#1291081. Undo encoding of line feeds in calendar data.

Code still need fixes because htmlspecialchars should not be used on $calendar
data. Only functions that output data should do sanitizing.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10527 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/plugins/calendar/calendar_data.php b/plugins/calendar/calendar_data.php
index 1ae6ff62720a18270de4b2800ce80052144cce63..7128841db11b234a776179dd51b949acc6dbdd70 100644 (file)
--- a/plugins/calendar/calendar_data.php
+++ b/plugins/calendar/calendar_data.php
@@ -19,6 +19,34 @@
  *  $calendardata[date][time] = array(length,priority,title,message); */
 $calendardata = array();
 
+/**
+ * Reads multilined calendar data
+ * 
+ * Plugin stores multiline texts converted to single line with PHP nl2br().
+ * Function undoes nl2br() conversion and sanitizes data with htmlspecialchars().
+ * @param string $string calendar string
+ * @return string calendar string converted to multiline text
+ * @since 1.5.1
+ */
+function calendar_readmultiline($string) {
+    // replace html line breaks with ASCII line feeds
+    $string = str_replace(array('<br />','<br>'),array("\n","\n"),$string);
+    // FIXME: don't sanitize data. Storage backend should not care about html data safety
+    $string = htmlspecialchars($string,ENT_NOQUOTES);
+    return $string;
+}
+
+/**
+ * Callback function used to sanitize calendar data before saving it to file
+ * @param string $sValue array value 
+ * @param string $sKey array key
+ * @since 1.5.1
+ */
+function calendar_encodedata(&$sValue, $sKey) {
+    // add html line breaks and remove original ASCII line feeds and carriage returns
+    $sValue = str_replace(array("\n","\r"),array('',''),nl2br($sValue));
+}
+
 /**
  * read events into array
  *
@@ -39,7 +67,7 @@ function readcalendardata() {
                 $calendardata[$fdata[0]][$fdata[1]] = array( 'length' => $fdata[2],
                                                             'priority' => $fdata[3],
                                                             'title' => htmlspecialchars($fdata[4],ENT_NOQUOTES),
-                                                            'message' => htmlspecialchars($fdata[5],ENT_NOQUOTES),
+                                                            'message' => calendar_readmultiline($fdata[5]),
                                                             'reminder' => $fdata[6] );
             }
             fclose ($fp);
@@ -65,6 +93,7 @@ function writecalendardata() {
         while ( $calfoo = each ($calendardata)) {
             while ( $calbar = each ($calfoo['value'])) {
                 $calfoobar = $calendardata[$calfoo['key']][$calbar['key']];
+                array_walk($calfoobar,'calendar_encodedata');
                 $calstr = "$calfoo[key]|$calbar[key]|$calfoobar[length]|$calfoobar[priority]|$calfoobar[title]|$calfoobar[message]|$calfoobar[reminder]\n";
                 if(sq_fwrite($fp, $calstr, 4096) === FALSE) {
                         error_box(_("Could not write calendar file %s", "$username.$year.cal.tmp"), $color);
@@ -125,5 +154,4 @@ function update_event($date, $time) {
     }
 }
 
-
 ?>
\ No newline at end of file

diff --git a/plugins/calendar/day.php b/plugins/calendar/day.php
index d98e4f940cbe1db5d239c255538fd2566cfe744c..a1816c61ccf3269c6157156646b9ec7913e5a2dd 100644 (file)
--- a/plugins/calendar/day.php
+++ b/plugins/calendar/day.php
@@ -138,7 +138,7 @@ function display_events() {
                         html_tag( 'td', $ehour . ':' . $eminute . $elength, 'left' ) .
                         html_tag( 'td', '', 'left' ) . '[';
                             echo ($calbar['priority']==1) ? "<font color=\"$color[1]\">$calbar[title]</font>" : "$calbar[title]";
-                            echo"] $calbar[message]&nbsp;" .
+                            echo'] <div style="margin-left:10px">'.nl2br($calbar['message']).'</div>' .
                         html_tag( 'td',
                             "<font size=\"-1\"><nobr>\n" .
                             "<a href=\"event_edit.php?year=$year&amp;month=$month&amp;day=$day&amp;hour=".substr($calfoo['key'],0,2)."&amp;minute=".substr($calfoo['key'],2,2)."\">".