From 7b0ea8602d2a437280347c0f0a46a27540e2ffcc Mon Sep 17 00:00:00 2001
From: tokul
Date: Sat, 15 Oct 2005 11:12:53 +0000
Subject: [PATCH] sanitizing address book listing. extra field row is added for plugins that want to add html tags to address book listing (like vcard_abook).
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10173 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog | 2 +
 functions/addressbook.php | 14 ++++++
 src/addressbook.php | 94 +++++++++++++++++++++++----------------
 3 files changed, 71 insertions(+), 39 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 76e6ef87..2803b551 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -452,6 +452,8 @@ Version 1.5.1 -- CVS
 Reported by João Carlos Mendes Luís.
 - Added CR trimming to SquirrelSpell plugin in order to fix problems on Windows systems.
+ - Sanitized names displayed in address book listing.
+ - Added extra field controls to address book class.
 Version 1.5.0 - 2 February 2004
 -------------------------------
diff --git a/functions/addressbook.php b/functions/addressbook.php
index 362d1e40..6e18d1b6 100644
--- a/functions/addressbook.php
+++ b/functions/addressbook.php
@@ -447,6 +447,20 @@ class AddressBook {
 * @var string
 */
 var $localbackendname = '';
+ /**
+ * Controls use of 'extra' field
+ *
+ * Extra field can be used to add link to form, which allows
+ * to modify all fields supported by backend. This is the only field
+ * that is not sanitized with htmlspecialchars. Backends MUST make
+ * sure that field data is sanitized and displayed correctly inside
+ * table cell. Use of html formating in other address book fields is
+ * not allowed. Backends that don't return 'extra' row in address book
+ * data should not modify this object property.
+ * @var boolean
+ * @since 1.5.1
+ */
+ var $add_extra_field = false;
 /**
 * Constructor function.
diff --git a/src/addressbook.php b/src/addressbook.php
index eda30cc9..419b73b9 100644
--- a/src/addressbook.php
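Review bot: The docblock on `$add_extra_field` should state that the flag is per AddressBook object, not per backend: once any backend sets it, the listing in src/addressbook.php prints `$row['extra']` unescaped for every row of every backend shown, so all backends sharing the instance must either treat `extra` as trusted, already-escaped HTML or leave it unset. A suggested addition to the docblock: `* Note: this flag applies to the whole listing. When set, the 'extra' value of every row from every backend is output without escaping.` The property is also a plain public `var`, so nothing stops code outside a backend from setting it; that matches the rest of the class but is worth saying next to the MUST. The class body continues outside the hunk.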
+++ b/src/addressbook.php @@ -247,6 +247,11 @@ if ($showaddrlist) { /* List addresses */ if (count($alist) > 0) { echo addForm($form_url, 'post'); + if ($abook->add_extra_field) { + $abook_fields = 6; + } else { + $abook_fields = 5; + } while(list($undef,$row) = each($alist)) { /* New table header for each backend */ @@ -257,10 +262,10 @@ if ($showaddrlist) { html_tag( 'td', addSubmit(_("Edit selected"), 'editaddr'). addSubmit(_("Delete selected"), 'deladdr'), - 'center', '', 'colspan="5"' ) + 'center', '', "colspan=\"$abook_fields\"" ) ) . html_tag( 'tr', - html_tag( 'td', ' 
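Review bot: The new if/else that sets `$abook_fields` is a four-line branch for a two-way constant; `$abook_fields = ($abook->add_extra_field ? 6 : 5);` reads more directly and keeps the column count next to its condition. A short comment such as `// number of listing columns; one more when a backend adds the 'extra' cell` would tell a reader why the count varies. The enclosing `if (count($alist) > 0)` block continues past the hunk, and the footer hunk at @@ -360 also reads `$abook_fields`, which presumably sits inside that same block.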
', 'center', '', 'colspan="5"' ) + html_tag( 'td', ' 
', 'center', '', "colspan=\"$abook_fields\"" ) ), 'center' ); echo "\n\n" . @@ -278,20 +283,22 @@ if ($showaddrlist) { 'left', '', 'width="1%"' ) . "\n" . html_tag( 'th', _("Info") . show_abook_sort_button($abook_sort_order, _("sort by info"), 6, 7), - 'left', '', 'width="1%"' ) . "\n", + 'left', '', 'width="1%"' ) . + ($abook->add_extra_field ? html_tag( 'th', ' ','left', '', 'width="1%"'): '') . + "\n", '', $color[9] ) . "\n"; } // Separate different backends with
if($prevbackend > 0) { echo html_tag( 'tr', - html_tag( 'td', "
", 'center', '' ,'colspan="5"' ) + html_tag( 'td', "
", 'center', '' ,"colspan=\"$abook_fields\"" ) ); } // Print backend name echo html_tag( 'tr', - html_tag( 'td', "\n" . '' . $row['source'] . '' . "\n", 'center', $color[0] ,'colspan="5"' ) + html_tag( 'td', "\n" . '' . $row['source'] . '' . "\n", 'center', $color[0] ,"colspan=\"$abook_fields\"" ) ); $line = 0; 
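Review bot: The backend-name row rewritten in this hunk (the `// Print backend name` echo, touched for the colspan change) still emits `$row['source']` without escaping. The value is presumably the backend's display name set by configuration rather than by a user, but every other text cell in this commit now goes through htmlspecialchars(), and the new class docblock says html is not allowed in fields other than `extra`; wrapping it as `htmlspecialchars($row['source'])` keeps that rule uniform and costs nothing for the plain-text names it carries today.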
@@ -309,45 +316,54 @@ if ($showaddrlist) { } else { $tr_bgcolor = $color[4]; } + echo html_tag( 'tr', '', '', $tr_bgcolor); + if ($abook->backends[$row['backend']]->writeable) { + echo html_tag( 'td', + '' . + addCheckBox('sel[]', $selected, $row['backend'].':'.$row['nickname']). + '' , + 'center', '', 'valign="top" width="1%"' ); + } else { + echo html_tag( 'td', + ' ' , + 'center', '', 'valign="top" width="1%"' ); + } + echo html_tag( 'td', + ' ' . htmlspecialchars($row['nickname']) . ' ', + 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ); + + // different full name display formating for Japanese translation if ($squirrelmail_language == 'ja_JP') { - echo html_tag( 'tr', '', '', $tr_bgcolor); - if ($abook->backends[$row['backend']]->writeable) { - echo html_tag( 'td', - '' . - addCheckBox('sel[]', $selected, $row['backend'].':'.$row['nickname']). - '' , - 'center', '', 'valign="top" width="1%"' ); - } else { - echo html_tag( 'td', - ' ' , - 'center', '', 'valign="top" width="1%"' ); - } - echo html_tag( 'td', ' ' . $row['nickname'] . ' ', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . - html_tag( 'td', ' ' . $row['lastname'] . ' ' . $row['firstname'] . ' ', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . - html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . ' '; + /* + * translation uses euc-jp character set internally. + * htmlspecialchars() should not break any characters. + */ + echo html_tag( 'td', + ' ' . htmlspecialchars($row['lastname']) . ' ' . htmlspecialchars($row['firstname']) . ' ', + 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ); } else { - echo html_tag( 'tr', '', '', $tr_bgcolor); - if ($abook->backends[$row['backend']]->writeable) { - echo html_tag( 'td', - '' . - addCheckBox('sel[]', $selected, $row['backend'] . ':' . $row['nickname']). 
- '' , - 'center', '', 'valign="top" width="1%"' ); - } else { - echo html_tag( 'td', - ' ' , - 'center', '', 'valign="top" width="1%"' ); - } - echo html_tag( 'td', ' ' . $row['nickname'] . ' ', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . - html_tag( 'td', ' ' . $row['name'] . ' ', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . - html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . ' '; + echo html_tag( 'td', + ' ' . htmlspecialchars($row['name']) . ' ', + 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ); } + + // email address column + echo html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . ' '; $email = $abook->full_address($row); echo makeComposeLink('src/compose.php?send_to='.rawurlencode($email), htmlspecialchars($row['email'])). - ' '."\n". - html_tag( 'td', ' ' . htmlspecialchars($row['label']) . ' ', 'left', '', 'valign="top" width="1%"' ) . - "\n"; + ' '."\n"; + + // info column + echo html_tag( 'td', ' ' . htmlspecialchars($row['label']) . ' ', 'left', '', 'valign="top" width="1%"' ); + + // add extra column if third party backend needs it + if ($abook->add_extra_field) { + echo html_tag( 'td', + ' ' . (isset($row['extra']) ? $row['extra'] : '') . ' ', + 'left', '', 'valign="top" width="1%"' ); + } + echo "\n"; $line++; } echo "" . @@ -360,7 +376,7 @@ if ($showaddrlist) { html_tag( 'td', addSubmit(_("Edit selected"), 'editaddr') . addSubmit(_("Delete selected"), 'deladdr'), - 'center', '', 'colspan="5"' ) + 'center', '', "colspan=\"$abook_fields\"" ) ), 'center' ); } -- 2.25.1
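Review bot: In the merged checkbox cell the nickname is still passed raw as the third argument of `addCheckBox('sel[]', $selected, $row['backend'].':'.$row['nickname'])`, while the visible nickname cell just below now uses htmlspecialchars(); whether that is safe depends on addCheckBox() escaping its value argument, which is not visible here and should be confirmed. If it does not, the value attribute is the one place in the rewritten row where an entry's nickname still reaches the markup unescaped. The `extra` cell is the intended unescaped sink per the new AddressBook docblock; a one-line comment at the `isset($row['extra'])` echo such as `// 'extra' is deliberately not escaped: backends own its html (see AddressBook::$add_extra_field)` would make that explicit for the next reader. The enclosing while loop starts before this hunk.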