fixed some quoting problems in searching and message highlighting

form submissions

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@671 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/src/options_highlight.php b/src/options_highlight.php
index 1a4a8fcb09e14ad1465c636e308a2cf4164edcd8..8529ab6ac04137993ff4417e83b4973b4eecd889 100644 (file)
--- a/src/options_highlight.php
+++ b/src/options_highlight.php
@@ -32,6 +32,9 @@
    } else if ($action == "save") {
       if (!$theid) $theid = 0;
       $identname = ereg_replace(",", " ", $identname);
+      $identname = str_replace("\\\\", "\\", $identname);
+      $identname = str_replace("\\\"", "\"", $identname);
+      $identname = str_replace("\"", """, $identname);
       if ($color_type == 1) $newcolor = $newcolor_choose;
       else $newcolor = $newcolor_input;
  
@@ -39,6 +42,10 @@
       $newcolor = ereg_replace("#", "", $newcolor);
       $newcolor = "$newcolor";
       $value = ereg_replace(",", " ", $value);
+      $value = str_replace("\\\\", "\\", $value);
+      $value = str_replace("\\\"", "\"", $value);
+      $value = str_replace("\"", """, $value);
+
       setPref($data_dir, $username, "highlight$theid", $identname.",".$newcolor.",".$value.",".$match_type);
       $message_highlight_list[$theid]["name"] = $identname;
       $message_highlight_list[$theid]["color"] = $newcolor;
@@ -115,7 +122,11 @@
       echo _("Identifying name") . ":";
       echo "      </b></td>\n";
       echo "      <td width=75%>\n";
-      echo "         <input type=\"text\" value=\"".$message_highlight_list[$theid]["name"]."\" name=\"identname\">";
+      $disp = $message_highlight_list[$theid]["name"];
+      $disp = str_replace("\\\\", "\\", $disp);
+      $disp = str_replace("\\\"", "\"", $disp);
+      $disp = str_replace("\"", "&quot;", $disp);
+      echo "         <input type=\"text\" value=\"".$disp."\" name=\"identname\">";
       echo "      </td>\n";
       echo "   </tr>\n";
       echo "   <tr><td><small><small>&nbsp;</small></small></td></tr>\n";
@@ -163,7 +174,11 @@
       if ($message_highlight_list[$theid]["match_type"] == "subject") echo "            <option value=\"subject\" selected>Subject\n";
       else                                                         echo "            <option value=\"subject\">Subject\n";
       echo "         </select>\n";
-      echo "         <nobr><input type=\"text\" value=\"".$message_highlight_list[$theid]["value"]."\" name=\"value\">";
+      $disp = $message_highlight_list[$theid]["value"];
+      $disp = str_replace("\\\\", "\\", $disp);
+      $disp = str_replace("\\\"", "\"", $disp);
+      $disp = str_replace("\"", "&quot;", $disp);
+      echo "         <nobr><input type=\"text\" value=\"".$disp."\" name=\"value\">";
       echo "        <nobr></td>\n";
       echo "   </tr>\n";
       echo "</table>\n";

diff --git a/src/search.php b/src/search.php
index 137b8fe1a2093372130d922ee94a413e26036c57..2fb69f6da38091833ad80ad12e354b3b9381d01f 100644 (file)
--- a/src/search.php
+++ b/src/search.php
@@ -55,7 +55,11 @@
    echo "         </SELECT></SMALL></TT>";
    echo "       </TD>\n";
    echo "        <TD ALIGN=\"CENTER\" WIDTH=33%>\n";
-   echo "          <INPUT TYPE=\"TEXT\" SIZE=\"20\" NAME=\"what\" VALUE=\"$what\">\n";
+   $what_disp = ereg_replace(",", " ", $what);
+   $what_disp = str_replace("\\\\", "\\", $what_disp);
+   $what_disp = str_replace("\\\"", "\"", $what_disp);
+   $what_disp = str_replace("\"", "&quot;", $what_disp);
+   echo "          <INPUT TYPE=\"TEXT\" SIZE=\"20\" NAME=\"what\" VALUE=\"$what_disp\">\n";
    echo "        </TD>";
    echo "       <TD ALIGN=\"RIGHT\" WIDTH=33%>\n";
    echo "         <SELECT NAME=\"where\">";