From 3047e291f2982efe9501ec790faafd3da843d22d Mon Sep 17 00:00:00 2001 
From: kink Date: Sun, 9 Dec 2012 12:06:30 +0000 Subject: [PATCH] Replace calls to htmlspecialchars() with sm_encode_html_special_chars(). New function sm_encode_html_special_chars() encodes HTML special characters by calling htmlspecialchars(). It sets the character set to ISO-8859-1, to fix compatibility with PHP >= 5.4. Patch by Paul Lesniewski. See #3491925 git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14346 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- class/mime/Rfc822Header.class.php | 2 +- class/template/PHP_Template.class.php | 8 ++-- class/template/Smarty_Template.class.php | 8 ++-- class/template/Template.class.php | 2 +- functions/addressbook.php | 4 +- functions/attachment_common.php | 2 +- functions/display_messages.php | 2 +- functions/folder_manip.php | 10 ++--- functions/forms.php | 12 +++--- functions/global.php | 6 +-- functions/imap_general.php | 10 ++--- functions/imap_mailbox.php | 14 +++---- functions/imap_messages.php | 2 +- functions/mailbox_display.php | 4 +- functions/mime.php | 12 +++--- functions/options.php | 10 ++--- functions/page_header.php | 2 +- functions/strings.php | 35 ++++++++++++++++ include/init.php | 10 ++--- include/languages.php | 16 ++++---- include/options/display.php | 4 +- include/options/personal.php | 2 +- plugins/administrator/options.php | 4 +- plugins/calendar/calendar.php | 4 +- plugins/calendar/calendar_data.php | 2 +- plugins/calendar/day.php | 6 +-- plugins/calendar/event_create.php | 4 +- plugins/calendar/event_delete.php | 4 +- plugins/calendar/event_edit.php | 8 ++-- plugins/change_password/backend/ldap.php | 2 +- plugins/change_password/backend/peardb.php | 12 +++--- plugins/change_password/options.php | 2 +- plugins/filters/options.php | 4 +- plugins/filters/spamoptions.php | 2 +- plugins/fortune/functions.php | 2 +- plugins/info/functions.php | 4 +- plugins/info/options.php | 6 +-- plugins/listcommands/mailout.php | 4 +- .../templates/default/mailout.tpl | 12 +++--- 
plugins/mail_fetch/fetch.php | 20 +++++----- plugins/mail_fetch/functions.php | 8 ++-- plugins/mail_fetch/options.php | 14 +++---- .../message_details_bottom.php | 4 +- plugins/newmail/functions.php | 4 +- plugins/newmail/newmail_opt.php | 12 +++--- plugins/spamcop/options.php | 2 +- plugins/spamcop/spamcop.php | 12 +++--- plugins/squirrelspell/modules/check_me.mod | 6 +-- plugins/squirrelspell/modules/edit_dic.mod | 4 +- plugins/squirrelspell/modules/forget_me.mod | 2 +- plugins/squirrelspell/modules/lang_change.mod | 8 ++-- plugins/squirrelspell/sqspell_functions.php | 4 +- plugins/translate/functions.php | 2 +- src/addrbook_search.php | 4 +- src/addrbook_search_html.php | 2 +- src/addressbook.php | 8 ++-- src/compose.php | 18 ++++----- src/configtest.php | 40 +++++++++---------- src/folders.php | 6 +-- src/login.php | 2 +- src/options_highlight.php | 4 +- src/options_identities.php | 16 ++++---- src/options_order.php | 2 +- src/read_body.php | 4 +- src/right_main.php | 2 +- src/search.php | 12 +++--- src/vcard.php | 4 +- src/view_header.php | 2 +- templates/default/addrbook_addedit.tpl | 8 ++-- templates/default/addressbook_search_form.tpl | 2 +- templates/default/input.tpl | 4 +- templates/default/options_order.tpl | 2 +- templates/default_advanced/options_order.tpl | 2 +- templates/util_addressbook.php | 20 +++++----- templates/util_read.php | 2 +- 75 files changed, 281 insertions(+), 246 deletions(-) diff --git a/class/mime/Rfc822Header.class.php b/class/mime/Rfc822Header.class.php index 57a44d6e..a23c7b4d 100644 --- a/class/mime/Rfc822Header.class.php +++ b/class/mime/Rfc822Header.class.php 
@@ -736,7 +736,7 @@ class Rfc822Header { $value = substr($value,strlen($charset)+1); /* FIXME: What's the status of charset decode with language information ???? * Maybe language information contains only ascii text and charset_decode() - * only runs htmlspecialchars() on it. If it contains 8bit information, you + * only runs sm_encode_html_special_chars() on it. If it contains 8bit information, you * get html encoded text in charset used by selected translation. */ $value = charset_decode($charset,$value); diff --git a/class/template/PHP_Template.class.php b/class/template/PHP_Template.class.php index 7bf3e236..92399abc 100644 --- a/class/template/PHP_Template.class.php +++ b/class/template/PHP_Template.class.php @@ -65,7 +65,7 @@ class PHP_Template extends Template * @param mixed $value the value to assign FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function assign($tpl_var, $value = NULL) { @@ -93,7 +93,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * @param mixed $value the referenced value to assign FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function assign_by_ref($tpl_var, &$value) { 
@@ -159,7 +159,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * variable values FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function append($tpl_var, $value = NULL, $merge = FALSE) @@ -220,7 +220,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * variable values FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function append_by_ref($tpl_var, &$value, $merge = FALSE) diff --git a/class/template/Smarty_Template.class.php b/class/template/Smarty_Template.class.php index fb83905f..2b09c61a 100644 --- a/class/template/Smarty_Template.class.php +++ b/class/template/Smarty_Template.class.php @@ -84,7 +84,7 @@ class Smarty_Template extends Template * @param mixed $value the value to assign FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function assign($tpl_var, $value = NULL) { @@ -100,7 +100,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * @param mixed $value the referenced value to assign FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function assign_by_ref($tpl_var, &$value) { 
@@ -152,7 +152,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * variable values FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function append($tpl_var, $value = NULL, $merge = FALSE) { @@ -175,7 +175,7 @@ FIXME: Proposed idea to add a parameter here that turns variable * variable values FIXME: Proposed idea to add a parameter here that turns variable encoding on, so that we can make sure output is always - run through something like htmlspecialchars() (maybe even nl2br()?) + run through something like sm_encode_html_special_chars() (maybe even nl2br()?) * */ function append_by_ref($tpl_var, &$value, $merge = FALSE) { diff --git a/class/template/Template.class.php b/class/template/Template.class.php index 3e8361db..b12da29d 100644 --- a/class/template/Template.class.php +++ b/class/template/Template.class.php @@ -1480,7 +1480,7 @@ FIXME: We could make the incoming array more complex so it can if (empty($template)) { - trigger_error('The template "' . htmlspecialchars($file) + trigger_error('The template "' . sm_encode_html_special_chars($file) . '" could not be fetched!', E_USER_ERROR); } else { diff --git a/functions/addressbook.php b/functions/addressbook.php index 0559c8fa..5c5dbcb2 100644 --- a/functions/addressbook.php +++ b/functions/addressbook.php @@ -162,7 +162,7 @@ function addressbook_init($showerr = true, $onlylocal = false) { * display address book init errors. */ if ($abook_init_error!='' && $showerr) { - error_box(nl2br(htmlspecialchars($abook_init_error))); + error_box(nl2br(sm_encode_html_special_chars($abook_init_error))); } /* Return the initialized object */ 
@@ -414,7 +414,7 @@ class AddressBook { * * Extra field can be used to add link to form, which allows * to modify all fields supported by backend. This is the only field - * that is not sanitized with htmlspecialchars. Backends MUST make + * that is not sanitized with sm_encode_html_special_chars. Backends MUST make * sure that field data is sanitized and displayed correctly inside * table cell. Use of html formating in other address book fields is * not allowed. Backends that don't return 'extra' row in address book diff --git a/functions/attachment_common.php b/functions/attachment_common.php index 388ceef5..20f6b66c 100644 --- a/functions/attachment_common.php +++ b/functions/attachment_common.php @@ -147,7 +147,7 @@ function attachment_common_link_text(&$Args) { $Args[0]['attachment_common']['href'] = Where it links to */ sqgetGlobalVar('QUERY_STRING', $QUERY_STRING, SQ_SERVER); - // if htmlspecialchars() breaks something - find other way to encode & in url. + // if sm_encode_html_special_chars() breaks something - find other way to encode & in url. $Args[0]['attachment_common']['href'] = $base_uri . 'src/view_text.php?'. $QUERY_STRING; $Args[0]['attachment_common']['href'] = set_url_var($Args[0]['attachment_common']['href'], diff --git a/functions/display_messages.php b/functions/display_messages.php index 0854caba..68052f2f 100644 --- a/functions/display_messages.php +++ b/functions/display_messages.php @@ -28,7 +28,7 @@ function error_message($message, $mailbox, $sort, $startMessage) { $link = array ( 'URL' => sqm_baseuri()."src/right_main.php?sort=$sort&startMessage=$startMessage&mailbox=$urlMailbox", 'TEXT' => sprintf (_("Click here to return to %s"), - strtoupper($mailbox) == 'INBOX' ? _("INBOX") : htmlspecialchars(imap_utf7_decode_local($mailbox))) + strtoupper($mailbox) == 'INBOX' ? _("INBOX") : sm_encode_html_special_chars(imap_utf7_decode_local($mailbox))) ); error_box($message, $link); } 
diff --git a/functions/folder_manip.php b/functions/folder_manip.php index f35e2820..eb2a1813 100644 --- a/functions/folder_manip.php +++ b/functions/folder_manip.php @@ -124,9 +124,9 @@ function folders_rename_getname ($imapConnection, $delimiter, $old) { sqimap_logout($imapConnection); $oTemplate->assign('dialog_type', 'rename'); - $oTemplate->assign('parent_folder', htmlspecialchars($old_parent)); - $oTemplate->assign('current_full_name', htmlspecialchars($old)); - $oTemplate->assign('current_folder_name', htmlspecialchars($old_name)); + $oTemplate->assign('parent_folder', sm_encode_html_special_chars($old_parent)); + $oTemplate->assign('current_full_name', sm_encode_html_special_chars($old)); + $oTemplate->assign('current_folder_name', sm_encode_html_special_chars($old_name)); $oTemplate->assign('is_folder', $isfolder); $oTemplate->display('folder_manip_dialog.tpl'); @@ -198,8 +198,8 @@ function folders_delete_ask ($imapConnection, $folder_name) sqimap_logout($imapConnection); $oTemplate->assign('dialog_type', 'delete'); - $oTemplate->assign('folder_name', htmlspecialchars($folder_name)); - $oTemplate->assign('visible_folder_name', htmlspecialchars($visible_folder_name)); + $oTemplate->assign('folder_name', sm_encode_html_special_chars($folder_name)); + $oTemplate->assign('visible_folder_name', sm_encode_html_special_chars($visible_folder_name)); $oTemplate->display('folder_manip_dialog.tpl'); $oTemplate->display('footer.tpl'); diff --git a/functions/forms.php b/functions/forms.php index b2899d44..9d705765 100644 --- a/functions/forms.php +++ b/functions/forms.php 
@@ -4,7 +4,7 @@ * forms.php - html form functions * * Functions to build forms in a safe and consistent manner. - * All attribute values are sanitized with htmlspecialchars(). + * All attribute values are sanitized with sm_encode_html_special_chars(). //FIXME: I think the Template class might be better place to sanitize inside assign() method * * Currently functions don't provide simple wrappers for file and @@ -65,7 +65,7 @@ function addInputField($sType, $aAttribs=array()) { global $oTemplate; $oTemplate->assign('type', $sType); -//FIXME: all the values in the $aAttribs list used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); +//FIXME: all the values in the $aAttribs list used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $oTemplate->assign('aAttribs', $aAttribs); return $oTemplate->fetch('input.tpl'); @@ -187,7 +187,7 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri if (!$bMultiple && count($aValues) == 1) { $k = key($aValues); $v = array_pop($aValues); return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs) - . htmlspecialchars($v); + . sm_encode_html_special_chars($v); } if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName; 
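Review bot: In the `count($aValues) == 1` shortcut the visible label `$v` is now encoded, but the value handed to `addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs)` is not encoded in this hunk, and the FIXME in the same file says attribute values no longer pass through an encoder since the template refactor; whether addHidden() escapes its value is not visible here and should be confirmed, because a `"` in a select key or value would otherwise break out of the hidden input's value attribute. If addHidden() does not escape, `addHidden($sName, sm_encode_html_special_chars($bUsekeys ? $k : $v), $aAttribs)` is the minimal fix, provided the value is not encoded a second time downstream. The addSelect() body continues past the end of this hunk.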
@@ -201,7 +201,7 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri global $oTemplate; -//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[htmlspecialchars($key)] = htmlspecialchars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = htmlspecialchars($default); (oops, watch out for when $default is an array! (multiple select lists)) +//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[sm_encode_html_special_chars($key)] = sm_encode_html_special_chars($value); $aValues = $aNewValues; And probably this too because it has to be matched to a value that has already been sanitized: $default = sm_encode_html_special_chars($default); (oops, watch out for when $default is an array! (multiple select lists)) $oTemplate->assign('aAttribs', $aAttribs); $oTemplate->assign('aValues', $aValues); $oTemplate->assign('bUsekeys', $bUsekeys); 
@@ -300,7 +300,7 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs = global $oTemplate; -//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $sText = htmlspecialchars($sText); +//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $sText = sm_encode_html_special_chars($sText); $oTemplate->assign('aAttribs', $aAttribs); $oTemplate->assign('name', $sName); $oTemplate->assign('text', $sText); 
@@ -336,7 +336,7 @@ function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCha global $oTemplate; -//FIXME: all the values in the $aAttribs list as well as $charset used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sCharset = htmlspecialchars($sCharset); +//FIXME: all the values in the $aAttribs list as well as $charset used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file. Otherwise we have to do something like: foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sCharset = sm_encode_html_special_chars($sCharset); $oTemplate->assign('aAttribs', $aAttribs); $oTemplate->assign('name', $sName); $oTemplate->assign('method', $sMethod); diff --git a/functions/global.php b/functions/global.php index 7e22864d..3b42e750 100644 --- a/functions/global.php +++ b/functions/global.php @@ -764,8 +764,8 @@ function sm_print_r() { /** - * Sanitize a value using htmlspecialchars() or similar, but also - * recursively run htmlspecialchars() (or similar) on array keys + * Sanitize a value using sm_encode_html_special_chars() or similar, but also + * recursively run sm_encode_html_special_chars() (or similar) on array keys * and values. * * If $value is not a string or an array with strings in it, 
@@ -811,7 +811,7 @@ function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) { if ($quote_style === TRUE) return str_replace(array('\'', '"'), array(''', '"'), $value); else - return htmlspecialchars($value, $quote_style); + return sm_encode_html_special_chars($value, $quote_style); } // anything else gets returned with no changes diff --git a/functions/imap_general.php b/functions/imap_general.php index 017025ed..227bce28 100755 --- a/functions/imap_general.php +++ b/functions/imap_general.php @@ -349,7 +349,7 @@ function sqimap_read_data_list($imap_stream, $tag, $handle_errors, 'sqimap_run_command or sqimap_run_command_list instead

'. 'The following query was issued:
'. //FIXME: NO HTML IN CORE! - htmlspecialchars($query) . '
' . "
\n"; + sm_encode_html_special_chars($query) . '
' . "
\n"; error_box($string); $oTemplate->display('footer.tpl'); exit; @@ -376,11 +376,11 @@ function sqimap_error_box($title, $query = '', $message_title = '', $message = ' $cmd= strtolower($cmd[0]); if ($query != '' && $cmd != 'login') - $string .= _("Query:") . ' ' . htmlspecialchars($query) . '
'; + $string .= _("Query:") . ' ' . sm_encode_html_special_chars($query) . '
'; if ($message_title != '') $string .= $message_title; if ($message != '') - $string .= htmlspecialchars($message); + $string .= sm_encode_html_special_chars($message); //FIXME: NO HTML IN CORE! $string .= "
\n"; if ($link != '') @@ -941,7 +941,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ //FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ - $message = htmlspecialchars($message); + $message = sm_encode_html_special_chars($message); set_up_language($squirrelmail_language, true); if ($response == 'BAD') { if ($hide == 3) return sprintf(_("Bad request: %s"), $message); @@ -953,7 +953,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ if (isset($read) && is_array($read)) { $string .= '
' . _("Read data:") . "
\n"; foreach ($read as $line) { - $string .= htmlspecialchars($line) . "
\n"; + $string .= sm_encode_html_special_chars($line) . "
\n"; } } error_box($string); diff --git a/functions/imap_mailbox.php b/functions/imap_mailbox.php index 94b46aa8..23bf8382 100755 --- a/functions/imap_mailbox.php +++ b/functions/imap_mailbox.php @@ -432,7 +432,7 @@ function sqimap_mailbox_select ($imap_stream, $mailbox) { */ if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') { global $oTemplate; - error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox))); + error_box(sprintf(_("Invalid mailbox name: %s"),sm_encode_html_special_chars($mailbox))); sqimap_logout($imap_stream); $oTemplate->display('footer.tpl'); die(); @@ -784,7 +784,7 @@ function sqimap_mailbox_option_array($imap_stream, $folder_skip = 0, $boxes = 0, // i18n: Name of Drafts folder $box2 = $pad . _("Drafts"); } else { - $box2 = str_replace('  ', '. ', htmlspecialchars($boxes_part['formatted'])); + $box2 = str_replace('  ', '. ', sm_encode_html_special_chars($boxes_part['formatted'])); } break; case SMPREF_MAILBOX_SELECT_INDENTED: @@ -798,16 +798,16 @@ function sqimap_mailbox_option_array($imap_stream, $folder_skip = 0, $boxes = 0, $pad = str_pad('',12 * (count(explode($delimiter,$boxes_part['unformatted-dm']))-1),'  '); $box2 = $pad . _("Drafts"); } else { - $box2 = str_replace('  ', '  ', htmlspecialchars($boxes_part['formatted'])); + $box2 = str_replace('  ', '  ', sm_encode_html_special_chars($boxes_part['formatted'])); } break; default: /* default, long names, style = 0 */ - $box2 = str_replace(' ', ' ', htmlspecialchars(imap_utf7_decode_local($boxes_part['unformatted-disp']))); + $box2 = str_replace(' ', ' ', sm_encode_html_special_chars(imap_utf7_decode_local($boxes_part['unformatted-disp']))); break; } } - $a[htmlspecialchars($box)] = $box2; + $a[sm_encode_html_special_chars($box)] = $box2; } } 
@@ -843,12 +843,12 @@ function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_sk $str = ''; foreach ($boxes as $value=>$option) { - $lowerbox = strtolower(htmlspecialchars($value)); + $lowerbox = strtolower(sm_encode_html_special_chars($value)); $sel = false; if ($show_selected != 0) { reset($show_selected); while (!$sel && (list($x, $val) = each($show_selected))) { - if (strtolower($value) == strtolower(htmlspecialchars($val))) { + if (strtolower($value) == strtolower(sm_encode_html_special_chars($val))) { $sel = true; } } diff --git a/functions/imap_messages.php b/functions/imap_messages.php index edff01ed..976d5a3e 100755 --- a/functions/imap_messages.php +++ b/functions/imap_messages.php @@ -622,7 +622,7 @@ function parseFetch(&$aResponse,$aMessageList = array()) { $aMsg['ID'] = $id; $fetch = substr($read,$i_space+1,5); if (!is_numeric($id) && $fetch !== 'FETCH') { - $aMsg['ERROR'] = $read; // htmlspecialchars should be done just before display. this is backend code + $aMsg['ERROR'] = $read; // sm_encode_html_special_chars should be done just before display. this is backend code break; } $i = strpos($read,'(',$i_space+5); diff --git a/functions/mailbox_display.php b/functions/mailbox_display.php index f858bb4a..28398603 100644 --- a/functions/mailbox_display.php +++ b/functions/mailbox_display.php @@ -554,11 +554,11 @@ function prepareMessageList(&$aMailbox, $aProps) { $sMailbox = (isset($aAddr[SQM_ADDR_MAILBOX])) ? $aAddr[SQM_ADDR_MAILBOX] : ''; $sHost = (isset($aAddr[SQM_ADDR_HOST])) ? $aAddr[SQM_ADDR_HOST] : ''; if ($sPersonal) { - $title .= htmlspecialchars($sMailbox.'@'.$sHost).', '; + $title .= sm_encode_html_special_chars($sMailbox.'@'.$sHost).', '; } else { // if $value gets truncated we need to add the addresses with no // personal name as well - $title_maybe .= htmlspecialchars($sMailbox.'@'.$sHost).', '; + $title_maybe .= sm_encode_html_special_chars($sMailbox.'@'.$sHost).', '; } } if ($title) { 
diff --git a/functions/mime.php b/functions/mime.php index 1fff67ed..63d6d2df 100644 --- a/functions/mime.php +++ b/functions/mime.php @@ -63,7 +63,7 @@ function mime_structure ($bodystructure, $flags=array()) { displayPageHeader( $color, $mailbox ); $errormessage = _("SquirrelMail could not decode the bodystructure of the message"); $errormessage .= '
'._("The bodystructure provided by your IMAP server:").'

'; - $errormessage .= '
' . htmlspecialchars($read) . '
'; + $errormessage .= '
' . sm_encode_html_special_chars($read) . '
'; plain_error_message( $errormessage ); echo ''; exit; @@ -632,7 +632,7 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) { $this_attachment['DownloadHREF'] = $links['download link']['href']; $this_attachment['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : ''; $this_attachment['Size'] = $header->size; - $this_attachment['ContentType'] = htmlspecialchars($type0 .'/'. $type1); + $this_attachment['ContentType'] = sm_encode_html_special_chars($type0 .'/'. $type1); $this_attachment['OtherLinks'] = array(); foreach ($links as $val) { if ($val['text']==_("Download") || $val['text'] == _("View")) @@ -831,7 +831,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) { $iLastMatch = $i; $j = $i; if ($htmlsafe) { - $ret .= htmlspecialchars($res[1]); + $ret .= sm_encode_html_special_chars($res[1]); } else { $ret .= $res[1]; } @@ -860,7 +860,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) { } } else { if ($htmlsafe) { - $replace = htmlspecialchars($replace); + $replace = sm_encode_html_special_chars($replace); } $ret.= $replace; } @@ -881,7 +881,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) { } } else { if ($htmlsafe) { - $replace = htmlspecialchars($replace); + $replace = sm_encode_html_special_chars($replace); } } $ret .= $replace; @@ -901,7 +901,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) { } if (!$encoded && $htmlsafe) { - $ret .= htmlspecialchars($chunk); + $ret .= sm_encode_html_special_chars($chunk); } else { $ret .= $chunk; } diff --git a/functions/options.php b/functions/options.php index 5bb582c1..1df76857 100644 --- a/functions/options.php +++ b/functions/options.php 
@@ -475,9 +475,9 @@ class SquirrelOption { //TODO: might be better to have a separate template file for all widgets, because then the layout of the widget and the "trailing text" can be customized - they are still hard coded here if ($password) - return addPwField('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text); + return addPwField('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . sm_encode_html_special_chars($this->trailing_text); else - return addInput('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text); + return addInput('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . sm_encode_html_special_chars($this->trailing_text); } /** @@ -547,7 +547,7 @@ class SquirrelOption { $height = 5; } - return addSelect('new_' . $this->name, $this->possible_values, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height, !$this->htmlencoded) . htmlspecialchars($this->trailing_text); + return addSelect('new_' . $this->name, $this->possible_values, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height, !$this->htmlencoded) . sm_encode_html_special_chars($this->trailing_text); } @@ -605,7 +605,7 @@ class SquirrelOption { $option_list = array('ignore' => _("unavailable")); - return addSelect('new_' . $this->name, $option_list, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height) . htmlspecialchars($this->trailing_text); + return addSelect('new_' . $this->name, $option_list, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height) . sm_encode_html_special_chars($this->trailing_text); } 
@@ -792,7 +792,7 @@ class SquirrelOption { */ function createWidget_Submit() { - return addSubmit($this->comment, $this->name, $this->aExtraAttribs) . htmlspecialchars($this->trailing_text); + return addSubmit($this->comment, $this->name, $this->aExtraAttribs) . sm_encode_html_special_chars($this->trailing_text); } diff --git a/functions/page_header.php b/functions/page_header.php index 8034acb1..0c762c56 100644 --- a/functions/page_header.php +++ b/functions/page_header.php @@ -284,7 +284,7 @@ function displayPageHeader($color, $mailbox='', $sHeaderJs='', $sOnload = '') { * this explains the imap_mailbox.php dependency. We should instead store * the selected mailbox in the session and fallback to the session var. */ - $shortBoxName = htmlspecialchars(imap_utf7_decode_local( + $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local( readShortMailboxName($mailbox, $delimiter))); if (getPref($data_dir, $username, 'translate_special_folders')) { global $sent_folder, $trash_folder, $draft_folder; diff --git a/functions/strings.php b/functions/strings.php index b8166754..5a1c5b8f 100644 --- a/functions/strings.php +++ b/functions/strings.php 
@@ -1674,3 +1674,38 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
 }
+/**
+ * Wrapper for PHP's htmlspecialchars() that
+ * attempts to add the correct character encoding
+ *
+ * @param string $string The string to be converted
+ * @param int $flags A bitmask that controls the behavior of htmlspecialchars()
+ * (See http://php.net/manual/function.htmlspecialchars.php )
+ * (OPTIONAL; default ENT_COMPAT)
+ * @param string $encoding The character encoding to use in the conversion
+ * (OPTIONAL; default automatic detection)
+ * @param boolean $double_encode Whether or not to convert entities that are
+ * already in the string (only supported in
+ * PHP 5.2.3+) (OPTIONAL; default TRUE)
+ *
+ * @return string The converted text
+ *
+ */
+function sm_encode_html_special_chars($string, $flags=ENT_COMPAT,
+ $encoding=NULL, $double_encode=TRUE)
+{
+ if (!$encoding)
+ {
+ global $default_charset;
+ if ($default_charset == 'iso-2022-jp')
+ $default_charset = 'EUC-JP';
+ $encoding = $default_charset;
+ }
+
+// TODO: Is adding this check an unnecessary performance hit?
+ if (check_php_version(5, 2, 3))
+ return htmlspecialchars($string, $flags, $encoding, $double_encode);
+
+ return htmlspecialchars($string, $flags, $encoding);
+}
+
diff --git a/include/init.php b/include/init.php
index eb533653..fd769df7 100644
--- a/include/init.php
+++ b/include/init.php
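Review bot: `$default_charset = 'EUC-JP';` inside the `if (!$encoding)` branch writes through the `global $default_charset` binding, so the first call to this wrapper under an iso-2022-jp locale changes the application-wide charset for the rest of the request instead of only the encoding passed to htmlspecialchars(); keep it local: `$encoding = ($default_charset == 'iso-2022-jp') ? 'EUC-JP' : $default_charset;`. The commit description says the wrapper sets the character set to ISO-8859-1, whereas the code derives it from `$default_charset`, so one of the two should be corrected. Per the PHP manual, htmlspecialchars() accepts only a fixed list of charset names and falls back to its own default (with a warning) for anything else, so the docblock should say so, e.g. `@param string $encoding ... must be a charset htmlspecialchars() supports; other names fall back to PHP's default`. Finally, `if (!$encoding)` also treats the string "0" as unset; `$encoding === NULL || $encoding === ''` is the stricter test.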
@@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) { * or * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E * because it doesn't bother with broken tags. - * htmlspecialchars() is the preferred method. + * sm_encode_html_special_chars() is the preferred method. * QUERY_STRING also needs the same treatment since it is * used in php_self(). * Update again: the encoding of ampersands that occurs - * using htmlspecialchars() corrupts the query strings + * using sm_encode_html_special_chars() corrupts the query strings * in normal URIs, so we have to let those through. FIXME: will the de-sanitizing of ampersands create any security/XSS problems? */ if (isset($_SERVER['REQUEST_URI'])) - $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI'])); + $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI'])); if (isset($_SERVER['PHP_SELF'])) - $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF'])); + $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF'])); if (isset($_SERVER['QUERY_STRING'])) - $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING'])); + $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING'])); $PHP_SELF = php_self(); diff --git a/include/languages.php b/include/languages.php index 0e795d2d..c9bf4ccd 100644 --- a/include/languages.php +++ b/include/languages.php 
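Review bot: With the wrapper now taking its charset from `$default_charset`, the three `$_SERVER[...]` assignments here inherit a behaviour the commit does not address: per the PHP manual, htmlspecialchars() returns an empty string when the input contains a byte sequence that is invalid in the given charset unless ENT_SUBSTITUTE or ENT_IGNORE is passed, so under a utf-8 `$default_charset` a request with stray high bytes in its URI or query string leaves `$_SERVER['REQUEST_URI']`, `PHP_SELF` and `QUERY_STRING` empty and `php_self()` working from nothing. The pre-5.4 ISO-8859-1 default accepted any byte, so this appears to be a new failure mode rather than a preserved one. Consider `$flags = defined('ENT_SUBSTITUTE') ? ENT_COMPAT | ENT_SUBSTITUTE : ENT_COMPAT;` and passing `$flags` as the second argument in all three calls, or at least documenting the blanking next to the existing FIXME about de-sanitising ampersands, whose question remains open after this change.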
@@ -193,7 +193,7 @@ function sq_setlocale($category,$locale) { * @param string $string Text to be decoded * @param boolean $force_decode converts string to html without $charset!=$default_charset check. * Argument is available since 1.4.5 and 1.5.1. - * @param boolean $save_html disables htmlspecialchars() in order to preserve + * @param boolean $save_html disables sm_encode_html_special_chars() in order to preserve * html formating. Use with care. Available since 1.4.6 and 1.5.1 * @return string decoded string */ @@ -218,7 +218,7 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals // Don't do conversion if charset is the same. if ( ! $force_decode && $charset == strtolower($default_charset) ) - return ($save_html ? $string : htmlspecialchars($string)); + return ($save_html ? $string : sm_encode_html_special_chars($string)); // catch iso-8859-8-i thing if ( $charset == "iso-8859-8-i" ) @@ -234,10 +234,10 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals // other charsets can be converted to utf-8 without loss. // and output string is smaller $string = recode_string($charset . "..utf-8",$string); - return ($save_html ? $string : htmlspecialchars($string)); + return ($save_html ? $string : sm_encode_html_special_chars($string)); } else { $string = recode_string($charset . "..html",$string); - // recode does not convert single quote, htmlspecialchars does. + // recode does not convert single quote, sm_encode_html_special_chars does. $string = str_replace("'", ''', $string); // undo html specialchars if ($save_html) 
@@ -250,13 +250,13 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals // iconv functions does not have html target and can be used only with utf-8 if ( $use_php_iconv && $default_charset=='utf-8') { $string = iconv($charset,$default_charset,$string); - return ($save_html ? $string : htmlspecialchars($string)); + return ($save_html ? $string : sm_encode_html_special_chars($string)); } // If we don't use recode and iconv, we'll do it old way. /* All HTML special characters are 7 bit and can be replaced first */ - if (! $save_html) $string = htmlspecialchars ($string); + if (! $save_html) $string = sm_encode_html_special_chars ($string); /* controls cpu and memory intensive decoding cycles */ if (! isset($aggressive_decoding) || $aggressive_decoding=="" ) { @@ -279,7 +279,7 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals * @since 1.4.4 and 1.5.1 * @param string $string * @param string $charset - * @param boolean $htmlencode keep htmlspecialchars encoding + * @param boolean $htmlencode keep sm_encode_html_special_chars encoding * @return string */ function charset_encode($string,$charset,$htmlencode=true) { @@ -323,7 +323,7 @@ function charset_encode($string,$charset,$htmlencode=true) { * @param string $in_charset initial charset * @param string $string string that has to be converted * @param string $out_charset final charset - * @param boolean $htmlencode keep htmlspecialchars encoding + * @param boolean $htmlencode keep sm_encode_html_special_chars encoding * @return string converted string */ function charset_convert($in_charset,$string,$out_charset,$htmlencode=true) { diff --git a/include/options/display.php b/include/options/display.php index d2e82c2a..ef11c50e 100644 --- a/include/options/display.php +++ b/include/options/display.php 
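Review bot: In the manual fallback path of charset_decode() the line `if (! $save_html) $string = sm_encode_html_special_chars ($string);` escapes text that is still in the source `$charset`, yet the helper passes `$default_charset` as the encoding; on PHP 5.4+ htmlspecialchars() returns an empty string for input that is not valid in the stated encoding, so with a UTF-8 `$default_charset` any 8-bit legacy text reaching this branch is blanked before the decoding cycles below ever run. The comment above that line only relies on HTML special characters being 7-bit, so an 8-bit-transparent single-byte encoding should be named explicitly: `if (! $save_html) $string = sm_encode_html_special_chars($string, ENT_COMPAT, 'ISO-8859-1');`. The iconv branch just above is unaffected because it converts to `$default_charset` first. charset_decode() continues past the end of this hunk.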
@@ -82,14 +82,14 @@ function load_optpage_data_display() { $template_themes = $oTemplate->get_alternative_stylesheets(true); asort($template_themes); foreach ($template_themes as $sheet=>$name) { - $theme_values[$sheet] = 'Template Theme - '.htmlspecialchars($name); + $theme_values[$sheet] = 'Template Theme - '.sm_encode_html_special_chars($name); } // Next, list user-provided styles asort($user_themes); foreach ($user_themes as $style) { if ($style['PATH'] == 'none') continue; - $theme_values[$style['PATH']] = 'User Theme - '.htmlspecialchars($style['NAME']); + $theme_values[$style['PATH']] = 'User Theme - '.sm_encode_html_special_chars($style['NAME']); } if (count($user_themes) + count($template_themes) > 1) { diff --git a/include/options/personal.php b/include/options/personal.php index e25bb3e7..64801e7a 100644 --- a/include/options/personal.php +++ b/include/options/personal.php @@ -104,7 +104,7 @@ function load_optpage_data_personal() { 'caption' => _("E-mail Address"), 'type' => SMOPT_TYPE_COMMENT, 'refresh' => SMOPT_REFRESH_NONE, - 'comment' => htmlspecialchars($email_address) + 'comment' => sm_encode_html_special_chars($email_address) ); } diff --git a/plugins/administrator/options.php b/plugins/administrator/options.php index 3f7ad46e..e3d2617c 100644 --- a/plugins/administrator/options.php +++ b/plugins/administrator/options.php @@ -422,7 +422,7 @@ foreach ( $newcfg as $k => $v ) { } echo "$name" .""; if ( isset( $defcfg[$k]['comment'] ) ) { echo '   ' . $defcfg[$k]['comment']; @@ -440,7 +440,7 @@ foreach ( $newcfg as $k => $v ) { } echo "$name" ."'; if ( isset( $defcfg[$k]['comment'] ) ) { echo '   ' . $defcfg[$k]['comment']; diff --git a/plugins/calendar/calendar.php b/plugins/calendar/calendar.php index 2563be57..091250d2 100644 --- a/plugins/calendar/calendar.php +++ b/plugins/calendar/calendar.php 
@@ -114,11 +114,11 @@ function drawmonthview() { $calbar = $calendardata[$cdate][$calfoo['key']]; // FIXME: how to display multiline task $title = '['. $calfoo['key']. '] ' . - str_replace(array("\r","\n"),array(' ',' '),htmlspecialchars($calbar['message'])); + str_replace(array("\r","\n"),array(' ',' '),sm_encode_html_special_chars($calbar['message'])); // FIXME: link to nowhere echo "".htmlspecialchars($calbar['title'])."
\n"; + ."\" title=\"$title\">".sm_encode_html_special_chars($calbar['title'])."
\n"; $i=$i+1; if($i==2){ break; diff --git a/plugins/calendar/calendar_data.php b/plugins/calendar/calendar_data.php index d1feb75f..5e315e72 100644 --- a/plugins/calendar/calendar_data.php +++ b/plugins/calendar/calendar_data.php @@ -23,7 +23,7 @@ $calendardata = array(); * Plugin stores multiline texts converted to single line with PHP nl2br(). * Function undoes nl2br() conversion and html encoding of ASCII vertical bar. * - * Older plugin versions sanitized data with htmlspecialchars. Since 1.5.1 calendar + * Older plugin versions sanitized data with sm_encode_html_special_chars. Since 1.5.1 calendar * data is not sanitized. Output functions must make sure that data is correctly * encoded and sanitized. * @param string $string calendar string diff --git a/plugins/calendar/day.php b/plugins/calendar/day.php index 55dd8c4d..7926607b 100644 --- a/plugins/calendar/day.php +++ b/plugins/calendar/day.php @@ -127,9 +127,9 @@ function display_events() { html_tag( 'td', date_intl(_("H:i"),mktime($ehour,$eminute,0,1,1,0)) . $elength, 'left' ) . html_tag( 'td', '', 'left' ) . '['; echo ($calbar['priority']==1) ? - "".htmlspecialchars($calbar['title']).'' : - htmlspecialchars($calbar['title']); - echo']
'.nl2br(htmlspecialchars($calbar['message'])).'
' . + "".sm_encode_html_special_chars($calbar['title']).'' : + sm_encode_html_special_chars($calbar['title']); + echo']
'.nl2br(sm_encode_html_special_chars($calbar['message'])).'
' . html_tag( 'td', "\n" . "\n", '', $color[4], 'colspan="2"' ) ."\n" @@ -200,11 +200,11 @@ function confirm_update() { ) . html_tag( 'tr', html_tag( 'td', _("Title:") , 'right', $color[4] ) ."\n" . - html_tag( 'td', htmlspecialchars($event_title) , 'left', $color[4] ) ."\n" + html_tag( 'td', sm_encode_html_special_chars($event_title) , 'left', $color[4] ) ."\n" ) . html_tag( 'tr', html_tag( 'td', _("Message:") , 'right', $color[4] ) ."\n" . - html_tag( 'td', nl2br(htmlspecialchars($event_text)) , 'left', $color[4] ) ."\n" + html_tag( 'td', nl2br(sm_encode_html_special_chars($event_text)) , 'left', $color[4] ) ."\n" ) . html_tag( 'tr', html_tag( 'td', diff --git a/plugins/change_password/backend/ldap.php b/plugins/change_password/backend/ldap.php index 14921615..681d6f2e 100644 --- a/plugins/change_password/backend/ldap.php +++ b/plugins/change_password/backend/ldap.php @@ -646,7 +646,7 @@ function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') { break; default: array_push($msgs,sprintf(_("Unsupported crypto: %s"), - (is_string($ldap_crypto) ? htmlspecialchars($ldap_crypto) : _("unknown")))); + (is_string($ldap_crypto) ? sm_encode_html_special_chars($ldap_crypto) : _("unknown")))); } return $ret; } diff --git a/plugins/change_password/backend/peardb.php b/plugins/change_password/backend/peardb.php index ede4ad8c..7f04a67b 100644 --- a/plugins/change_password/backend/peardb.php +++ b/plugins/change_password/backend/peardb.php 
@@ -152,16 +152,16 @@ function cpw_peardb_dochange($data) { // connect to database and make sure that table exists $cpw_db = DB::connect($cpw_peardb_dsn, $cpw_peardb_connect_opts); if (PEAR::isError($cpw_db)) { - array_push($msgs,sprintf(_("Connection error: %s"),htmlspecialchars($cpw_db->getMessage()))); + array_push($msgs,sprintf(_("Connection error: %s"),sm_encode_html_special_chars($cpw_db->getMessage()))); if ($cpw_peardb_debug) - array_push($msgs,htmlspecialchars($cpw_db->getuserinfo())); + array_push($msgs,sm_encode_html_special_chars($cpw_db->getuserinfo())); return $msgs; } // get table information $table_info = $cpw_db->tableinfo($cpw_peardb_table); if (PEAR::isError($table_info)) { - array_push($msgs,sprintf(_("Invalid table name: %s"),htmlspecialchars($cpw_peardb_table))); + array_push($msgs,sprintf(_("Invalid table name: %s"),sm_encode_html_special_chars($cpw_peardb_table))); $cpw_db->disconnect(); return $msgs; } @@ -210,7 +210,7 @@ function cpw_peardb_dochange($data) { ''); $cpw_res=$cpw_db->query($query); if (PEAR::isError($cpw_res)) { - array_push($msgs,sprintf(_("Query failed: %s"),htmlspecialchars($cpw_res->getMessage()))); + array_push($msgs,sprintf(_("Query failed: %s"),sm_encode_html_special_chars($cpw_res->getMessage()))); $cpw_db->disconnect(); return $msgs; } @@ -284,7 +284,7 @@ function cpw_peardb_dochange($data) { // check for update error if (PEAR::isError($cpw_res)) { - array_push($msgs,sprintf(_("Unable to set new password: %s"),htmlspecialchars($cpw_res->getMessage()))); + array_push($msgs,sprintf(_("Unable to set new password: %s"),sm_encode_html_special_chars($cpw_res->getMessage()))); } // close database connection 
@@ -427,7 +427,7 @@ function cpw_peardb_passwd_hash($password,$crypto,&$msgs,$forced_salt='') { $ret = $password; break; default: - array_push($msgs,sprintf(_("Unsupported crypto: %s"),htmlspecialchars($crypto))); + array_push($msgs,sprintf(_("Unsupported crypto: %s"),sm_encode_html_special_chars($crypto))); } return $ret; } diff --git a/plugins/change_password/options.php b/plugins/change_password/options.php index b1dafb21..474fe619 100644 --- a/plugins/change_password/options.php +++ b/plugins/change_password/options.php @@ -81,7 +81,7 @@ do_hook('change_password_init', $null); if (isset($Messages) && count($Messages) > 0) { echo "\n"; foreach ($Messages as $line) { - echo htmlspecialchars($line) . "
\n"; + echo sm_encode_html_special_chars($line) . "
\n"; } echo "\n"; } diff --git a/plugins/filters/options.php b/plugins/filters/options.php index 434bc98c..10aa6437 100644 --- a/plugins/filters/options.php +++ b/plugins/filters/options.php @@ -180,7 +180,7 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) { html_tag( 'td', '', 'left' ) . ''. ''. @@ -243,7 +243,7 @@ if (count($filters)) { printf( _("If %s contains %s then move to %s"), ''.$filters[$i]['where'].'', ''.$filters[$i]['what'].'', - ''.htmlspecialchars(imap_utf7_decode_local($fdr)).''); + ''.sm_encode_html_special_chars(imap_utf7_decode_local($fdr)).''); echo ''; } diff --git a/plugins/filters/spamoptions.php b/plugins/filters/spamoptions.php index 4e4893e7..a5bc3973 100644 --- a/plugins/filters/spamoptions.php +++ b/plugins/filters/spamoptions.php @@ -175,7 +175,7 @@ if (isset($action) && $action == 'spam') { echo html_tag( 'p', '', 'center' ) . '[
' . _("Edit") . ']' . ' - [' . _("Done") . ']

'; - printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?''.sm_encode_html_special_chars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); echo '
'; printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' ); echo '

'. diff --git a/plugins/fortune/functions.php b/plugins/fortune/functions.php index b0b84a3f..0989c721 100644 --- a/plugins/fortune/functions.php +++ b/plugins/fortune/functions.php @@ -50,7 +50,7 @@ function fortune_function() { } $oTemplate->assign('color', $color); - $oTemplate->assign('fortune', htmlspecialchars($fortune)); + $oTemplate->assign('fortune', sm_encode_html_special_chars($fortune)); $output = $oTemplate->fetch('plugins/fortune/mailbox_index_before.tpl'); return array('mailbox_index_before' => $output); diff --git a/plugins/info/functions.php b/plugins/info/functions.php index db36cfc7..2bf1c64b 100644 --- a/plugins/info/functions.php +++ b/plugins/info/functions.php @@ -37,7 +37,7 @@ function get_caps($imap_stream) { * @access private */ function imap_test($imap_stream, $string) { - print "".htmlspecialchars($string).""; + print "".sm_encode_html_special_chars($string).""; $response = sqimap_run_command_list($imap_stream, trim($string),false, $responses, $message,false); array_push($response, $responses . ' ' .$message); return $response; @@ -55,7 +55,7 @@ function print_response($response) { print_response($value); } else { - print htmlspecialchars($value)."
\n"; + print sm_encode_html_special_chars($value)."
\n"; } } } diff --git a/plugins/info/options.php b/plugins/info/options.php index 82f5d546..13328239 100644 --- a/plugins/info/options.php +++ b/plugins/info/options.php @@ -75,7 +75,7 @@ echo '
'._("IMAP server information")." "
\n"; foreach($caps_array[0] as $value) { - echo htmlspecialchars($value); + echo sm_encode_html_special_chars($value); } echo "\n"; @@ -92,8 +92,8 @@ if (!isset($submit) || $submit == 'default') { } } else { - echo 'folder_prefix = ' . htmlspecialchars($folder_prefix)."
\n" . - 'default_charset = '.htmlspecialchars($default_charset)."\n"; + echo 'folder_prefix = ' . sm_encode_html_special_chars($folder_prefix)."
\n" . + 'default_charset = '.sm_encode_html_special_chars($default_charset)."\n"; } echo "

\n"; diff --git a/plugins/listcommands/mailout.php b/plugins/listcommands/mailout.php index 9b56a0e6..c88425fa 100644 --- a/plugins/listcommands/mailout.php +++ b/plugins/listcommands/mailout.php @@ -40,13 +40,13 @@ switch ( $action ) { $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below."); break; default: - error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action))); + error_box(sprintf(_("Unknown action: %s"),sm_encode_html_special_chars($action))); // display footer (closes html tags) and stop script execution $oTemplate->display('footer.tpl'); exit; } -$out_string = sprintf($out_string, '"' . htmlspecialchars($send_to) . '"'); +$out_string = sprintf($out_string, '"' . sm_encode_html_special_chars($send_to) . '"'); $idents = get_identities(); $fieldsdescr = listcommands_fieldsdescr(); $fielddescr = $fieldsdescr[$action]; diff --git a/plugins/listcommands/templates/default/mailout.tpl b/plugins/listcommands/templates/default/mailout.tpl index c9950315..6c33bab7 100644 --- a/plugins/listcommands/templates/default/mailout.tpl +++ b/plugins/listcommands/templates/default/mailout.tpl @@ -42,7 +42,7 @@ extract($t); foreach($idents as $nr=>$data) { echo '\n"; @@ -53,14 +53,14 @@ extract($t); } else { echo _("From:"); - echo htmlspecialchars($idents[0]['full_name'].' <'.$idents[0]['email_address'].'>'); + echo sm_encode_html_special_chars($idents[0]['full_name'].' <'.$idents[0]['email_address'].'>'); } ?>

- - - - + + + + " />
diff --git a/plugins/mail_fetch/fetch.php b/plugins/mail_fetch/fetch.php index 7086382c..05f50f96 100644 --- a/plugins/mail_fetch/fetch.php +++ b/plugins/mail_fetch/fetch.php @@ -35,7 +35,7 @@ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); function Mail_Fetch_Status($msg) { echo html_tag( 'table', html_tag( 'tr', - html_tag( 'td', htmlspecialchars( $msg ) , 'left' ) + html_tag( 'td', sm_encode_html_special_chars( $msg ) , 'left' ) ), '', '', 'width="90%"' ); flush(); @@ -97,7 +97,7 @@ function Mail_Fetch_Select_Server($mailfetch) { '' . "\n"; } echo '' . @@ -109,7 +109,7 @@ function Mail_Fetch_Select_Server($mailfetch) { if ($mailfetch[$i]['pass'] == '') { echo html_tag( 'tr', html_tag( 'td', _("Password for") . ' ' . - htmlspecialchars($mailfetch[$i]['alias']) . + sm_encode_html_special_chars($mailfetch[$i]['alias']) . ':     ', 'right' ) . html_tag( 'td', '', 'left' ) @@ -177,7 +177,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { html_tag( 'tr', html_tag( 'td', '' . sprintf(_("Fetching from %s"), - htmlspecialchars($mailfetch[$i_loop]['alias'])) . + sm_encode_html_special_chars($mailfetch[$i_loop]['alias'])) . '', 'center' ) , '', $color[9] ) , @@ -209,13 +209,13 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { /* log into pop server*/ if (! $pop3->login($mailfetch_user, $mailfetch_pass)) { - Mail_Fetch_Status(_("Login Failed:") . ' ' . htmlspecialchars($pop3->error)); + Mail_Fetch_Status(_("Login Failed:") . ' ' . sm_encode_html_special_chars($pop3->error)); continue; } $aMsgStat = $pop3->command_stat(); if (is_bool($aMsgStat)) { - Mail_Fetch_Status(_("Can't get mailbox status:") . ' ' . htmlspecialchars($pop3->error) ); + Mail_Fetch_Status(_("Can't get mailbox status:") . ' ' . sm_encode_html_special_chars($pop3->error) ); continue; } 
@@ -229,7 +229,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { Mail_Fetch_Status(_("Fetching UIDL...")); $msglist = $pop3->command_uidl(); if (is_bool($msglist)) { - Mail_Fetch_Status(_("Server does not support UIDL.") . ' '.htmlspecialchars($pop3->error)); + Mail_Fetch_Status(_("Server does not support UIDL.") . ' '.sm_encode_html_special_chars($pop3->error)); // User asked to leave messages on server, but we can't do that. $pop3->command_quit(); continue; @@ -284,7 +284,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { $Message = $pop3->command_retr($i); if (is_bool($Message)) { - Mail_Fetch_Status(htmlspecialchars($pop3->error)); + Mail_Fetch_Status(sm_encode_html_special_chars($pop3->error)); continue; } @@ -297,7 +297,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { $response=(implode('',$response)); $message=(implode('',$message)); if ($response != 'OK') { - Mail_Fetch_Status(_("Error Appending Message!")." ".htmlspecialchars($message) ); + Mail_Fetch_Status(_("Error Appending Message!")." ".sm_encode_html_special_chars($message) ); Mail_Fetch_Status(_("Closing POP")); $pop3->command_quit(); Mail_Fetch_Status(_("Logging out from IMAP")); @@ -316,7 +316,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) { if( $pop3->command_dele($i) ) { Mail_Fetch_Status(sprintf(_("Message %d deleted from remote server!"), $i)); } else { - Mail_Fetch_Status(_("Delete failed:") . htmlspecialchars($pop3->error) ); + Mail_Fetch_Status(_("Delete failed:") . sm_encode_html_special_chars($pop3->error) ); } } } else { diff --git a/plugins/mail_fetch/functions.php b/plugins/mail_fetch/functions.php index 1c4fcd9e..dad03ae4 100644 --- a/plugins/mail_fetch/functions.php +++ b/plugins/mail_fetch/functions.php 
@@ -139,7 +139,7 @@ function mail_fetch_login_function() { $aMsgStat = $pop3->command_stat(); if (is_bool($aMsgStat)) { - $outMsg .= _("Can't get mailbox status:") . ' ' . htmlspecialchars($pop3->error); + $outMsg .= _("Can't get mailbox status:") . ' ' . sm_encode_html_special_chars($pop3->error); continue; } @@ -152,7 +152,7 @@ function mail_fetch_login_function() { if ($mailfetch_lmos == 'on') { $msglist = $pop3->command_uidl(); if (is_bool($msglist)) { - $outMsg .= _("Server does not support UIDL.") . ' '.htmlspecialchars($pop3->error); + $outMsg .= _("Server does not support UIDL.") . ' '.sm_encode_html_special_chars($pop3->error); // User asked to leave messages on server, but we can't do that. $pop3->command_quit(); continue; @@ -191,7 +191,7 @@ function mail_fetch_login_function() { $Message = $pop3->command_retr($i); if (is_bool($Message)) { - $outMsg .= _("Warning:") . ' ' . htmlspecialchars($pop3->error); + $outMsg .= _("Warning:") . ' ' . sm_encode_html_special_chars($pop3->error); continue; } @@ -212,7 +212,7 @@ function mail_fetch_login_function() { $response=(implode('',$response)); $message=(implode('',$message)); if ($response != 'OK') { - $outMsg .= _("Error Appending Message!")." ".htmlspecialchars($message); + $outMsg .= _("Error Appending Message!")." ".sm_encode_html_special_chars($message); if ($mailfetch_lmos == 'on') { setPref($data_dir,$username,"mailfetch_uidl_$i_loop", $msglist[$i-1]); diff --git a/plugins/mail_fetch/options.php b/plugins/mail_fetch/options.php index aaec073d..dc0249a2 100644 --- a/plugins/mail_fetch/options.php +++ b/plugins/mail_fetch/options.php @@ -342,7 +342,7 @@ switch( $mf_action ) { echo '' . _("Server Name:") . ' '. '  '. @@ -368,7 +368,7 @@ switch( $mf_action ) { html_tag( 'td', "" . '' . - '
' . _("Selected Server:") . " " . htmlspecialchars($mailfetch_server_[$mf_sn]) . "
" . + '
' . _("Selected Server:") . " " . sm_encode_html_special_chars($mailfetch_server_[$mf_sn]) . "
" . _("Confirm delete of selected server?") . '

' . '' . '
' , @@ -396,27 +396,27 @@ switch( $mf_action ) { html_tag( 'tr', html_tag( 'th', _("Server:"), 'right' ) . html_tag( 'td', '', 'left' ) + sm_encode_html_special_chars($mailfetch_server_[$mf_sn]) . '" size="40" />', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Port:"), 'right' ) . html_tag( 'td', '', 'left' ) + sm_encode_html_special_chars($mailfetch_port_[$mf_sn]) . '" size="40" />', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Alias:"), 'right' ) . html_tag( 'td', '', 'left' ) + sm_encode_html_special_chars($mailfetch_alias_[$mf_sn]) . '" size="40" />', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Username:"), 'right' ) . html_tag( 'td', '', 'left' ) + sm_encode_html_special_chars($mailfetch_user_[$mf_sn]) . '" size="20" />', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Password:"), 'right' ) . html_tag( 'td', '', 'left' ) + sm_encode_html_special_chars($mailfetch_pass_[$mf_sn]) . '" size="20" />', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Authentication type:"), 'right' ) . diff --git a/plugins/message_details/message_details_bottom.php b/plugins/message_details/message_details_bottom.php index 9f60e634..6d67f074 100644 --- a/plugins/message_details/message_details_bottom.php +++ b/plugins/message_details/message_details_bottom.php @@ -260,7 +260,7 @@ function get_message_details($mailbox, $passed_id, $passed_ent_id=0, $stripHTML= $entities["$entStr"]['contenttype']=$reg[2].'/'.$reg[3]; } } else if (!$nameset && preg_match("/^.*(name=\s*)\"(.*)\".*/i",$line,$reg)) { - $name = htmlspecialchars($reg[2]); + $name = sm_encode_html_special_chars($reg[2]); $content[$content_indx]['name'] = decodeHeader($name); $nameset = true; if (isset($entities["$entStr"])) { 
@@ -285,7 +285,7 @@ function get_message_details($mailbox, $passed_id, $passed_ent_id=0, $stripHTML= if ($stripHTML) { $message_body .= $line . "\r\n"; } else { - $line = htmlspecialchars($line); + $line = sm_encode_html_special_chars($line); if ($msgd_8bit_in_hex) $line = msgd_convert_to_hex($line); $message_body .= "$pre"."$line"."$end"."\r\n"; } diff --git a/plugins/newmail/functions.php b/plugins/newmail/functions.php index 839667aa..b04c23f1 100644 --- a/plugins/newmail/functions.php +++ b/plugins/newmail/functions.php @@ -691,7 +691,7 @@ function newmail_media_embed_close($type) { /** * Converts media attributes to string * Warning: - * * attribute values are automatically sanitized by htmlspecialchars() + * * attribute values are automatically sanitized by sm_encode_html_special_chars() * * This is internal function, use newmail_media_objects() instead * @param array $args array with object attributes * @return string string with object attributes @@ -699,7 +699,7 @@ function newmail_media_embed_close($type) { function newmail_media_prepare_args($args) { $ret_args=''; foreach ($args as $arg => $value) { - $ret_args.= $arg . '="' . htmlspecialchars($value) . '" '; + $ret_args.= $arg . '="' . sm_encode_html_special_chars($value) . '" '; } return $ret_args; } diff --git a/plugins/newmail/newmail_opt.php b/plugins/newmail/newmail_opt.php index 26f43ea9..6b4b67f9 100644 --- a/plugins/newmail/newmail_opt.php +++ b/plugins/newmail/newmail_opt.php @@ -153,8 +153,8 @@ if ($newmail_allowsound) { if ($entry == $newmail_media) { echo 'selected="selected" '; } - echo 'value="' . htmlspecialchars($entry) . '">' . - htmlspecialchars($entry) . "\n"; + echo 'value="' . sm_encode_html_special_chars($entry) . '">' . + sm_encode_html_special_chars($entry) . "\n"; } } $d->close(); 
@@ -165,7 +165,7 @@ if ($newmail_allowsound) { echo 'selected="selected" '; } echo 'value="mmedia_' . $newmail_mm_name . '">' - .htmlspecialchars($newmail_mm_name) . "\n"; + .sm_encode_html_special_chars($newmail_mm_name) . "\n"; } if($newmail_uploadsounds) { @@ -205,7 +205,7 @@ if ($newmail_allowsound) { // display currently uploaded file information echo html_tag('tr') . html_tag('td',_("Uploaded Media File:"),'right','','style="white-space: nowrap;"') - . html_tag('td',($newmail_userfile_name!='' ? htmlspecialchars($newmail_userfile_name) : _("unavailable"))) + . html_tag('td',($newmail_userfile_name!='' ? sm_encode_html_special_chars($newmail_userfile_name) : _("unavailable"))) ."\n"; if ($newmail_userfile_name!='') { @@ -218,8 +218,8 @@ if ($newmail_allowsound) { echo html_tag( 'tr', "\n" . html_tag( 'td', _("Current File:"), 'right', '', 'style="white-space: nowrap;"' ) . html_tag( 'td', '' . - htmlspecialchars($media_output) . '', 'left' ) + sm_encode_html_special_chars($newmail_media) . '" name="media_default" />' . + sm_encode_html_special_chars($media_output) . '', 'left' ) ) . "\n"; } echo html_tag( 'tr', "\n" . diff --git a/plugins/spamcop/options.php b/plugins/spamcop/options.php index 4c9b5a7e..4b983ffd 100755 --- a/plugins/spamcop/options.php +++ b/plugins/spamcop/options.php @@ -143,7 +143,7 @@ spamcop_load_function(); '(' . _("see below") . ')','right','','valign="top"'); ?>
- + \n"; diff --git a/plugins/spamcop/spamcop.php b/plugins/spamcop/spamcop.php index 9c904480..b821ef25 100644 --- a/plugins/spamcop/spamcop.php +++ b/plugins/spamcop/spamcop.php @@ -120,8 +120,8 @@ echo "

"; echo '\n"; } else { ?> - - + + "; } @@ -137,9 +137,9 @@ echo "

"; $form_action = sqm_baseuri() . 'src/compose.php'; ?> - - - + + + @@ -163,7 +163,7 @@ echo "

"; } ?> - + \n"; } diff --git a/plugins/squirrelspell/modules/check_me.mod b/plugins/squirrelspell/modules/check_me.mod index 76ad973c..7f24f705 100644 --- a/plugins/squirrelspell/modules/check_me.mod +++ b/plugins/squirrelspell/modules/check_me.mod @@ -106,7 +106,7 @@ if ($SQSPELL_SPELLCHECKER===1) { */ if (!empty($check->error)) { $msg= '
' - . nl2br(htmlspecialchars($check->error)) + . nl2br(sm_encode_html_special_chars($check->error)) . '' . '
'; @@ -125,7 +125,7 @@ $results = $check->check_text($sqspell_new_text); */ if (!empty($check->error)) { $msg= '
' - . nl2br(htmlspecialchars($check->error)) + . nl2br(sm_encode_html_special_chars($check->error)) . '
' . '
'; @@ -153,7 +153,7 @@ if (is_array($results)) { } } else { if (!empty($check->error)) { - $error_msg = nl2br(htmlspecialchars($check->error)); + $error_msg = nl2br(sm_encode_html_special_chars($check->error)); } else { $error_msg = _("Unknown error"); } diff --git a/plugins/squirrelspell/modules/edit_dic.mod b/plugins/squirrelspell/modules/edit_dic.mod index 8a19bbe3..442b143a 100644 --- a/plugins/squirrelspell/modules/edit_dic.mod +++ b/plugins/squirrelspell/modules/edit_dic.mod @@ -61,9 +61,9 @@ foreach ($langs as $lang) { $msg .= "\n"; } $msg .= "
\n"; + . sm_encode_html_special_chars($lang_words[$j]) . "
\n"; } $msg .= '' . "" diff --git a/plugins/squirrelspell/modules/forget_me.mod b/plugins/squirrelspell/modules/forget_me.mod index 961444f7..7138de8b 100644 --- a/plugins/squirrelspell/modules/forget_me.mod +++ b/plugins/squirrelspell/modules/forget_me.mod @@ -40,7 +40,7 @@ if (! empty($words_ary)){ // print list of deleted words foreach ($words_ary as $deleted_word) { - $msg.= '
  • '.htmlspecialchars($deleted_word)."
  • \n"; + $msg.= '
  • '.sm_encode_html_special_chars($deleted_word)."
  • \n"; } // rebuild dictionary diff --git a/plugins/squirrelspell/modules/lang_change.mod b/plugins/squirrelspell/modules/lang_change.mod index 75b9f358..b1a40b03 100644 --- a/plugins/squirrelspell/modules/lang_change.mod +++ b/plugins/squirrelspell/modules/lang_change.mod @@ -42,7 +42,7 @@ foreach ($use_langs as $lang) { if (sizeof($new_langs)>1) { $dsp_string = ''; foreach( $new_langs as $a) { - $dsp_string .= _(htmlspecialchars(trim($a))) . _(", "); + $dsp_string .= _(sm_encode_html_special_chars(trim($a))) . _(", "); } // remove last comma and space $dsp_string = substr( $dsp_string, 0, -2 ); @@ -52,15 +52,15 @@ if (sizeof($new_langs)>1) { // make sure that you don't use html codes in language name translations $msg = '

    ' . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), - ''.htmlspecialchars($dsp_string).'', - ''.htmlspecialchars(_($lang_default)).'') + ''.sm_encode_html_special_chars($dsp_string).'', + ''.sm_encode_html_special_chars(_($lang_default)).'') . '

    '; } else { /** * Only one dictionary is selected. */ $msg = '

    ' - . sprintf(_("Using %s dictionary for spellcheck." ), ''.htmlspecialchars(_($new_langs[0])).'') + . sprintf(_("Using %s dictionary for spellcheck." ), ''.sm_encode_html_special_chars(_($new_langs[0])).'') . '

    '; } diff --git a/plugins/squirrelspell/sqspell_functions.php b/plugins/squirrelspell/sqspell_functions.php index 98cb00a7..2a843d87 100644 --- a/plugins/squirrelspell/sqspell_functions.php +++ b/plugins/squirrelspell/sqspell_functions.php @@ -849,12 +849,12 @@ function sqspell_handle_crypt_panic($lang=false) { . _("SquirrelSpell was unable to decrypt your personal dictionary. This is most likely due to the fact that you have changed your mailbox password. In order to proceed, you will have to supply your old password so that SquirrelSpell can decrypt your personal dictionary. It will be re-encrypted with your new password after this. If you haven't encrypted your dictionary, then it got mangled and is no longer valid. You will have to delete it and start anew. This is also true if you don't remember your old password -- without it, the encrypted data is no longer accessible.") , 'left' ) . "\n" . (($lang) ? html_tag('p',sprintf(_("Your %s dictionary is encrypted with password that differs from your current password."), - htmlspecialchars($lang)),'left') : '') + sm_encode_html_special_chars($lang)),'left') : '') . '
    ' . "\n" . '
    ' . "\n" . '' . "\n" . (($lang) ? - '' : + '' : '') . html_tag( 'p', "\n" . '' diff --git a/plugins/translate/functions.php b/plugins/translate/functions.php index f17f7a12..c515cdd4 100644 --- a/plugins/translate/functions.php +++ b/plugins/translate/functions.php @@ -456,7 +456,7 @@ function translate_new_form($action,$charset=null) { } if (! is_null($charset)) - echo ' accept-charset="'.htmlspecialchars($charset).'"'; + echo ' accept-charset="'.sm_encode_html_special_chars($charset).'"'; echo ">\n"; diff --git a/src/addrbook_search.php b/src/addrbook_search.php index 75c41a58..30f6f23b 100644 --- a/src/addrbook_search.php +++ b/src/addrbook_search.php @@ -70,7 +70,7 @@ set_my_charset(); /* Empty search */ if (empty($query) && empty($show) && !isset($listall)) { - $oTemplate->assign('note', htmlspecialchars(_("No persons matching your search were found"))); + $oTemplate->assign('note', sm_encode_html_special_chars(_("No persons matching your search were found"))); $oTemplate->display('note.tpl'); # exit; } @@ -125,7 +125,7 @@ if ($show == 'form' && ! isset($listall)) { } if (!is_array($res)) { - plain_error_message( _("Your search failed with the following error(s)") .':
    '. nl2br(htmlspecialchars($abook->error)) ); + plain_error_message( _("Your search failed with the following error(s)") .':
    '. nl2br(sm_encode_html_special_chars($abook->error)) ); } elseif (sizeof($res) == 0) { $oTemplate->assign('note', _("No persons matching your search were found")); $oTemplate->display('note.tpl'); diff --git a/src/addrbook_search_html.php b/src/addrbook_search_html.php index b1b97e1b..a9bd6c87 100644 --- a/src/addrbook_search_html.php +++ b/src/addrbook_search_html.php @@ -157,7 +157,7 @@ if ($addrquery == '' || ! empty($listall)) { } if (!is_array($res)) { - plain_error_message(_("Your search failed with the following error(s)") .':
    '. nl2br(htmlspecialchars($abook->error))); + plain_error_message(_("Your search failed with the following error(s)") .':
    '. nl2br(sm_encode_html_special_chars($abook->error))); } elseif (sizeof($res) == 0) { $oTemplate->assign('note', _("No persons matching your search were found")); $oTemplate->display('note.tpl'); diff --git a/src/addressbook.php b/src/addressbook.php index 75a337a1..d5081261 100644 --- a/src/addressbook.php +++ b/src/addressbook.php @@ -233,7 +233,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P $olddata = $abook->lookup($enick, $ebackend); // Test if $olddata really contains anything and return an error message if it doesn't if (!$olddata) { - error_box(nl2br(htmlspecialchars($abook->error))); + error_box(nl2br(sm_encode_html_special_chars($abook->error))); } else { /* Display the "new address" form */ echo abook_create_form($form_url, 'editaddr', @@ -255,7 +255,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P /* Handle error messages */ if (!$r) { /* Display error */ - plain_error_message( nl2br(htmlspecialchars($abook->error))); + plain_error_message( nl2br(sm_encode_html_special_chars($abook->error))); /* Display the "new address" form again */ echo abook_create_form($form_url, 'editaddr', @@ -299,7 +299,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P /* Display error messages */ if (!empty($formerror)) { - plain_error_message(nl2br(htmlspecialchars($formerror))); + plain_error_message(nl2br(sm_encode_html_special_chars($formerror))); } @@ -326,7 +326,7 @@ while (list($k, $backend) = each ($abook->backends)) { $addresses[$backend->bnum] = $a; } else { // list_addr() returns boolean - plain_error_message(nl2br(htmlspecialchars($abook->error))); + plain_error_message(nl2br(sm_encode_html_special_chars($abook->error))); } } else { $addresses[$backend->bnum] = $a; diff --git a/src/compose.php b/src/compose.php index 23c47c06..88a8c29f 100644 --- a/src/compose.php +++ b/src/compose.php 
@@ -1346,10 +1346,10 @@ function showInputForm ($session, $values=false) { $oTemplate->assign('identity_def', $identity); $oTemplate->assign('input_onfocus', 'onfocus="'.join(' ', $onfocus_array).'"'); - $oTemplate->assign('to', htmlspecialchars($send_to)); - $oTemplate->assign('cc', htmlspecialchars($send_to_cc)); - $oTemplate->assign('bcc', htmlspecialchars($send_to_bcc)); - $oTemplate->assign('subject', htmlspecialchars($subject)); + $oTemplate->assign('to', sm_encode_html_special_chars($send_to)); + $oTemplate->assign('cc', sm_encode_html_special_chars($send_to_cc)); + $oTemplate->assign('bcc', sm_encode_html_special_chars($send_to_bcc)); + $oTemplate->assign('subject', sm_encode_html_special_chars($subject)); // access keys... // @@ -1385,9 +1385,9 @@ function showInputForm ($session, $values=false) { } else { $body_str = "\n\n".($prefix_sig==true? "-- \n":'').decodeHeader($signature,false,false); } - $body_str .= "\n\n".htmlspecialchars(decodeHeader($body,false,false)); + $body_str .= "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false)); } else { - $body_str = "\n\n".htmlspecialchars(decodeHeader($body,false,false)); + $body_str = "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false)); // FIXME: test is specific to ja_JP translation implementation. See above comments. if ($default_charset == 'iso-2022-jp') { $body_str .= "\n\n".($prefix_sig==true? "-- \n":'').mb_convert_encoding($signature, 'EUC-JP'); @@ -1396,7 +1396,7 @@ function showInputForm ($session, $values=false) { } } } else { - $body_str = htmlspecialchars(decodeHeader($body,false,false)); + $body_str = sm_encode_html_special_chars(decodeHeader($body,false,false)); } $oTemplate->assign('editor_width', (int)$editor_size); @@ -1811,7 +1811,7 @@ function deliverMessage(&$composeMessage, $draft=false) { $composeMessage->purgeAttachments(); return $success; } else { - $msg = '
    '.sprintf(_("Error: Draft folder %s does not exist."), htmlspecialchars($draft_folder)); + $msg = '
    '.sprintf(_("Error: Draft folder %s does not exist."), sm_encode_html_special_chars($draft_folder)); plain_error_message($msg); return false; } @@ -1832,7 +1832,7 @@ function deliverMessage(&$composeMessage, $draft=false) { $msg .= '
    ' . _("Server replied:") . ' ' . (isset($deliver->dlv_ret_nr) ? $deliver->dlv_ret_nr . ' ' : '') - . nl2br(htmlspecialchars($deliver->dlv_server_msg)); + . nl2br(sm_encode_html_special_chars($deliver->dlv_server_msg)); } plain_error_message($msg); } else { diff --git a/src/configtest.php b/src/configtest.php index 36dfaced..ede53d58 100644 --- a/src/configtest.php +++ b/src/configtest.php @@ -267,7 +267,7 @@ else if (strpos($variables_order, 'G') === FALSE || strpos($variables_order, 'P') === FALSE || strpos($variables_order, 'C') === FALSE || strpos($variables_order, 'S') === FALSE) { - do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . htmlspecialchars($variables_order) . '"', true); + do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . sm_encode_html_special_chars($variables_order) . '"', true); } else { echo $IND . "variables_order OK: $variables_order.
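Review bot: `$deliver->dlv_ret_nr` is still concatenated into `$msg` unencoded on the context line just above the changed one, while `dlv_server_msg` from the same server reply is now encoded; the `SendMDN` hunk of src/read_body.php has the same pattern. The return number is presumably numeric, but it originates in the remote server's response, so it should get the same treatment: `(isset($deliver->dlv_ret_nr) ? sm_encode_html_special_chars($deliver->dlv_ret_nr) . ' ' : '')`. deliverMessage's body starts and ends outside the hunk.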
    \n"; } @@ -283,7 +283,7 @@ if (!check_php_version(5)) { else if (strpos($gpc_order, 'G') === FALSE || strpos($gpc_order, 'P') === FALSE || strpos($gpc_order, 'C') === FALSE) { - do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . htmlspecialchars($gpc_order) . '"', true); + do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . sm_encode_html_special_chars($gpc_order) . '"', true); } else { echo $IND . "gpc_order OK: $gpc_order.
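Review bot: The success branch of the same `if` still interpolates `$variables_order` raw into the echoed markup, whereas the error branch now encodes it; the `-283` hunk does the same with `$gpc_order`. Both are ini settings under operator control, so the exposure is low, but the inconsistency is confusing and costs nothing to remove: replace `$variables_order` inside the double-quoted string with `" . sm_encode_html_special_chars($variables_order) . "`, and likewise for `$gpc_order`.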
    \n"; } @@ -479,7 +479,7 @@ if (isset($plugins[0])) { // if plugin outputs more than newlines and spacing, stop script execution. if (!empty($output)) { - $plugin_load_error = 'Some output was produced when plugin ' . $name . ' was loaded. Usually this means there is an error in the plugin\'s setup or configuration file. The output was: '.htmlspecialchars($output); + $plugin_load_error = 'Some output was produced when plugin ' . $name . ' was loaded. Usually this means there is an error in the plugin\'s setup or configuration file. The output was: '.sm_encode_html_special_chars($output); do_err($plugin_load_error); } } @@ -588,9 +588,9 @@ if ( $squirrelmail_default_language != 'en_US' ) { echo $IND . "Default language OK.
    \n"; } -echo $IND . "Base URL detected as: " . htmlspecialchars($test_location) . +echo $IND . "Base URL detected as: " . sm_encode_html_special_chars($test_location) . " (location base " . (empty($config_location_base) ? 'autodetected' : 'set to ' . - htmlspecialchars($config_location_base)."") . ")
    \n"; + sm_encode_html_special_chars($config_location_base)."
    ") . ")
    \n"; /* check minimal requirements for other security options */ @@ -635,14 +635,14 @@ if($useSendmail) { $errorNumber, $errorString); if(!$stream) { do_err("Error connecting to SMTP server \"$smtpServerAddress:$smtpPort\".". - "Server error: ($errorNumber) ".htmlspecialchars($errorString)); + "Server error: ($errorNumber) ".sm_encode_html_special_chars($errorString)); } // check for SMTP code; should be 2xx to allow us access $smtpline = fgets($stream, 1024); if(((int) $smtpline{0}) > 3) { do_err("Error connecting to SMTP server. Server error: ". - htmlspecialchars($smtpline)); + sm_encode_html_special_chars($smtpline)); } /* smtp starttls checks */ @@ -694,7 +694,7 @@ if($useSendmail) { $starttls_response=fgets($stream, 1024); if ($starttls_response[0]!=2) { $starttls_cmd_err = 'SMTP STARTTLS failed. Server replied: ' - .htmlspecialchars($starttls_response); + .sm_encode_html_special_chars($starttls_response); do_err($starttls_cmd_err); } elseif(! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) { do_err('Failed to enable encryption on SMTP STARTTLS connection.'); @@ -707,7 +707,7 @@ if($useSendmail) { fputs($stream, 'QUIT'); fclose($stream); echo $IND . 'SMTP server OK ('. - trim(htmlspecialchars($smtpline)).")
    \n"; + trim(sm_encode_html_special_chars($smtpline)).")
    \n"; /* POP before SMTP */ if($pop_before_smtp) { @@ -715,13 +715,13 @@ if($useSendmail) { $stream = fsockopen($pop_before_smtp_host, 110, $err_no, $err_str); if (!$stream) { do_err("Error connecting to POP Server ($pop_before_smtp_host:110) " - . $err_no . ' : ' . htmlspecialchars($err_str)); + . $err_no . ' : ' . sm_encode_html_special_chars($err_str)); } $tmp = fgets($stream, 1024); if (substr($tmp, 0, 3) != '+OK') { do_err("Error connecting to POP Server ($pop_before_smtp_host:110)" - . ' '.htmlspecialchars($tmp)); + . ' '.sm_encode_html_special_chars($tmp)); } fputs($stream, 'QUIT'); fclose($stream); @@ -740,18 +740,18 @@ $stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress, $imapPor if(!$stream) { do_err("Error connecting to IMAP server \"$imapServerAddress:$imapPort\".". "Server error: ($errorNumber) ". - htmlspecialchars($errorString)); + sm_encode_html_special_chars($errorString)); } /** Is the first response 'OK'? */ $imapline = fgets($stream, 1024); if(substr($imapline, 0,4) != '* OK') { do_err('Error connecting to IMAP server. Server error: '. - htmlspecialchars($imapline)); + sm_encode_html_special_chars($imapline)); } echo $IND . 'IMAP server ready ('. - htmlspecialchars(trim($imapline)).")
    \n"; + sm_encode_html_special_chars(trim($imapline)).")
    \n"; /** Check capabilities */ fputs($stream, "A001 CAPABILITY\r\n"); @@ -773,7 +773,7 @@ if ($use_imap_tls===2 && stristr($capline, 'STARTTLS') === false) { $starttls_line=fgets($stream, 1024); if (! preg_match("/^A002 OK.*/i",$starttls_line)) { $imap_starttls_err = 'IMAP STARTTLS failed. Server replied: ' - .htmlspecialchars($starttls_line); + .sm_encode_html_special_chars($starttls_line); do_err($imap_starttls_err); } elseif (! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) { do_err('Failed to enable encryption on IMAP connection.'); @@ -793,7 +793,7 @@ if ($use_imap_tls===2 && stristr($capline, 'STARTTLS') === false) { } } -echo $IND . 'Capabilities: '.htmlspecialchars($capline)."
    \n"; +echo $IND . 'Capabilities: '.sm_encode_html_special_chars($capline)."
    \n"; if($imap_auth_mech == 'login' && stristr($capline, 'LOGINDISABLED') !== FALSE) { do_err('Your server doesn\'t allow plaintext logins. '. @@ -854,7 +854,7 @@ if (function_exists('gettext')) { $display_locale = $setlocale; $locale_count = 1; } - $tested_locales_msg = 'Tested '.htmlspecialchars($display_locale).' ' + $tested_locales_msg = 'Tested '.sm_encode_html_special_chars($display_locale).' ' .($locale_count>1 ? 'locales':'locale'). '.'; echo $IND . $IND .$IND . $lang_data['NAME'].' (' .$lang_code. ') - '; @@ -865,7 +865,7 @@ if (function_exists('gettext')) { } else { echo 'supported. ' .$tested_locales_msg - .' setlocale() returned "'.htmlspecialchars($retlocale).'"'; + .' setlocale() returned "'.sm_encode_html_special_chars($retlocale).'"'; } echo "
    \n"; } @@ -918,7 +918,7 @@ if ( (!ini_get('safe_mode')) || function_exists('date_default_timezone_set') || echo "Webmail users can't change their time zone settings. \n"; } if (isset($_ENV['TZ'])) { - echo 'Default time zone is '.htmlspecialchars($_ENV['TZ']); + echo 'Default time zone is '.sm_encode_html_special_chars($_ENV['TZ']); } else { echo 'Current time zone is '.date('T'); } @@ -977,7 +977,7 @@ if($addrbook_dsn || $prefs_dsn || $addrbook_global_dsn) { $dbh = DB::connect($dsn, true); if (DB::isError($dbh)) { - do_err('Database error: '. htmlspecialchars(DB::errorMessage($dbh)) . + do_err('Database error: '. sm_encode_html_special_chars(DB::errorMessage($dbh)) . ' in ' .$type .' DSN.'); } $dbh->disconnect(); diff --git a/src/folders.php b/src/folders.php index cd6438a7..1a1f402d 100644 --- a/src/folders.php +++ b/src/folders.php @@ -112,7 +112,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) { } if (isset($td_str)) { - $oTemplate->assign('note', htmlspecialchars($td_str)); + $oTemplate->assign('note', sm_encode_html_special_chars($td_str)); $oTemplate->display('note.tpl'); } @@ -197,8 +197,8 @@ if ($show_only_subscribed_folders && !$no_list_for_subscribe) { } if ($use_folder) { - $box_enc = htmlspecialchars($box_a['unformatted-dm']); - $box_disp = htmlspecialchars(imap_utf7_decode_local($box_a['unformatted-disp'])); + $box_enc = sm_encode_html_special_chars($box_a['unformatted-dm']); + $box_disp = sm_encode_html_special_chars(imap_utf7_decode_local($box_a['unformatted-disp'])); $subbox_option_list[] = array( 'Value' => $box_enc, 'Display' => $box_disp); } } diff --git a/src/login.php b/src/login.php index 9a7a6814..8a8c7458 100644 --- a/src/login.php +++ b/src/login.php 
@@ -63,7 +63,7 @@ $username_form_name = 'login_username'; $password_form_name = 'secretkey'; do_hook('login_cookie', $null); -$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? htmlspecialchars($loginname) : ''); +$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? sm_encode_html_special_chars($loginname) : ''); //FIXME: should be part of the template, not the core! /* Output the javascript onload function. */ diff --git a/src/options_highlight.php b/src/options_highlight.php index 55e1a32d..a1c6a545 100644 --- a/src/options_highlight.php +++ b/src/options_highlight.php @@ -124,10 +124,10 @@ $rules = array(); foreach($message_highlight_list as $index=>$rule) { $a = array(); - $a['Name'] = htmlspecialchars($rule['name']); + $a['Name'] = sm_encode_html_special_chars($rule['name']); $a['Color'] = $rule['color']; $a['MatchField'] = ''; - $a['MatchValue'] = htmlspecialchars($rule['value']); + $a['MatchValue'] = sm_encode_html_special_chars($rule['value']); switch ($rule['match_type']) { case 'from' : $a['MatchField'] = _("From"); diff --git a/src/options_identities.php b/src/options_identities.php index f463e10f..92a4600d 100644 --- a/src/options_identities.php +++ b/src/options_identities.php @@ -80,10 +80,10 @@ foreach ($identities as $key=>$ident) { $a['Title'] = $key==0 ? _("Default Identity") : sprintf(_("Alternate Identity %d"), $key); $a['New'] = false; $a['Default'] = $key==0; - $a['FullName'] = htmlspecialchars($ident['full_name']); - $a['Email'] = htmlspecialchars($ident['email_address']); - $a['ReplyTo'] = htmlspecialchars($ident['reply_to']); - $a['Signature'] = htmlspecialchars($ident['signature']); + $a['FullName'] = sm_encode_html_special_chars($ident['full_name']); + $a['Email'] = sm_encode_html_special_chars($ident['email_address']); + $a['ReplyTo'] = sm_encode_html_special_chars($ident['reply_to']); + $a['Signature'] = sm_encode_html_special_chars($ident['signature']); $i[$key] = $a; } 
@@ -195,7 +195,7 @@ function ShowIdentityInfo($title, $identity, $id ) { * Creates html formated table row with input field * @param string $title Name displayed next to input field * @param string $name Name of input field - * @param string $data Default value of input field (data is sanitized with htmlspecialchars) + * @param string $data Default value of input field (data is sanitized with sm_encode_html_special_chars) * @param string $bgcolor html attributes added to row element (tr) * @return string html formated table row with text input field * @since 1.2.0 (arguments differ since 1.4.5/1.5.1) @@ -207,7 +207,7 @@ function sti_input( $title, $name, $data, $bgcolor ) { $str = ''; $str .= '\n"; $str .= ' ' . $title . ' ' . "\n"; - $str .= ' ' . "\n"; + $str .= ' ' . "\n"; $str .= ''; return $str; @@ -218,7 +218,7 @@ function sti_input( $title, $name, $data, $bgcolor ) { * Creates html formated table row with textarea field * @param string $title Name displayed next to textarea field * @param string $name Name of textarea field - * @param string $data Default value of textarea field (data is sanitized with htmlspecialchars) + * @param string $data Default value of textarea field (data is sanitized with sm_encode_html_special_chars) * @param string $bgcolor html attributes added to row element (tr) * @return string html formated table row with textarea * @since 1.2.5 (arguments differ since 1.4.5/1.5.1) @@ -230,7 +230,7 @@ function sti_textarea( $title, $name, $data, $bgcolor ) { $str = ''; $str .= '\n"; $str .= ' ' . $title . ' ' . "\n"; - $str .= ' ' . "\n"; + $str .= ' ' . "\n"; $str .= ''; return $str; diff --git a/src/options_order.php b/src/options_order.php index b34c6351..a00860a2 100644 --- a/src/options_order.php +++ b/src/options_order.php 
@@ -31,7 +31,7 @@ if (sqgetGlobalVar('num', $num, SQ_GET)) { if (!sqgetGlobalVar('method', $method)) { $method = ''; } else { - $method = htmlspecialchars($method); + $method = sm_encode_html_special_chars($method); } if (!sqgetGlobalVar('positions', $pos, SQ_GET)) { $pos = 0; diff --git a/src/read_body.php b/src/read_body.php index fdc94730..63e4b448 100644 --- a/src/read_body.php +++ b/src/read_body.php @@ -273,7 +273,7 @@ function SendMDN ( $mailbox, $passed_id, $message, $imapConnection) { if (! empty($deliver->dlv_server_msg)) { $msg.= "\n" . _("Server replied:") . ' ' . $deliver->dlv_ret_nr . ' ' . - nl2br(htmlspecialchars($deliver->dlv_server_msg)); + nl2br(sm_encode_html_special_chars($deliver->dlv_server_msg)); } plain_error_message($msg); } else { @@ -358,7 +358,7 @@ function formatRecipientString($recipients, $item ) { $a[] = array( // note: decodeHeader is htmlsafe by default 'Name' => decodeHeader($r->getAddress(false)), - 'Email' => htmlspecialchars($r->getEmail()), + 'Email' => sm_encode_html_special_chars($r->getEmail()), 'Full' => decodeHeader($r->getAddress(true)) ); } diff --git a/src/right_main.php b/src/right_main.php index 05ad7eb4..d4622f41 100644 --- a/src/right_main.php +++ b/src/right_main.php @@ -319,7 +319,7 @@ if (isset($mail_sent) && $mail_sent == 'yes') { $note = _("Your mail has been sent."); } if (isset($note)) { - $oTemplate->assign('note', htmlspecialchars($note)); + $oTemplate->assign('note', sm_encode_html_special_chars($note)); $oTemplate->display('note.tpl'); } diff --git a/src/search.php b/src/search.php index 0b642bcb..e6dfe116 100644 --- a/src/search.php +++ b/src/search.php 
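Review bot: In the src/options_order.php hunk `$method` is HTML-encoded at the point it is read from the request, so every later comparison or dispatch on it sees the encoded form and any non-HTML use of it (a redirect URL, a log line) carries HTML entities. Validate the raw value against the set of method names this script accepts and encode only where it is written into HTML, e.g. `$method = in_array($method, $known_methods, true) ? $method : '';` where `$known_methods` is a placeholder for that list (not visible in this chunk). The surrounding top-level code continues outside the hunk.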
@@ -580,7 +580,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno $cur_mailbox = 'INBOX'; $biop = asearch_nz($biop_array[$crit_num]); if (($query_display == '') || ($cur_mailbox != $last_mailbox)) { - $mailbox_display = ' ' . htmlspecialchars(asearch_get_mailbox_display($cur_mailbox)) . ''; + $mailbox_display = ' ' . sm_encode_html_special_chars(asearch_get_mailbox_display($cur_mailbox)) . ''; if ($query_display == '') $biop_display = _("In"); else @@ -606,7 +606,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno if ($what_type == 'adate') $what_display = asearch_get_date_display($what); else - $what_display = htmlspecialchars($what); + $what_display = sm_encode_html_special_chars($what); $what_display = ' ' . $what_display . ''; } } @@ -782,7 +782,7 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra # Build the mailbox array $a = array(); if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) { - $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox)); + $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox)); } $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']'; $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL)); 
@@ -841,7 +841,7 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio # Build the mailbox array $a = array(); if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) { - $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox)); + $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox)); } $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']'; $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL)); @@ -862,7 +862,7 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio $oTemplate->assign('unary_options', $imap_asearch_unops); $oTemplate->assign('where_options', $imap_asearch_options); - $oTemplate->assign('mailbox_sel', strtolower(htmlspecialchars($mailbox))); + $oTemplate->assign('mailbox_sel', strtolower(sm_encode_html_special_chars($mailbox))); $oTemplate->assign('unary_sel', $unop); $oTemplate->assign('where_sel', $where); $oTemplate->assign('what_val', $what); @@ -1618,7 +1618,7 @@ if ($submit == $search_button_text) { $mailbox_display = imap_utf7_decode_local($mbx); } - $oTemplate->assign('mailbox_name', htmlspecialchars($mailbox_display)); + $oTemplate->assign('mailbox_name', sm_encode_html_special_chars($mailbox_display)); $oTemplate->display('search_result_mailbox.tpl'); $oTemplate->assign('page_selector', $page_selector); diff --git a/src/vcard.php b/src/vcard.php index cafe6017..c990d143 100644 --- a/src/vcard.php +++ b/src/vcard.php 
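Review bot: In the `-862` hunk of asearch_print_form_basic, `what_val` is assigned the raw `$what` two lines below the changed one, while `mailbox_sel` on the changed line is encoded; `$what` is user-entered search text. Which side is responsible for escaping it is not visible here: either the search template encodes `what_val` itself, or this assignment should read `$oTemplate->assign('what_val', sm_encode_html_special_chars($what));` like its neighbours. If the template is responsible, record that at the assignment: `// raw on purpose: the search form template encodes what_val`. The function's body continues outside the hunk.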
@@ -86,7 +86,7 @@ if ($vcard_nice['version'] == '2.1') { $vcard_nice['email;internet'] = $vcard_nice['email;pref;internet']; } } else { - $oTemplate->assign('note', sprintf(_("vCard Version %s is not supported. Some information might not be converted correctly."), htmlspecialchars($vcard_nice['version']))); + $oTemplate->assign('note', sprintf(_("vCard Version %s is not supported. Some information might not be converted correctly."), sm_encode_html_special_chars($vcard_nice['version']))); $oTemplate->display('note.tpl'); $vcard_nice['firstname'] = ''; @@ -94,7 +94,7 @@ if ($vcard_nice['version'] == '2.1') { } foreach ($vcard_nice as $k => $v) { - $v = htmlspecialchars($v); + $v = sm_encode_html_special_chars($v); $v = trim($v); $vcard_safe[$k] = trim(nl2br($v)); } diff --git a/src/view_header.php b/src/view_header.php index fe6e8aa4..1eac2dfc 100644 --- a/src/view_header.php +++ b/src/view_header.php @@ -39,7 +39,7 @@ function parse_viewheader($imapConnection,$id, $passed_ent_id) { } $cnum = 0; for ($i=1; $i < count($read); $i++) { - $line = htmlspecialchars($read[$i]); + $line = sm_encode_html_special_chars($read[$i]); switch (true) { case (preg_match('/^>/i', $line)): $second[$i] = $line; diff --git a/templates/default/addrbook_addedit.tpl b/templates/default/addrbook_addedit.tpl index 87f03ec3..54d19d0f 100644 --- a/templates/default/addrbook_addedit.tpl +++ b/templates/default/addrbook_addedit.tpl @@ -61,8 +61,8 @@ $formname = $edit ? 'editaddr' : 'addaddr'; if (is_array($values['Email'])) { echo ''."\n"; } else { @@ -107,10 +107,10 @@ $formname = $edit ? 'editaddr' : 'addaddr'; diff --git a/templates/default/addressbook_search_form.tpl b/templates/default/addressbook_search_form.tpl index e50e1d90..f0149fcb 100644 --- a/templates/default/addressbook_search_form.tpl +++ b/templates/default/addressbook_search_form.tpl @@ -47,7 +47,7 @@ extract($t); diff --git a/templates/default/input.tpl b/templates/default/input.tpl index 07aa8224..4bf9109f 100644 
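Review bot: In the src/view_header.php hunk the line is encoded before the `switch`, so the `case (preg_match('/^>/i', $line))` that follows can never match: a header line starting with `>` begins with `&gt;` after encoding. This predates the commit (htmlspecialchars() behaved the same) and a later case may already test for `&gt;`, but since the line is being touched it is worth fixing by keeping the raw line for the tests: `$raw = $read[$i]; $line = sm_encode_html_special_chars($raw);` and matching on `$raw`. parse_viewheader's body continues outside the hunk.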
--- a/templates/default/input.tpl +++ b/templates/default/input.tpl @@ -28,8 +28,8 @@ extract($t); echo ' $value) { -//TODO: see the FIXME tag on line 68 of functions/forms.php - the htmlspecialchars() below should be migrated to the template class - echo ' ' . $key . (is_null($value) ? '' : '="' . htmlspecialchars($value) . '"'); +//TODO: see the FIXME tag on line 68 of functions/forms.php - the sm_encode_html_special_chars() below should be migrated to the template class + echo ' ' . $key . (is_null($value) ? '' : '="' . sm_encode_html_special_chars($value) . '"'); } echo ' />'; diff --git a/templates/default/options_order.tpl b/templates/default/options_order.tpl index edbc0898..a35a38f7 100644 --- a/templates/default/options_order.tpl +++ b/templates/default/options_order.tpl @@ -71,7 +71,7 @@ extract($t); diff --git a/templates/default_advanced/options_order.tpl b/templates/default_advanced/options_order.tpl index ce61bab5..ffc7a343 100644 --- a/templates/default_advanced/options_order.tpl +++ b/templates/default_advanced/options_order.tpl @@ -74,7 +74,7 @@ extract($t); foreach ($not_used as $field_id=>$name) { echo "\n" . "".getIcon($icon_theme_path, 'plus.png', _("Add"), _("Add"))."\n" . - "".htmlspecialchars($name)."\n" . + "".sm_encode_html_special_chars($name)."\n" . "\n"; } ?> diff --git a/templates/util_addressbook.php b/templates/util_addressbook.php index 3755604b..7ff05434 100644 --- a/templates/util_addressbook.php +++ b/templates/util_addressbook.php @@ -22,7 +22,7 @@ function composeLink ($row) { return makeComposeLink('src/compose.php?send_to=' . rawurlencode($row['RawFullAddress']), - htmlspecialchars($row['Email'])); + sm_encode_html_special_chars($row['Email'])); } /** 
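Review bot: In the templates/default/input.tpl hunk the attribute name `$key` is concatenated into the tag unencoded while only `$value` is encoded; that is safe only as long as callers never derive attribute names from request data, which the template itself cannot enforce. A comment recording that assumption keeps it visible: `// $key is assumed to be a program-supplied attribute name; only $value is encoded here`. Separately, the TODO points at "line 68 of functions/forms.php", a reference that drifts with every edit of that file; naming the function that carries the FIXME is more durable.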
@@ -41,17 +41,17 @@ function formatAddressList ($addresses) {
 $contacts = array();
 while(list($undef,$row) = each($addresses)) {
 $contact = array (
- 'FirstName' => htmlspecialchars($row['firstname']),
- 'LastName' => htmlspecialchars($row['lastname']),
- 'FullName' => htmlspecialchars($row['name']),
- 'NickName' => htmlspecialchars($row['nickname']),
- 'Email' => htmlspecialchars($row['email']),
- 'FullAddress' => htmlspecialchars(AddressBook::full_address($row)),
+ 'FirstName' => sm_encode_html_special_chars($row['firstname']),
+ 'LastName' => sm_encode_html_special_chars($row['lastname']),
+ 'FullName' => sm_encode_html_special_chars($row['name']),
+ 'NickName' => sm_encode_html_special_chars($row['nickname']),
+ 'Email' => sm_encode_html_special_chars($row['email']),
+ 'FullAddress' => sm_encode_html_special_chars(AddressBook::full_address($row)),
 'RawFullAddress' => AddressBook::full_address($row),
- 'Info' => htmlspecialchars($row['label']),
+ 'Info' => sm_encode_html_special_chars($row['label']),
 'Extra' => (isset($row['extra']) ? $row['extra'] : NULL),
- 'Source' => htmlspecialchars($row['source']),
- 'JSEmail' => htmlspecialchars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES),
+ 'Source' => sm_encode_html_special_chars($row['source']),
+ 'JSEmail' => sm_encode_html_special_chars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES),
 );
 $contacts[] = $contact;
 }
diff --git a/templates/util_read.php b/templates/util_read.php
index c285c750..6500633b 100644
--- a/templates/util_read.php
+++ b/templates/util_read.php
@@ -15,7 +15,7 @@ * Return a string representing the priority of a message */ function priorityStr($p) {
- return htmlspecialchars(getPriorityStr($p));
+ return sm_encode_html_special_chars(getPriorityStr($p));
 } ?>
\ No newline at end of file
-- 
2.25.1
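Review bot: The `JSEmail` line passes `ENT_QUOTES` as a second argument to sm_encode_html_special_chars(), whose signature is not visible in this chunk; the wrapper must accept and forward that flags argument, otherwise the single quote in the address, which addcslashes() only backslash-escapes for the JavaScript string, stays unencoded in the enclosing HTML attribute and the behaviour changes silently. Worth checking that the helper's parameter list mirrors htmlspecialchars() so every remaining call site that passes flags keeps its meaning. If the helper also pins the charset to ISO-8859-1 to restore pre-5.4 behaviour, address-book names in multibyte charsets are passed through byte-wise without validation; a one-line comment on the `FullAddress` line recording that, such as `// encoded byte-wise (no charset validation); see the helper for the charset it assumes`, helps whoever revisits charset handling.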