From: tokul <tokul@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Thu, 8 Apr 2004 17:09:58 +0000 (+0000)
Subject: Don't use htmlentities() to sanitize input/output.
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=745eb9e20da22614d83f6931bbeea9ec1ac30053;p=squirrelmail.git

Don't use htmlentities() to sanitize input/output.
It breaks things outside of Western Europe/US.

Changing functions to use htmlspecialchars(). It still breaks things
in compose, when is_conversion_safe($charset)=true.

at least it breaks less.


git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@7051 7612ce4b-ef26-0410-bec9-ea0150e637f0
---

diff --git a/functions/forms.php b/functions/forms.php
index 4ddc32d9..3f204101 100644
--- a/functions/forms.php
+++ b/functions/forms.php
@@ -18,8 +18,8 @@
  */
 function addInputField($type, $name = null, $value = null, $attributes = '') {
     return '<input type="'.$type.'"'.
-        ($name  !== null ? ' name="'.htmlentities($name).'"'   : '').
-        ($value !== null ? ' value="'.htmlentities($value).'"' : '').
+        ($name  !== null ? ' name="'.htmlspecialchars($name).'"'   : '').
+        ($value !== null ? ' value="'.htmlspecialchars($value).'"' : '').
         $attributes . ">\n";
 }
 
@@ -85,16 +85,16 @@ function addSelect($name, $values, $default = null, $usekeys = false)
     if(count($values) == 1) {
         $k = key($values); $v = array_pop($values);
         return addHidden($name, ($usekeys ? $k:$v)).
-            htmlentities($v) . "\n";
+            htmlspecialchars($v) . "\n";
     }
 
-    $ret = '<select name="'.htmlentities($name) . "\">\n";
+    $ret = '<select name="'.htmlspecialchars($name) . "\">\n";
     foreach ($values as $k => $v) {
         if(!$usekeys) $k = $v;
         $ret .= '<option value="' .
-            htmlentities( $k ) . '"' .
+            htmlspecialchars( $k ) . '"' .
             (($default == $k) ? ' selected':'') .
-            '>' . htmlentities($v) ."</option>\n";
+            '>' . htmlspecialchars($v) ."</option>\n";
     }
     $ret .= "</select>\n";
 
@@ -119,9 +119,9 @@ function addReset($value) {
  * Textarea form element.
  */
 function addTextArea($name, $text = '', $cols = 40, $rows = 10, $attr = '') {
-    return '<textarea name="'.htmlentities($name).'" '.
+    return '<textarea name="'.htmlspecialchars($name).'" '.
         'rows="'.(int)$rows .'" cols="'.(int)$cols.'"'.
-        $attr . '">'.htmlentities($text) ."</textarea>\n";
+        $attr . '">'.htmlspecialchars($text) ."</textarea>\n";
 }
 
 /**