| 1 | <?php |
| 2 | |
| 3 | /** |
| 4 | * page_header.php |
| 5 | * |
| 6 | * Prints the page header (duh) |
| 7 | * |
| 8 | * @copyright 1999-2014 The SquirrelMail Project Team |
| 9 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
| 10 | * @version $Id$ |
| 11 | * @package squirrelmail |
| 12 | */ |
| 13 | |
| 14 | /** Include required files from SM */ |
| 15 | include_once(SM_PATH . 'functions/imap_mailbox.php'); |
| 16 | |
| 17 | /** |
| 18 | * Output a SquirrelMail page header, from <!doctype> to </head> |
| 19 | * Always set up the language before calling these functions. |
| 20 | * |
| 21 | * Since 1.5.1 function sends http headers. Function should be called |
| 22 | * before any output is started. |
| 23 | * @param string title the page title, default SquirrelMail. |
| 24 | * @param string xtra extra HTML to insert into the header |
| 25 | * @param bool do_hook whether to execute hooks, default true |
| 26 | * @param bool frames generate html frameset doctype (since 1.5.1) |
| 27 | * @param bool $browser_cache_ok When TRUE, it's OK to leave out the |
| 28 | * no-cache browser headers (OPTIONAL; |
| 29 | * default = FALSE, send no-cache headers) |
| 30 | * @return void |
| 31 | */ |
| 32 | function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE, $frames = FALSE, $browser_cache_ok=FALSE ) { |
| 33 | global $squirrelmail_language, $sTemplateID, $oErrorHandler, $oTemplate; |
| 34 | |
| 35 | if ( !sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) ) { |
| 36 | global $base_uri; |
| 37 | } |
| 38 | global $custom_css, $pageheader_sent, $theme, $theme_default, $text_direction, |
| 39 | $default_fontset, $chosen_fontset, $default_fontsize, $chosen_fontsize, |
| 40 | $chosen_theme, $chosen_theme_path, $user_themes, $user_theme_default; |
| 41 | |
| 42 | // add no cache headers here |
| 43 | // |
| 44 | if (!$browser_cache_ok) { |
| 45 | //FIXME: should change all header() calls in SM core to use $oTemplate->header()!! |
| 46 | $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945) |
| 47 | $oTemplate->header('Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0'); // http 1.1 (rfc2616) |
| 48 | $oTemplate->header('Expires: Sat, 1 Jan 2000 00:00:00 GMT'); |
| 49 | //TODO: is this needed? $oTemplate->header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . 'GMT'); |
| 50 | } |
| 51 | /* prevent information leakage about read emails by forbidding Firefox |
| 52 | * to do preemptive DNS requests for any links in the message body. */ |
| 53 | $oTemplate->header('X-DNS-Prefetch-Control: off'); |
| 54 | |
| 55 | // don't show version as a security measure |
| 56 | //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE); |
| 57 | $oTemplate->header('X-Powered-By: SquirrelMail', FALSE); |
| 58 | |
| 59 | // prevent clickjack attempts |
| 60 | // FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain |
| 61 | $oTemplate->header('X-Frame-Options: SAMEORIGIN'); |
| 62 | |
| 63 | // prevent clickjack attempts using JavaScript for browsers that |
| 64 | // don't support the X-Frame-Options header... |
| 65 | // we check to see if we are *not* the top page, and if not, check |
| 66 | // whether or not the top page is in the same domain as we are... |
| 67 | // if not, log out immediately -- this is an attempt to do the same |
| 68 | // thing that the X-Frame-Options does using JavaScript (never a good |
| 69 | // idea to rely on JavaScript-based solutions, though) |
| 70 | //FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user? |
| 71 | $header_tags = '<script type="text/javascript" language="JavaScript">' |
| 72 | . "\n<!--\n" |
| 73 | . 'if (self != top) { try { if (document.domain != top.document.domain) {' |
| 74 | . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "' |
| 75 | . sqm_baseuri() . 'src/signout.php"; top.location = "' |
| 76 | . sqm_baseuri() . 'src/signout.php" } }' |
| 77 | . "\n// -->\n</script>\n"; |
| 78 | |
| 79 | $oTemplate->assign('frames', $frames); |
| 80 | $oTemplate->assign('lang', $squirrelmail_language); |
| 81 | |
| 82 | $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n"; |
| 83 | |
| 84 | $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset); |
| 85 | $used_fontsize = (!empty($chosen_fontsize) ? $chosen_fontsize : $default_fontsize); |
| 86 | $used_theme = !isset($chosen_theme) && $user_theme_default != 'none' && is_dir($chosen_theme) && is_readable($chosen_theme)? $user_themes[$user_theme_default]['PATH'].'/default.css' : $chosen_theme_path; |
| 87 | |
| 88 | /** |
| 89 | * Stylesheets are loaded in the following order: |
| 90 | * 1) All stylesheets provided by the template. Normally, these are |
| 91 | * stylsheets in templates/<template>/css/. This is accomplished by calling |
| 92 | * $oTemplate->fetch_standard_stylesheet_links(). |
| 93 | * 2) An optional user-defined stylesheet. This is set in the Display |
| 94 | * Preferences. |
| 95 | * 3) src/style.php which sets some basic font prefs. |
| 96 | * 4) If we are dealing with an RTL language, we load rtl.css from the |
| 97 | * template set. |
| 98 | */ |
| 99 | |
| 100 | // 1. Stylesheets from the template. |
| 101 | $header_tags .= $oTemplate->fetch_standard_stylesheet_links(); |
| 102 | |
| 103 | $aUserStyles = array(); |
| 104 | |
| 105 | // 2. Option user-defined stylesheet from preferences. |
| 106 | if (!empty($used_theme) && $used_theme != 'none') { |
| 107 | /** |
| 108 | * All styles (except "none" - ugh) just point to a directory, |
| 109 | * so we need to include all .css files in that directory. |
| 110 | */ |
| 111 | //FIXME: rid ourselves of "none" strings! I didn't do it here because I think the problem is that the theme itself should never be "none" (? well, what else would it be? if "none" theme is actually OK, then is there a constant to use below in stead of a hard-coded string?) |
| 112 | $styles = $used_theme == 'none' ? array() |
| 113 | : list_files($used_theme, '.css'); |
| 114 | foreach ($styles as $sheet) { |
| 115 | $aUserStyles[] = $used_theme .'/'.$sheet; |
| 116 | } |
| 117 | } |
| 118 | |
| 119 | // 3. src/style.php |
| 120 | $aUserStyles[] = $base_uri .'src/style.php?' |
| 121 | . (!empty($used_fontset) ? '&fontset='.$used_fontset : '') |
| 122 | . (!empty($used_fontsize) ? '&fontsize='.$used_fontsize : ''); |
| 123 | |
| 124 | // 3.1. Load the stylesheets we have already |
| 125 | $header_tags .= $oTemplate->fetch_external_stylesheet_links($aUserStyles); |
| 126 | |
| 127 | // 4. Optional rtl.css stylesheet |
| 128 | if ($text_direction == 'rtl') { |
| 129 | $header_tags .= $oTemplate->fetch_right_to_left_stylesheet_link(); |
| 130 | } |
| 131 | |
| 132 | // 5. Printer friendly stylesheet |
| 133 | $header_tags .= create_css_link($base_uri . 'css/print.css', 'printerfriendly', false, 'print'); |
| 134 | |
| 135 | if ($squirrelmail_language == 'ja_JP') { |
| 136 | /* |
| 137 | * force correct detection of charset, when browser does not follow |
| 138 | * http content-type and tries to detect charset from page content. |
| 139 | * Shooting of browser's creator can't be implemented in php. |
| 140 | * We might get rid of it, if we follow http://www.w3.org/TR/japanese-xml/ |
| 141 | * recommendations and switch to unicode. |
| 142 | */ |
| 143 | $header_tags .= "<!-- \xfd\xfe -->\n"; |
| 144 | $header_tags .= '<meta http-equiv="Content-type" content="' . $oTemplate->get_content_type() . '; charset=euc-jp" />' . "\n"; |
| 145 | } |
| 146 | if ($do_hook) { |
| 147 | // NOTE! plugins here MUST assign output to template |
| 148 | // and NOT echo anything directly!! A common |
| 149 | // approach is if a plugin decides it needs to |
| 150 | // put something at page-top after the standard |
| 151 | // SM page header, to dynamically add itself to |
| 152 | // the page_header_bottom and/or compose_header_bottom |
| 153 | // hooks for the current page request. See |
| 154 | // the Sent Confirmation v1.7 or Restrict Senders v1.2 |
| 155 | // plugins for examples of this approach. |
| 156 | ob_start(); |
| 157 | $temp = array(&$header_tags); |
| 158 | do_hook('generic_header', $temp); |
| 159 | $output = ob_get_contents(); |
| 160 | ob_end_clean(); |
| 161 | // plugin authors can debug their errors with one of the following: |
| 162 | //sm_print_r($output); |
| 163 | //echo $output; |
| 164 | if (!empty($output)) trigger_error('A plugin on the "generic_header" hook has attempted to output directly to the browser', E_USER_ERROR); |
| 165 | } |
| 166 | |
| 167 | $header_tags .= $xtra; |
| 168 | $oTemplate->assign('page_title', $title); |
| 169 | |
| 170 | /* work around IE6's scrollbar bug */ |
| 171 | $header_tags .= <<<EOS |
| 172 | <!--[if IE 6]> |
| 173 | <style type="text/css"> |
| 174 | /* avoid stupid IE6 bug with frames and scrollbars */ |
| 175 | body { |
| 176 | width: expression(document.documentElement.clientWidth - 30); |
| 177 | } |
| 178 | </style> |
| 179 | <![endif]--> |
| 180 | |
| 181 | EOS; |
| 182 | |
| 183 | $oTemplate->assign('header_tags', $header_tags); |
| 184 | $oTemplate->display('protocol_header.tpl'); |
| 185 | |
| 186 | /* this is used to check elsewhere whether we should call this function */ |
| 187 | $pageheader_sent = TRUE; |
| 188 | if (isset($oErrorHandler)) { |
| 189 | $oErrorHandler->HeaderSent(); |
| 190 | } |
| 191 | |
| 192 | } |
| 193 | |
| 194 | /** |
| 195 | * Given a path to a SquirrelMail file, return a HTML link to it |
| 196 | * |
| 197 | * @param string $path The SquirrelMail file to link to |
| 198 | * (should start with something like "src/..." or |
| 199 | * "functions/..." or "plugins/..." etc.) |
| 200 | * @param string $text The link text |
| 201 | * @param string $target The target frame for this link |
| 202 | * @param string $accesskey The access key to be used, if any |
| 203 | */ |
| 204 | function makeInternalLink($path, $text, $target='', $accesskey='NONE') { |
| 205 | global $base_uri, $oTemplate; |
| 206 | // sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION); |
| 207 | |
| 208 | // This is an inefficient hook and is only used by |
| 209 | // one plugin that still needs to patch this code, |
| 210 | // plus if we are templat-izing SM, visual hooks |
| 211 | // are not needed. However, I am leaving the code |
| 212 | // here just in case we find a good (non-visual?) |
| 213 | // use for the internal_link hook. |
| 214 | // |
| 215 | //do_hook('internal_link', $text); |
| 216 | |
| 217 | return create_hyperlink($base_uri . $path, $text, $target, |
| 218 | '', '', '', '', |
| 219 | ($accesskey == 'NONE' |
| 220 | ? array() |
| 221 | : array('accesskey' => $accesskey))); |
| 222 | } |
| 223 | |
| 224 | /** |
| 225 | * Outputs a complete SquirrelMail page header, starting with <!doctype> and |
| 226 | * including the default menu bar. Uses displayHtmlHeader and takes |
| 227 | * JavaScript and locale settings into account. |
| 228 | * |
| 229 | * @param array color the array of theme colors |
| 230 | * @param string mailbox the current mailbox name to display |
| 231 | * @param string sHeaderJs javascipt code to be inserted in a script block in the header |
| 232 | * @param string sOnload JavaScript code to be added inside the body's onload handler |
| 233 | * as of 1.5.2, this replaces $sBodyTagJs argument |
| 234 | * @return void |
| 235 | */ |
| 236 | function displayPageHeader($color, $mailbox='', $sHeaderJs='', $sOnload = '') { |
| 237 | |
| 238 | global $reply_focus, $hide_sm_attributions, $frame_top, |
| 239 | $provider_name, $provider_uri, $startMessage, |
| 240 | $action, $oTemplate, $org_title, $base_uri, |
| 241 | $data_dir, $username; |
| 242 | |
| 243 | if (empty($sOnload)) { |
| 244 | if (strpos($action, 'reply') !== FALSE && $reply_focus) { |
| 245 | if ($reply_focus == 'select') |
| 246 | $sOnload = 'checkForm(\'select\');'; |
| 247 | else if ($reply_focus == 'focus') |
| 248 | $sOnload = 'checkForm(\'focus\');'; |
| 249 | else if ($reply_focus != 'none') |
| 250 | $sOnload = 'checkForm();'; |
| 251 | } |
| 252 | else |
| 253 | $sOnload = 'checkForm();'; |
| 254 | } |
| 255 | |
| 256 | $startMessage = (int)$startMessage; |
| 257 | |
| 258 | sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION ); |
| 259 | |
| 260 | if (!isset($frame_top)) { |
| 261 | $frame_top = '_top'; |
| 262 | } |
| 263 | |
| 264 | //FIXME: does checkForJavascript() make the 2nd part of the if() below unneccessary?? (that is, I think checkForJavascript() might already look for new_js_autodetect_results...(?)) |
| 265 | if( checkForJavascript() || strpos($sHeaderJs, 'new_js_autodetect_results.value') ) { |
| 266 | $js_includes = $oTemplate->get_javascript_includes(TRUE); |
| 267 | $sJsBlock = ''; |
| 268 | foreach ($js_includes as $js_file) { |
| 269 | $sJsBlock .= '<script src="'.$js_file.'" type="text/javascript"></script>' ."\n"; |
| 270 | } |
| 271 | if ($sHeaderJs) { |
| 272 | $sJsBlock .= "\n<script type=\"text/javascript\">" . |
| 273 | "\n<!--\n" . |
| 274 | $sHeaderJs . "\n\n// -->\n</script>\n"; |
| 275 | } |
| 276 | displayHtmlHeader ($org_title, $sJsBlock); |
| 277 | } else { |
| 278 | /* do not use JavaScript */ |
| 279 | displayHtmlHeader ($org_title); |
| 280 | $sOnload = ''; |
| 281 | } |
| 282 | if ($mailbox) { |
| 283 | /* |
| 284 | * this explains the imap_mailbox.php dependency. We should instead store |
| 285 | * the selected mailbox in the session and fallback to the session var. |
| 286 | */ |
| 287 | $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local( |
| 288 | readShortMailboxName($mailbox, $delimiter))); |
| 289 | if (getPref($data_dir, $username, 'translate_special_folders')) { |
| 290 | global $sent_folder, $trash_folder, $draft_folder; |
| 291 | if ($mailbox == $sent_folder) |
| 292 | $shortBoxName = _("Sent"); |
| 293 | else if ($mailbox == $trash_folder) |
| 294 | $shortBoxName = _("Trash"); |
| 295 | else if ($mailbox == $sent_folder) |
| 296 | $shortBoxName = _("Drafts"); |
| 297 | } |
| 298 | $urlMailbox = urlencode($mailbox); |
| 299 | } else { |
| 300 | $shortBoxName = ''; |
| 301 | $urlMailbox = ''; |
| 302 | } |
| 303 | |
| 304 | $provider_link = ''; |
| 305 | if (!empty($provider_uri) && !empty($provider_name) && $provider_name != 'SquirrelMail') { |
| 306 | $provider_link = create_hyperlink($provider_uri, $provider_name, '_blank'); |
| 307 | } |
| 308 | |
| 309 | $oTemplate->assign('onload', $sOnload); |
| 310 | $oTemplate->assign('shortBoxName', $shortBoxName); |
| 311 | $oTemplate->assign('provider_link', $provider_link); |
| 312 | $oTemplate->assign('frame_top', $frame_top); |
| 313 | $oTemplate->assign('urlMailbox', $urlMailbox); |
| 314 | $oTemplate->assign('startMessage', $startMessage); |
| 315 | $oTemplate->assign('hide_sm_attributions', $hide_sm_attributions); |
| 316 | |
| 317 | // access keys |
| 318 | // |
| 319 | global $accesskey_menubar_compose, $accesskey_menubar_addresses, |
| 320 | $accesskey_menubar_folders, $accesskey_menubar_options, |
| 321 | $accesskey_menubar_search, $accesskey_menubar_help, |
| 322 | $accesskey_menubar_signout; |
| 323 | $oTemplate->assign('accesskey_menubar_compose', $accesskey_menubar_compose); |
| 324 | $oTemplate->assign('accesskey_menubar_addresses', $accesskey_menubar_addresses); |
| 325 | $oTemplate->assign('accesskey_menubar_folders', $accesskey_menubar_folders); |
| 326 | $oTemplate->assign('accesskey_menubar_options', $accesskey_menubar_options); |
| 327 | $oTemplate->assign('accesskey_menubar_search', $accesskey_menubar_search); |
| 328 | $oTemplate->assign('accesskey_menubar_help', $accesskey_menubar_help); |
| 329 | $oTemplate->assign('accesskey_menubar_signout', $accesskey_menubar_signout); |
| 330 | |
| 331 | $oTemplate->display('page_header.tpl'); |
| 332 | |
| 333 | global $null; |
| 334 | do_hook('page_header_bottom', $null); |
| 335 | } |
| 336 | |
| 337 | /** |
| 338 | * Blatantly copied/truncated/modified from displayPageHeader. |
| 339 | * Outputs a page header specifically for the compose_in_new popup window |
| 340 | * |
| 341 | * @param array color the array of theme colors |
| 342 | * @param string mailbox the current mailbox name to display |
| 343 | * @param string sHeaderJs javascipt code to be inserted in a script block in the header |
| 344 | * @param string sOnload JavaScript code to be added inside the body's onload handler |
| 345 | * as of 1.5.2, this replaces $sBodyTagJs argument |
| 346 | * @return void |
| 347 | */ |
| 348 | function compose_Header($color, $mailbox, $sHeaderJs='', $sOnload = '') { |
| 349 | |
| 350 | global $reply_focus, $action, $oTemplate; |
| 351 | |
| 352 | if (empty($sOnload)) { |
| 353 | if (strpos($action, 'reply') !== FALSE && $reply_focus) { |
| 354 | if ($reply_focus == 'select') |
| 355 | $sOnload = 'checkForm(\'select\');'; |
| 356 | else if ($reply_focus == 'focus') |
| 357 | $sOnload = 'checkForm(\'focus\');'; |
| 358 | else if ($reply_focus != 'none') |
| 359 | $sOnload = 'checkForm();'; |
| 360 | } |
| 361 | else |
| 362 | $sOnload = 'checkForm();'; |
| 363 | } |
| 364 | |
| 365 | |
| 366 | /* |
| 367 | * Locate the first displayable form element (only when JavaScript on) |
| 368 | */ |
| 369 | if(checkForJavascript()) { |
| 370 | if ($sHeaderJs) { |
| 371 | $sJsBlock = "\n<script type=\"text/javascript\">" . |
| 372 | "\n<!--\n" . |
| 373 | $sHeaderJs . "\n\n// -->\n</script>\n"; |
| 374 | } else { |
| 375 | $sJsBlock = ''; |
| 376 | } |
| 377 | $sJsBlock .= "\n"; |
| 378 | |
| 379 | $js_includes = $oTemplate->get_javascript_includes(TRUE); |
| 380 | foreach ($js_includes as $js_file) { |
| 381 | $sJsBlock .= '<script src="'.$js_file.'" type="text/javascript"></script>' ."\n"; |
| 382 | } |
| 383 | |
| 384 | displayHtmlHeader (_("Compose"), $sJsBlock); |
| 385 | } else { |
| 386 | /* javascript off */ |
| 387 | displayHtmlHeader(_("Compose")); |
| 388 | $sOnload = ''; |
| 389 | } |
| 390 | |
| 391 | // FIXME: change the colorization attributes below to a CSS class! |
| 392 | $class = ''; |
| 393 | $aAttribs = array('text' => $color[8], 'bgcolor' => $color[4], |
| 394 | 'link' => $color[7], 'vlink' => $color[7], |
| 395 | 'alink' => $color[7]); |
| 396 | |
| 397 | // this is template-safe (see create_body() function) |
| 398 | echo create_body($sOnload, $class, $aAttribs); |
| 399 | |
| 400 | global $null; |
| 401 | do_hook('compose_header_bottom', $null); |
| 402 | } |