From: Tomas K. <to...@us...> - 2004-08-27 11:43:45
http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/options.php?r1=1.44&r2=1.45

in function createWidget_StrList() squirrelmail sanitizes select box with htmlspecialchars.

htmlspecialchars($disp_value)

Why is it needed?

select box contains strings that are controlled by interface, not by end user.

SquirrelMail uses html entities in order to display symbols unsupported by used charset. Options -> Display Prefs -> Language is affected. In default config htmlspecialchars() breaks Norwegian Bokmål. When alternative language names are enabled, htmlspecialchars() breaks some alternative language names.

--
Tomas
From: Brad D. <buc...@us...> - 2004-08-27 19:44:58
Tomas Kuliavas wrote:
> http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/functions/options.php?r1=1.44&r2=1.45
>
> in function createWidget_StrList() squirrelmail sanitizes select box with htmlspecialchars.
>
> htmlspecialchars($disp_value)
>
> Why is it needed?
>
> select box contains strings that are controlled by interface, not by end user.
>
> SquirrelMail uses html entities in order to display symbols unsupported by used charset. Options -> Display Prefs -> Language is affected. In default config htmlspecialchars() breaks Norwegian Bokmål. When alternative language names are enabled, htmlspecialchars() breaks some alternative language names.

Isn't the list of folders displayed in the select box in a few places sanitized via that code? Folder names are controlled by the end user to a degree and need sanitizing at some stage of the game.

Brad

--
Last time I had this much fun was, ... uh ...
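The two messages above describe one select box serving two kinds of values: interface-supplied language names that already carry HTML entities (Tomas's case) and user-created folder names that must be escaped (Brad's case). The following is an added example, not SquirrelMail's code, with constructed sample values; it shows how plain htmlspecialchars() double-encodes an existing entity, and how the double_encode=false argument (available since PHP 5.2.3) keeps well-formed entities intact while still neutralising markup in a hostile folder name.

```php
<?php
// Added example, not part of SquirrelMail. The option lists below are
// constructed stand-ins for what createWidget_StrList() might receive.

// Interface-controlled labels: the entity stands in for a byte the page
// charset may not be able to display (the Norwegian Bokmål case).
$language_names = [
    'nb_NO' => 'Norwegian Bokm&aring;l',
    'en_US' => 'English',
];

// User-controlled folder names, one of them hostile.
$folder_names = [
    'INBOX',
    'Reports <script>alert(1)</script>',
    'Sales & Marketing',
];

// Naive escaping: every '&' becomes '&amp;', so '&aring;' is rendered
// literally as the text "&aring;" instead of the letter å.
function option_naive($value, $label) {
    return sprintf('<option value="%s">%s</option>',
        htmlspecialchars($value, ENT_QUOTES),
        htmlspecialchars($label, ENT_QUOTES));
}

// Entity-preserving escaping: double_encode=false leaves an already
// well-formed entity such as '&aring;' alone, but < > " ' and a bare '&'
// are still converted, so a folder name cannot inject markup.
function option_entity_safe($value, $label) {
    return sprintf('<option value="%s">%s</option>',
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8', false));
}

foreach ($language_names as $code => $name) {
    echo option_naive($code, $name), "\n";        // label ends in Bokm&amp;aring;l (broken)
    echo option_entity_safe($code, $name), "\n";  // label ends in Bokm&aring;l (intact)
}
foreach ($folder_names as $folder) {
    // <script> becomes &lt;script&gt; and the bare '&' becomes &amp; in both variants.
    echo option_entity_safe($folder, $folder), "\n";
}
```

The trade-off to be aware of: with double_encode=false, a user who names a folder "&aring;" will see it rendered as the letter rather than the literal text, which is a cosmetic quirk, not an injection, because the structural characters are still escaped.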