From 607428ac12cc15ad782738b2fcb4a1e366a1f5e9 Mon Sep 17 00:00:00 2001 From: tokul Date: Sun, 8 Jan 2006 17:28:12 +0000 Subject: [PATCH] #1291081. Undo encoding of line feeds in calendar data. Code still need fixes because htmlspecialchars should not be used on $calendar data. Only functions that output data should do sanitizing. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10527 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- plugins/calendar/calendar_data.php | 32 ++++++++++++++++++++++++++++-- plugins/calendar/day.php | 2 +- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/plugins/calendar/calendar_data.php b/plugins/calendar/calendar_data.php index 1ae6ff62..7128841d 100644 --- a/plugins/calendar/calendar_data.php +++ b/plugins/calendar/calendar_data.php @@ -19,6 +19,34 @@ * $calendardata[date][time] = array(length,priority,title,message); */ $calendardata = array(); +/** + * Reads multilined calendar data + * + * Plugin stores multiline texts converted to single line with PHP nl2br(). + * Function undoes nl2br() conversion and sanitizes data with htmlspecialchars(). + * @param string $string calendar string + * @return string calendar string converted to multiline text + * @since 1.5.1 + */ +function calendar_readmultiline($string) { + // replace html line breaks with ASCII line feeds + $string = str_replace(array('
','
'),array("\n","\n"),$string); + // FIXME: don't sanitize data. Storage backend should not care about html data safety + $string = htmlspecialchars($string,ENT_NOQUOTES); + return $string; +} + +/** + * Callback function used to sanitize calendar data before saving it to file + * @param string $sValue array value + * @param string $sKey array key + * @since 1.5.1 + */ +function calendar_encodedata(&$sValue, $sKey) { + // add html line breaks and remove original ASCII line feeds and carriage returns + $sValue = str_replace(array("\n","\r"),array('',''),nl2br($sValue)); +} + /** * read events into array * @@ -39,7 +67,7 @@ function readcalendardata() { $calendardata[$fdata[0]][$fdata[1]] = array( 'length' => $fdata[2], 'priority' => $fdata[3], 'title' => htmlspecialchars($fdata[4],ENT_NOQUOTES), - 'message' => htmlspecialchars($fdata[5],ENT_NOQUOTES), + 'message' => calendar_readmultiline($fdata[5]), 'reminder' => $fdata[6] ); } fclose ($fp); @@ -65,6 +93,7 @@ function writecalendardata() { while ( $calfoo = each ($calendardata)) { while ( $calbar = each ($calfoo['value'])) { $calfoobar = $calendardata[$calfoo['key']][$calbar['key']]; + array_walk($calfoobar,'calendar_encodedata'); $calstr = "$calfoo[key]|$calbar[key]|$calfoobar[length]|$calfoobar[priority]|$calfoobar[title]|$calfoobar[message]|$calfoobar[reminder]\n"; if(sq_fwrite($fp, $calstr, 4096) === FALSE) { error_box(_("Could not write calendar file %s", "$username.$year.cal.tmp"), $color); @@ -125,5 +154,4 @@ function update_event($date, $time) { } } - ?> \ No newline at end of file diff --git a/plugins/calendar/day.php b/plugins/calendar/day.php index d98e4f94..a1816c61 100644 --- a/plugins/calendar/day.php +++ b/plugins/calendar/day.php @@ -138,7 +138,7 @@ function display_events() { html_tag( 'td', $ehour . ':' . $eminute . $elength, 'left' ) . html_tag( 'td', '', 'left' ) . '['; echo ($calbar['priority']==1) ? "$calbar[title]" : "$calbar[title]"; - echo"] $calbar[message] " . + echo']
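Review bot: `calendar_encodedata()` in the first hunk of plugins/calendar/calendar_data.php removes `\n` and `\r` but leaves `|` untouched, while `writecalendardata()` (third hunk) joins the fields with `|`. A title or message containing a pipe would therefore presumably shift the `$fdata` columns when the record is read back; the code that splits the line is outside the hunks, so this should be confirmed there. The callback is also applied to every field through `array_walk`, yet only `message` is decoded with `calendar_readmultiline()` in the second hunk, so a line break stored in `title` comes back as escaped literal markup. Until the separator is encoded or rejected, I would at least record the limitation in the callback: `// FIXME: '|' is the field separator and is not encoded here; only 'message' is decoded on read`.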
'.nl2br($calbar['message']).'
' . html_tag( 'td', "\n" . "". -- 2.25.1
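Review bot: The added `nl2br($calbar['message'])` echo in `display_events()` writes the message into the page with no escaping at the output site. As far as the patch shows, it relies on `calendar_readmultiline()` having already run the value through `htmlspecialchars()`, and that call carries a FIXME announcing its removal. A comment here would keep the two in step: `// message is HTML-escaped in calendar_readmultiline(); escape here if that changes`. Once the FIXME is resolved the expression should become `nl2br(htmlspecialchars($calbar['message']))`, and the `$calbar[title]` echo just above needs the same treatment. `display_events()` extends beyond the hunk and part of its markup is lost in this rendering, so the exact output context should be checked against the file.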