- Merge devel-framework branch, resolved conflicts

program/include/html.php

@@ -277,7 +277,7 @@ class html
         $attrib_arr = array();
         foreach ($attrib as $key => $value) {
             // skip size if not numeric
-            if (($key=='size' && !is_numeric($value))) {
+            if ($key == 'size' && !is_numeric($value)) {
                 continue;
             }
 
@@ -297,17 +297,57 @@ class html
                     $attrib_arr[] = $key . '="' . $key . '"';
                 }
             }
-            else if ($key=='value') {
-                $attrib_arr[] = $key . '="' . Q($value, 'strict', false) . '"';
-            }
             else {
-                $attrib_arr[] = $key . '="' . Q($value) . '"';
+                $attrib_arr[] = $key . '="' . self::quote($value) . '"';
             }
         }
+
         return count($attrib_arr) ? ' '.implode(' ', $attrib_arr) : '';
     }
+
+    /**
+     * Convert a HTML attribute string attributes to an associative array (name => value)
+     *
+     * @param string Input string
+     * @return array Key-value pairs of parsed attributes
+     */
+    public static function parse_attrib_string($str)
+    {
+        $attrib = array();
+        $regexp = '/\s*([-_a-z]+)=(["\'])??(?(2)([^\2]*)\2|(\S+?))/Ui';
+
+        preg_match_all($regexp, stripslashes($str), $regs, PREG_SET_ORDER);
+
+        // convert attributes to an associative array (name => value)
+        if ($regs) {
+            foreach ($regs as $attr) {
+                $attrib[strtolower($attr[1])] = html_entity_decode($attr[3] . $attr[4]);
+            }
+        }
+
+        return $attrib;
+    }
+
+    /**
+     * Replacing specials characters in html attribute value
+     *
+     * @param  string  $str  Input string
+     *
+     * @return string  The quoted string
+     */
+    public static function quote($str)
+    {
+        $str = htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
+
+        // avoid douple quotation of &
+        // @TODO: get rid of it?
+        $str = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $str);
+
+        return $str;
+    }
 }
 
+
 /**
  * Class to create an HTML input field
  *
@@ -317,9 +357,11 @@ class html_inputfield extends html
 {
     protected $tagname = 'input';
     protected $type = 'text';
-    protected $allowed = array('type','name','value','size','tabindex',
+    protected $allowed = array(
+        'type','name','value','size','tabindex',
         'autocomplete','checked','onchange','onclick','disabled','readonly',
-        'spellcheck','results','maxlength','src','multiple','placeholder');
+        'spellcheck','results','maxlength','src','multiple','placeholder',
+    );
 
     /**
      * Object constructor
@@ -517,11 +559,11 @@ class html_textarea extends html
         }
 
         if (!empty($value) && !preg_match('/mce_editor/', $this->attrib['class'])) {
-            $value = Q($value, 'strict', false);
+            $value = self::quote($value);
         }
 
         return self::tag($this->tagname, $this->attrib, $value,
-	    array_merge(self::$common_attrib, $this->allowed));
+	        array_merge(self::$common_attrib, $this->allowed));
     }
 }
 
@@ -550,7 +592,7 @@ class html_select extends html
     protected $options = array();
     protected $allowed = array('name','size','tabindex','autocomplete',
 	'multiple','onchange','disabled','rel');
-    
+
     /**
      * Add a new option to this drop-down
      *
@@ -591,8 +633,9 @@ class html_select extends html
                 'selected' => (in_array($option['value'], $select, true) ||
                   in_array($option['text'], $select, true)) ? 1 : null);
 
-            $this->content .= self::tag('option', $attr, Q($option['text']));
+            $this->content .= self::tag('option', $attr, self::quote($option['text']));
         }
+
         return parent::show();
     }
 }
@@ -803,4 +846,3 @@ class html_table extends html
     }
 
 }
-