @param string $sValue initial password value
- * @param array $aAttribs (since 1.5.1) extra attributes
- * @return string html formated password field
+ * @param integer $iSize field size (number of characters)
+ * @param integer $iMaxlength maximum number of characters the user may enter
+ * @param array $aAttribs (since 1.5.1) extra attributes - should be given
+ * in the form array('attribute_name' => 'attribute_value', ...)
+ * @return string html formated password field
*/
-function addPwField($sName, $sValue = null, $aAttribs=array()) {
+function addPwField($sName, $sValue = '', $iSize = 0, $iMaxlength = 0, $aAttribs=array()) {
$aAttribs['name'] = $sName;
- $aAttribs['value'] = (! is_null($sValue) ? $sValue : '');
+ $aAttribs['value'] = $sValue;
+ if ($iSize) $aAttribs['size'] = (int)$iSize;
+ if ($iMaxlength) $aAttribs['maxlength'] = (int)$iMaxlength;
// add default css
if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmpwfield';
return addInputField('password',$aAttribs);
@@ -159,34 +164,80 @@ function addInput($sName, $sValue = '', $iSize = 0, $iMaxlength = 0, $aAttribs=a
/**
* Function to create a selectlist from an array.
- * @param string $sName field name
- * @param array $aValues field values array(key => value) -> , although if $bUsekeys is FALSE, then
- * @param mixed $default the key that will be selected
- * @param boolean $bUsekeys use the keys of the array as option value or not
- * @param array $aAttribs (since 1.5.1) extra attributes
+ * @param string $sName Field name
+ * @param array $aValues Field values array(key => value) results in:
+ * ,
+ * although if $bUsekeys is FALSE, then it changes to:
+ *
+ * @param mixed $default The key(s) that will be selected (it is OK to pass
+ * in an array here in the case of multiple select lists)
+ * @param boolean $bUsekeys Use the keys of the array as option value or not
+ * @param array $aAttribs (since 1.5.1) Extra attributes
+ * @param boolean $bMultiple When TRUE, a multiple select list will be shown
+ * (OPTIONAL; default is FALSE (single select list))
+ * @param int $iSize Desired height of multiple select boxes
+ * (OPTIONAL; default is SMOPT_SIZE_NORMAL)
+ * (only applicable when $bMultiple is TRUE)
+ *
* @return string html formated selection box
* @todo add attributes argument for option tags and default css
*/
-function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array()) {
+function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttribs = array(), $bMultiple = FALSE, $iSize = SMOPT_SIZE_NORMAL) {
// only one element
- if(count($aValues) == 1) {
+ if (!$bMultiple && count($aValues) == 1) {
$k = key($aValues); $v = array_pop($aValues);
- return addHidden($sName, ($bUsekeys ? $k:$v), $aAttribs).
- htmlspecialchars($v) . "\n";
+ return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs)
+ . sm_encode_html_special_chars($v);
}
+ if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName;
+
+ // make sure $default is an array, since multiple select lists
+ // need the chance to have more than one default...
+ //
+ if (!is_array($default))
+ $default = array($default);
+
+
global $oTemplate;
-//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[htmlspecialchars($key)] = htmlspecialchars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = htmlspecialchars($default);
+//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[sm_encode_html_special_chars($key)] = sm_encode_html_special_chars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = sm_encode_html_special_chars($default); (oops, watch out for when $default is an array! (multiple select lists))
$oTemplate->assign('aAttribs', $aAttribs);
$oTemplate->assign('aValues', $aValues);
$oTemplate->assign('bUsekeys', $bUsekeys);
$oTemplate->assign('default', $default);
$oTemplate->assign('name', $sName);
+ $oTemplate->assign('multiple', $bMultiple);
+ $oTemplate->assign('size', $iSize);
return $oTemplate->fetch('select.tpl');
}
+/**
+ * Normal button
+ *
+ * Note the switched value/name parameters!
+ * Note also that regular buttons are not very useful unless
+ * used with onclick handlers, thus are only really appropriate
+ * if you use them after having checked if JavaScript is turned
+ * on by doing this: if (checkForJavascript()) ...
+ *
+ * @param string $sValue button name
+ * @param string $sName key name
+ * @param array $aAttribs extra attributes
+ *
+ * @return string html formated submit input field
+ *
+ * @since 1.5.2
+ */
+function addButton($sValue, $sName = null, $aAttribs=array()) {
+ $aAttribs['value'] = $sValue;
+ if (! is_null($sName)) $aAttribs['name'] = $sName;
+ // add default css
+ if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield';
+ return addInputField('button', $aAttribs);
+}
+
/**
* Form submission button
* Note the switched value/name parameters!
@@ -202,6 +253,7 @@ function addSubmit($sValue, $sName = null, $aAttribs=array()) {
if (! isset($aAttribs['class'])) $aAttribs['class'] = 'sqmsubmitfield';
return addInputField('submit', $aAttribs);
}
+
/**
* Form reset button
* @param string $sValue button name
@@ -231,6 +283,7 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs =
// no longer accept string arguments for attribs; print
// backtrace to help people fix their code
+ //FIXME: throw error instead?
if (!is_array($aAttribs)) {
echo '$aAttribs argument to addTextArea() must be an array
'; debug_print_backtrace(); @@ -238,12 +291,16 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = exit; } - // FIXME: should the template do this instead???? + // add default css else if (!isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea'; + + if ( empty( $aAttribs['id'] ) ) { + $aAttribs['id'] = strtr($sName,'[]','__'); + } global $oTemplate; -//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $sText = htmlspecialchars($sText); +//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $sText = sm_encode_html_special_chars($sText); $oTemplate->assign('aAttribs', $aAttribs); $oTemplate->assign('name', $sName); $oTemplate->assign('text', $sText); @@ -256,24 +313,30 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = /** * Make a