Support for HTML special character notations in message list/header display #3812

Closed
rcubetrac opened this issue Jun 8, 2012 · 9 comments

@rcubetrac

Reported by hh on 8 Jun 2012 13:37 UTC as Trac ticket #1488523

It would be nice to have HTML special character notations shown verbatim in the Subject field of email. As of 0.8-rc, such notations, typically &amp; and &copy;, are directly rendered by the browser. If you have &copy; in the Subject field, for example, it appears as a copyright symbol (©) in the message list and header panes.

Note: With my setup, Q() in strict mode doesn't seem to work for this purpose, and I had no luck extending the underlying rep_specialchars_out() function - I'm now experimenting with something like:

*** program/include/main.inc.orig   Sat May 19 01:06:54 2012
--- program/include/main.inc    Fri Jun  8 20:29:23 2012
***************
*** 290,295 ****
--- 290,297 ----
   */
  function Q($str, $mode='strict', $newlines=TRUE)
    {
+   if ($mode == 'sanitize')
+     return htmlspecialchars($str);
    return rep_specialchars_output($str, 'html', $mode, $newlines);
    }
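
Review bot: the new 'sanitize' branch in Q() calls htmlspecialchars($str) with no flags or charset argument and returns before $newlines is looked at, so this mode escapes differently from the others: single quotes stay unescaped under the ENT_COMPAT default of PHP versions before 8.1, and the charset is whatever PHP defaults to. Suggest passing both explicitly, e.g. htmlspecialchars($str, ENT_QUOTES, 'UTF-8') (assuming the output charset is UTF-8), and documenting the new mode in the docblock above the function.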

The following changes are against a7d5e3e:

*** program/steps/mail/func.inc.orig    Fri Jun  8 20:50:13 2012
--- program/steps/mail/func.inc Fri Jun  8 20:51:05 2012
***************
*** 264,270 ****
        if (in_array($col, array('from', 'to', 'cc', 'replyto')))
          $cont = Q(rcmail_address_string($header->$col, 3, false, null, $header->charset), 'show');
        else if ($col=='subject') {
!         $cont = trim(rcube_mime::decode_header($header->$col, $header->charset));
          if (!$cont) $cont = rcube_label('nosubject');
          $cont = Q($cont);
        }
--- 264,270 ----
        if (in_array($col, array('from', 'to', 'cc', 'replyto')))
          $cont = Q(rcmail_address_string($header->$col, 3, false, null, $header->charset), 'show');
        else if ($col=='subject') {
!         $cont = Q(trim(rcube_mime::decode_header($header->$col, $header->charset)), 'sanitize');
          if (!$cont) $cont = rcube_label('nosubject');
          $cont = Q($cont);
        }
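
Review bot: in the subject branch $cont is now escaped by Q(..., 'sanitize') and then passed through Q($cont) again two lines later, so the value goes through two escapers and the result depends on how the default mode treats already-escaped text. The escaping also now runs before the nosubject fallback. Suggest leaving the decode_header() line as it was and changing the last call to $cont = Q($cont, 'sanitize'); so the subject and the fallback label are escaped exactly once.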
***************
*** 947,953 ****

    // single header value is requested
    if (!empty($attrib[    return Q($plugin['output']('valueof']))
!)[($attrib['valueof']($attrib['valueof']]['value'],) == 'subject' ? 'strict' : 'show'));

    // compose html table
    $table = new html_table(array('cols' => 2));
--- 947,953 ----

    // single header value is requested
    if (!empty($attrib[
!     return Q($plugin['output']('valueof'])))[($attrib['valueof']($attrib['valueof']]['value'],) == 'subject' ? 'sanitize' : 'show'));

    // compose html table
    $table = new html_table(array('cols' => 2));
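
Review bot: the ternary on the return Q(...) line switches the mode for 'subject' only; any other header requested through valueof still goes to Q() with 'show', as do from, to, cc and replyto in the message list hunk above. It is worth checking whether an entity notation in a display name hits the same problem, and if so putting the mode choice in one place rather than in a per-column comparison.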

Keywords: header subject literal
Migrated-From: http://trac.roundcube.net/ticket/1488523

@rcubetrac

Comment by hh on 9 Jun 2012 01:26 UTC

=== TO REPRODUCE ===
For example - let's say you have a Subject line like:

Subject: In HTML you can use &lt; to get <

As of 0.8-rc, this will be shown as:

Subject: In HTML you can use < to get <

@rcubetrac

Comment by hh on 10 Jun 2012 12:12 UTC

=== SUPPLEMENTAL ===
If you reply to email with a Subject line like the one in the previous example (the one with &lt;), the editable Subject form field returns raw HTML notations - i.e., you get < in place of &lt;. (The Subject itself gets modified.) To prevent this, we also need something like:


*** program/steps/mail/compose.inc.orig Fri May 18 16:06:54 2012
--- program/steps/mail/compose.inc  Sun Jun 10 11:38:31 2012
***************
*** 1259,1265 ****
    }

    $out = $form_start ? "$form_start\n" : '';
!   $out .= $textfield->show($subject);
    $out .= $form_end ? "\n$form_end" : '';

    return $out;
--- 1259,1265 ----
    }

    $out = $form_start ? "$form_start\n" : '';
!   $out .= $textfield->show(Q($subject, 'sanitize'));
    $out .= $form_end ? "\n$form_end" : '';

    return $out;
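
Review bot: Q($subject, 'sanitize') escapes the value at the call site before $textfield->show() builds the input element, so correctness now depends on what show() does with it: if show() escapes fully, the reply Subject ends up double-encoded, and if it skips existing entities, every other caller of show() still has the reported problem. Suggest fixing the attribute escaping inside the text field class and passing the raw $subject here.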

Note: sanitize is my wording. Probably it should have been normalize or something.

@rcubetrac

Comment by @alecpl on 3 Aug 2012 08:07 UTC

I think this is a bug that HTML entities in subject/headers are not "sanitized".

@rcubetrac

Milestone changed by @alecpl on 3 Aug 2012 08:07 UTC

later => 0.8-stable

@rcubetrac

Comment by @thomascube on 5 Aug 2012 11:19 UTC

I guess our duplicate quotation check (in rep_specialchars_output()) is causing this issue. We should remove that and test whether there are situations where indeed HTML characters are quoted twice.
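
The behaviour discussed in this thread, as an added example that is not Roundcube code or part of any comment: an escaper that skips anything already looking like an entity (modelled here with htmlspecialchars' double_encode=false, an assumption about the general technique, not a copy of rep_specialchars_output()) loses the literal notation from the reporter's Subject line, while escaping the plain text exactly once preserves it. The function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not Roundcube's.

// Stand-in for an escaper with a "duplicate quotation check": text that
// already looks like an entity is left alone (double_encode = false).
function escape_skip_existing(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Context-correct escaper: the input is plain text, so every '&' is data.
function escape_plain_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

// What a browser displays for a text node: entities decoded once.
function rendered(string $html): string
{
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the decoded Subject header from the report.
$subject = 'In HTML you can use &lt; to get <';

$skipped = escape_skip_existing($subject);
$escaped = escape_plain_text($subject);

echo "skip-existing markup : $skipped\n";
echo "skip-existing shown  : " . rendered($skipped) . "\n";
echo "plain-text markup    : $escaped\n";
echo "plain-text shown     : " . rendered($escaped) . "\n";

// The case the skip check guards against: a value escaped a second time
// by a later layer (for example a form field that escapes its own value).
$twice = escape_plain_text($escaped);
echo "escaped twice shown  : " . rendered($twice) . "\n";

// Round-trip check: only escape-once displays the original header text.
echo "plain-text lossless  : " . var_export(rendered($escaped) === $subject, true) . "\n";
echo "skip-existing lossless: " . var_export(rendered($skipped) === $subject, true) . "\n";
```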

@rcubetrac

Comment by @alecpl on 15 Aug 2012 14:34 UTC

I've commented it and we have a few issues now (mail subject on reply, contact form inputs). Maybe this is one form-elements related issue. Need more testing.

@rcubetrac

Comment by @alecpl on 17 Sep 2012 13:10 UTC

I committed two changes to a new branch 'html_ent'. Works for me, but I'd like to test this change with some plugins.

@rcubetrac

Comment by @alecpl on 21 Sep 2012 08:15 UTC

Merged.

@rcubetrac

Status changed by @alecpl on 21 Sep 2012 08:15 UTC

new => closed
