From 0a1dd5b073f0dfc42439ab168246ae0ae6921414 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 May 2012 05:07:20 -0400
Subject: [PATCH] Add is_escaped attribute for html_select and html_textarea (#1488485)

---
 program/include/html.php |   24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/program/include/html.php b/program/include/html.php
index 305a397..c76eb74 100644
--- a/program/include/html.php
+++ b/program/include/html.php
@@ -298,7 +298,7 @@
                 }
             }
             else {
-                $attrib_arr[] = $key . '="' . self::quote($value) . '"';
+                $attrib_arr[] = $key . '="' . self::quote($value, true) . '"';
             }
         }
 
@@ -331,17 +331,20 @@
     /**
      * Replacing specials characters in html attribute value
      *
-     * @param  string  $str  Input string
+     * @param  string  $str       Input string
+     * @param  bool    $validate  Enables double quotation prevention
      *
      * @return string  The quoted string
      */
-    public static function quote($str)
+    public static function quote($str, $validate = false)
     {
         $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
 
         // avoid douple quotation of &
-        // @TODO: get rid of it?
-        $str = preg_replace('/&amp;([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+        // @TODO: get rid of it
+        if ($validate) {
+            $str = preg_replace('/&amp;([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+        }
 
         return $str;
     }
@@ -558,8 +561,8 @@
             unset($this->attrib['value']);
         }
 
-        if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
-            $value = self::quote($value);
+        if (!empty($value) && empty($this->attrib['is_escaped'])) {
+            $value = self::quote($value, true);
         }
 
         return self::tag($this->tagname, $this->attrib, $value,
@@ -633,7 +636,12 @@
                 'selected' => (in_array($option['value'], $select, true) ||
                   in_array($option['text'], $select, true)) ? 1 : null);
 
-            $this->content .= self::tag('option', $attr, self::quote($option['text']));
+            $option_content = $option['text'];
+            if (empty($this->attrib['is_escaped'])) {
+                $option_content = self::quote($option_content, true);
+            }
+
+            $this->content .= self::tag('option', $attr, $option_content);
         }
 
         return parent::show();

--
Gitblit v1.9.1