From a164a2e64b65fbe0729f6d4326b0219f1914c139 Mon Sep 17 00:00:00 2001
From: alecpl <alec@alec.pl>
Date: Mon, 06 Oct 2008 05:32:09 -0400
Subject: [PATCH] - #1485463: fixed css classes setting in messages list

---
 program/steps/mail/func.inc | 208 +++++++++++++++++++++++++++++----------------------
 1 files changed, 117 insertions(+), 91 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 7de78a1..43e21ee 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -53,25 +53,26 @@ $OUTPUT->set_env('search_text', $_SESSION['last_text_search']); } - -// set current mailbox in client environment -$OUTPUT->set_env('mailbox', $IMAP->get_mailbox_name()); -$OUTPUT->set_env('quota', $IMAP->get_capability('quota')); -$OUTPUT->set_env('delimiter', $IMAP->get_hierarchy_delimiter()); - -if ($CONFIG['trash_mbox']) - $OUTPUT->set_env('trash_mailbox', $CONFIG['trash_mbox']); -if ($CONFIG['drafts_mbox']) - $OUTPUT->set_env('drafts_mailbox', $CONFIG['drafts_mbox']); -if ($CONFIG['junk_mbox']) - $OUTPUT->set_env('junk_mailbox', $CONFIG['junk_mbox']); - -if (!$OUTPUT->ajax_call) - rcube_add_label('checkingmail', 'deletemessage', 'movemessagetotrash', 'movingmessage'); - -// set page title +// set main env variables, labels and page title if (empty($RCMAIL->action) || $RCMAIL->action == 'list') + { + // set current mailbox in client environment + $OUTPUT->set_env('mailbox', $IMAP->get_mailbox_name()); + $OUTPUT->set_env('quota', $IMAP->get_capability('quota')); + $OUTPUT->set_env('delimiter', $IMAP->get_hierarchy_delimiter()); + + if ($CONFIG['trash_mbox']) + $OUTPUT->set_env('trash_mailbox', $CONFIG['trash_mbox']); + if ($CONFIG['drafts_mbox']) + $OUTPUT->set_env('drafts_mailbox', $CONFIG['drafts_mbox']); + if ($CONFIG['junk_mbox']) + $OUTPUT->set_env('junk_mailbox', $CONFIG['junk_mbox']); + + if (!$OUTPUT->ajax_call) + $OUTPUT->add_label('checkingmail', 'deletemessage', 'movemessagetotrash', 'movingmessage'); + $OUTPUT->set_pagetitle(rcmail_localize_foldername($IMAP->get_mailbox_name())); + } /** @@ -89,7 +90,7 @@ $sort_order = $_SESSION['sort_order']; // add some labels to client - rcube_add_label('from', 'to'); + $OUTPUT->add_label('from', 'to'); // get message headers $a_headers = $IMAP->list_headers('', '', $sort_col, $sort_order); 
@@ -182,7 +183,7 @@ $out .= '<td class="'.$col.$sort_class.'" id="rcmHead'.$col.'">' . "$col_name$sort</td>\n"; } - $out .= '<td class="icon">'.($attrib['attachmenticon'] ? sprintf($image_tag, $skin_path, $attrib['attachmenticon'], '') : '')."</td>\n"; + $out .= '<td class="icon">'.($attrib['attachmenticon'] ? sprintf($image_tag, $skin_path, $attrib['attachmenticon'], '') : ' ')."</td>\n"; $out .= "</tr></thead>\n<tbody>\n"; // no messages in this mailbox @@ -197,7 +198,7 @@ { $message_icon = $attach_icon = $flagged_icon = ''; $js_row_arr = array(); - $zebra_class = $i%2 ? 'even' : 'odd'; + $zebra_class = $i%2 ? ' even' : ' odd'; // set messag attributes to javascript array if ($header->deleted) @@ -206,16 +207,25 @@ $js_row_arr['unread'] = true; if ($header->answered) $js_row_arr['replied'] = true; + if ($header->forwarded) + $js_row_arr['forwarded'] = true; if ($header->flagged) $js_row_arr['flagged'] = true; // set message icon if ($attrib['deletedicon'] && $header->deleted) $message_icon = $attrib['deletedicon']; + else if ($attrib['repliedicon'] && $header->answered) + { + if ($attrib['forwardedrepliedicon'] && $header->forwarded) + $message_icon = $attrib['forwardedrepliedicon']; + else + $message_icon = $attrib['repliedicon']; + } + else if ($attrib['forwardedicon'] && $header->forwarded) + $message_icon = $attrib['forwardedicon']; else if ($attrib['unreadicon'] && !$header->seen) $message_icon = $attrib['unreadicon']; - else if ($attrib['repliedicon'] && $header->answered) - $message_icon = $attrib['repliedicon']; else if ($attrib['messageicon']) $message_icon = $attrib['messageicon']; 
@@ -228,12 +238,12 @@ if ($attrib['attachmenticon'] && preg_match("/multipart\/[mr]/i", $header->ctype)) $attach_icon = $attrib['attachmenticon']; - $out .= sprintf('<tr id="rcmrow%d" class="message%s%s %s">'."\n", + $out .= sprintf('<tr id="rcmrow%d" class="message%s%s%s%s">'."\n", $header->uid, $header->seen ? '' : ' unread', $header->deleted ? ' deleted' : '', $header->flagged ? ' flagged' : '', - $zebra_class); + $zebra_class); $out .= sprintf("<td class=\"icon\">%s</td>\n", $message_icon ? sprintf($image_tag, $skin_path, $message_icon, '') : ''); @@ -250,9 +260,9 @@ { $action = $mbox==$CONFIG['drafts_mbox'] ? 'compose' : 'show'; $uid_param = $mbox==$CONFIG['drafts_mbox'] ? '_draft_uid' : '_uid'; - $cont = Q($IMAP->decode_header($header->$col)); - if (empty($cont)) $cont = Q(rcube_label('nosubject')); - $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), $cont); + $cont = abbreviate_string(trim($IMAP->decode_header($header->$col)), 160); + if (empty($cont)) $cont = rcube_label('nosubject'); + $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), Q($cont)); } else if ($col=='flag') $cont = $flagged_icon ? sprintf($image_tag, $skin_path, $flagged_icon, '') : ''; @@ -296,6 +306,10 @@ $OUTPUT->set_env('unreadicon', $skin_path . $attrib['unreadicon']); if ($attrib['repliedicon']) $OUTPUT->set_env('repliedicon', $skin_path . $attrib['repliedicon']); + if ($attrib['forwardedicon']) + $OUTPUT->set_env('forwardedicon', $skin_path . $attrib['forwardedicon']); + if ($attrib['forwardedrepliedicon']) + $OUTPUT->set_env('forwardedrepliedicon', $skin_path . $attrib['forwardedrepliedicon']); if ($attrib['attachmenticon']) $OUTPUT->set_env('attachmenticon', $skin_path . $attrib['attachmenticon']); if ($attrib['flaggedicon']) 
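Review bot: The `empty($cont)` test that follows the new `$cont = abbreviate_string(trim($IMAP->decode_header($header->$col)), 160);` line in the `@@ -250,9 +260,9 @@` hunk treats a subject consisting of the single character `0` as absent, because `empty('0')` is true in PHP, so that message is listed under the 'nosubject' label. Assuming abbreviate_string returns a string, the check should be `if ($cont === '') $cont = rcube_label('nosubject');`. The same falsy test is introduced in the `@@ -350,9 +364,9 @@` hunk as `if (!$cont)` and in the new `else if ($hkey == 'subject' && empty($headers[$hkey]))` branch of the `@@ -762,8 +786,10 @@` hunk. The enclosing list-building function starts and ends outside this hunk.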
@@ -350,9 +364,9 @@ { $action = $mbox==$CONFIG['drafts_mbox'] ? 'compose' : 'show'; $uid_param = $mbox==$CONFIG['drafts_mbox'] ? '_draft_uid' : '_uid'; - $cont = Q($IMAP->decode_header($header->$col)); - if (!$cont) $cont = Q(rcube_label('nosubject')); - $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), $cont); + $cont = abbreviate_string(trim($IMAP->decode_header($header->$col)), 160); + if (!$cont) $cont = rcube_label('nosubject'); + $cont = sprintf('<a href="%s" onclick="return rcube_event.cancel(event)">%s</a>', Q(rcmail_url($action, array($uid_param=>$header->uid, '_mbox'=>$mbox))), Q($cont)); } else if ($col=='size') $cont = show_bytes($header->$col); @@ -367,6 +381,7 @@ $a_msg_flags['deleted'] = $header->deleted ? 1 : 0; $a_msg_flags['unread'] = $header->seen ? 0 : 1; $a_msg_flags['replied'] = $header->answered ? 1 : 0; + $a_msg_flags['forwarded'] = $header->forwarded ? 1 : 0; $a_msg_flags['flagged'] = $header->flagged ? 1 : 0; $OUTPUT->command('add_message_row', @@ -389,18 +404,12 @@ if (empty($attrib['id'])) $attrib['id'] = 'rcmailcontentwindow'; - // allow the following attributes to be added to the <iframe> tag - $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'src', 'width', 'height', 'frameborder')); - $framename = $attrib['id']; + $attrib['name'] = $attrib['id']; - $out = sprintf('<iframe name="%s"%s></iframe>'."\n", - $framename, - $attrib_str); - - $OUTPUT->set_env('contentframe', $framename); + $OUTPUT->set_env('contentframe', $attrib['id']); $OUTPUT->set_env('blankpage', $attrib['src'] ? $OUTPUT->abs_url($attrib['src']) : 'program/blank.gif'); - return $out; + return html::iframe($attrib); } 
@@ -416,14 +425,7 @@ $OUTPUT->add_gui_object('countdisplay', $attrib['id']); - // allow the following attributes to be added to the <span> tag - $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); - - - $out = '<span' . $attrib_str . '>'; - $out .= rcmail_get_messagecount_text(); - $out .= '</span>'; - return $out; + return html::span($attrib, rcmail_get_messagecount_text()); } @@ -442,20 +444,14 @@ $OUTPUT->add_gui_object('quotadisplay', $attrib['id']); - // allow the following attributes to be added to the <span> tag - $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'display')); - - $out = '<span' . $attrib_str . '>'; - $out .= rcmail_quota_content(); - $out .= '</span>'; - return $out; + return html::span($attrib, rcmail_quota_content(NULL, $attrib)); } /** * */ -function rcmail_quota_content($quota=NULL) +function rcmail_quota_content($quota=NULL, $attrib=NULL) { global $IMAP, $COMM_PATH, $RCMAIL; @@ -481,14 +477,23 @@ // show quota as image (by Brett Patterson) if ($display == 'image' && function_exists('imagegif')) { - $attrib = array('width' => 100, 'height' => 14); + if (!$attrib['width']) + $attrib['width'] = isset($_SESSION['quota_width']) ? $_SESSION['quota_width'] : 100; + else + $_SESSION['quota_width'] = $attrib['width']; + + if (!$attrib['height']) + $attrib['height'] = isset($_SESSION['quota_height']) ? $_SESSION['quota_height'] : 14; + else + $_SESSION['quota_height'] = $attrib['height']; + $quota_text = sprintf('<img src="./bin/quotaimg.php?u=%s&q=%d&w=%d&h=%d" width="%d" height="%d" alt="%s" title="%s / %s" />', $quota['used'], $quota['total'], $attrib['width'], $attrib['height'], $attrib['width'], $attrib['height'], $quota_text, - show_bytes($quota["used"] * 1024), - show_bytes($quota["total"] * 1024)); + show_bytes($quota['used'] * 1024), + show_bytes($quota['total'] * 1024)); } } else 
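Review bot: In the `@@ -481,14 +477,23 @@` hunk the `<img src="./bin/quotaimg.php?u=%s&q=%d&w=%d&h=%d" ...>` format string interpolates `$quota['used']` with `%s` while the neighbouring quota, width and height values use `%d`, so whatever the quota source returns for `used` is placed into the attribute without any escaping; `u=%d` would keep it numeric like the others. The bare `&` separators inside the attribute value should also be written as `&amp;` for well-formed HTML. Where the `$quota` array is populated is not visible in this hunk, and `rcmail_quota_content` starts and ends outside it.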
@@ -574,19 +579,34 @@ } // text/html else if ($part->ctype_secondary == 'html') { + $html = $part->body; + + // special replacements (not properly handled by washtml class) + $html_search = array( + '/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR> + '/(<[\/]*st1:[^>]+>)/i', // Microsoft's Smart Tags <ST1> + '/<title>.*<\/title>/i', // PHP bug #32547 workaround: remove title tag + '/<html[^>]*>/im', // malformed html: remove html tags (#1485139) + '/<\/html>/i', // malformed html: remove html tags (#1485139) + ); + $html_replace = array( + '\\1'.' '.'\\3', + '', + '', + '', + '', + ); + $html = preg_replace($html_search, $html_replace, $html); + // charset was converted to UTF-8 in rcube_imap::get_message_part() -> change charset specification in HTML accordingly - $html = $part->body; if (preg_match('/(\s+content=[\'"]\w+\/\w+;\s*charset)=([a-z0-9-_]+)/i', $html)) $html = preg_replace('/(\s+content=[\'"]\w+\/\w+;\s*charset)=([a-z0-9-_]+)/i', '\\1='.RCMAIL_CHARSET, $html); else { - // add <head> for malformed messages, washtml cannot work without that - if (!preg_match('/<head>(.*)<\\/head>/Uims', $html)) - $html = '<head></head>' . $html; + // add head for malformed messages, washtml cannot work without that + if (!preg_match('/<head[^>]*>(.*)<\/head>/Uims', $html)) + $html = '<head></head>'. $html; $html = substr_replace($html, '<meta http-equiv="Content-Type" content="text/html; charset='.RCMAIL_CHARSET.'" />', intval(stripos($html, '</head>')), 0); } - - // PHP bug #32547 workaround: remove title tag - $html = preg_replace('/<title>.*<\/title>/', '', $html); // clean HTML with washhtml by Frederic Motte $wash_opts = array( 
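Review bot: The new `'/<title>.*<\/title>/i'` entry in `$html_search` still cannot remove a `<title>` element whose content spans several lines, because `.` does not match a newline without the `s` modifier, so the PHP bug #32547 workaround it implements silently does nothing for such messages. `'/<title[^>]*>.*?<\/title>/is'` covers multi-line and attributed title tags and stays non-greedy when a body happens to contain more than one. The `m` modifier on `'/<html[^>]*>/im'` has no effect, since that pattern uses no `^` or `$` anchor. The enclosing function starts and ends outside this hunk.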
@@ -602,15 +622,13 @@ $wash_opts['html_elements'] = array('html','head','title','body'); } - /* CSS styles need to be sanitized! - if ($p['safe']) { - $wash_opts['html_elements'][] = 'style'; - $wash_opts['html_attribs'] = array('type'); - } - */ - $washer = new washtml($wash_opts); $washer->add_callback('form', 'rcmail_washtml_callback'); + + if ($p['safe']) { // allow CSS styles, will be sanitized by rcmail_washtml_callback() + $washer->add_callback('style', 'rcmail_washtml_callback'); + } + $body = $washer->wash($html); $REMOTE_OBJECTS = $washer->extlinks; @@ -698,6 +716,16 @@ $out = html::div('form', $content); break; + case 'style': + // decode all escaped entities and reduce to ascii strings + $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content)); + + // now check for evil strings like expression, behavior or url() + if (!preg_match('/expression|behavior|url\(|import/', $stripped)) { + $out = html::tag('style', array('type' => 'text/css'), $content); + break; + } + default: $out = ''; } @@ -728,10 +756,6 @@ if (!$headers) $headers = is_object($MESSAGE->headers) ? get_object_vars($MESSAGE->headers) : $MESSAGE->headers; - // add empty subject if none exsists - if (empty($headers['subject'])) - $headers['subject'] = rcube_label('nosubject'); - $header_count = 0; // allow the following attributes to be added to the <table> tag @@ -762,8 +786,10 @@ } else if (in_array($hkey, array('from', 'to', 'cc', 'bcc'))) $header_value = Q(rcmail_address_string($headers[$hkey], null, true, $attrib['addicon']), 'show'); + else if ($hkey == 'subject' && empty($headers[$hkey])) + $header_value = Q(rcube_label('nosubject')); else - $header_value = Q($IMAP->decode_header($headers[$hkey])); + $header_value = Q(trim($IMAP->decode_header($headers[$hkey]))); $out .= "\n<tr>\n"; $out .= '<td class="header-title">'.Q(rcube_label($hkey)).": </td>\n"; 
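Review bot: The new `$washer->add_callback('style', 'rcmail_washtml_callback');` registers a callback only, whereas the deleted commented-out block had also appended `'style'` to `$wash_opts['html_elements']` and `'type'` to `html_attribs`; whether washtml invokes a tag callback for an element that is not listed in `html_elements` is not visible in this patch. Please confirm the callback is actually reached for `<style>` when `$p['safe']` is set, since otherwise the element is still dropped and the sanitising path in the callback is dead code. Once verified, a one-line comment above the call recording that dependency on washtml's callback dispatch would help the next maintainer. The enclosing function starts and ends outside this hunk.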
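Review bot: The keyword check `if (!preg_match('/expression|behavior|url\(|import/', $stripped))` in the new `style` case is case-sensitive while CSS property and function names are not, and `$stripped` keeps both upper- and lower-case letters, so a stylesheet written as `EXPRESSION(` or `URL(` passes the filter. The same pattern rejects every stylesheet that uses `!important`, because `important` contains `import`, so legitimate CSS is silently dropped. Keeping `@` in the retained character set and matching case-insensitively addresses both: `$stripped = preg_replace('/[^a-zA-Z\(:@]/', '', rcmail_xss_entitiy_decode($content));` and `if (!preg_match('/expression|behavior|binding|url\(|@import/i', $stripped)) {`. The intentional fall-through into `default` when the check fails also deserves a `// fall through: rejected CSS is dropped` comment so it is not mistaken for a missing `break`.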
@@ -931,23 +957,26 @@ * parse link attributes and set correct target */ function rcmail_alter_html_link($tag, $attrs, $container_id) - { +{ $attrib = parse_attrib_string($attrs); + $end = '>'; - if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) + if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) { $attrib['href'] = "./bin/modcss.php?u=" . urlencode($attrib['href']) . "&c=" . urlencode($container_id); - - else if (stristr((string)$attrib['href'], 'mailto:')) + $end = ' />'; + } + else if (stristr((string)$attrib['href'], 'mailto:')) { $attrib['onclick'] = sprintf( "return %s.command('compose','%s',this)", JS_OBJECT_NAME, JQ(substr($attrib['href'], 7))); - - else if (!empty($attrib['href']) && $attrib['href']{0}!='#') - $attrib['target'] = '_blank'; - - return "<$tag" . create_attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . ' />'; } + else if (!empty($attrib['href']) && $attrib['href'][0] != '#') { + $attrib['target'] = '_blank'; + } + + return "<$tag" . html::attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . $end; +} /** @@ -1097,12 +1126,9 @@ $part = $MESSAGE->mime_parts[asciiwords(get_input_value('_part', RCUBE_INPUT_GPC))]; $ctype_primary = strtolower($part->ctype_primary); - $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING'])); + $attrib['src'] = './?' . str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']); - $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'src', 'width', 'height')); - $out = '<iframe '. $attrib_str . "></iframe>"; - - return $out; + return html::iframe($attrib); } -- Gitblit v1.9.1
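Review bot: The rewritten `else if (stristr((string)$attrib['href'], 'mailto:')) {` branch in `rcmail_alter_html_link` matches `mailto:` anywhere in the href rather than only as the scheme, so an http link whose query string happens to contain that text is turned into a compose command and `substr($attrib['href'], 7)` yields a wrong address. A prefix test, `else if (stripos((string)$attrib['href'], 'mailto:') === 0) {`, restricts the branch to real mailto links. The condition was carried over from the removed line, but since the branch is rewritten here this is the natural place to tighten it.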
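Review bot: In the `@@ -1097,12 +1126,9 @@` hunk the new `$attrib['src'] = './?' . str_replace(..., $_SERVER['QUERY_STRING']);` line drops the `Q()` escaping the old code applied before the request's query string is placed into the iframe's `src` attribute, and `$_SERVER['QUERY_STRING']` is taken verbatim from the request URL. Whether `html::iframe()` escapes attribute values is not visible in this patch, so either confirm that `html::attrib_string` applies `Q()` or `htmlspecialchars` to every value it emits, or keep `Q()` on this line. Once verified, a short comment such as `// html::iframe() escapes attribute values, no Q() needed here` would document the assumption. The enclosing function starts outside this hunk.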