Pass compose form attributes to template separately, otherwise, is same as constructing arbitrary HTML in the core

src/read_body.php

@@ -553,7 +553,7 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message, $removed
     // Start form for reply/reply all/forward..
     $target = '';
     $on_click='';
-    $method='method="post" ';
+    $method='post';
     $onsubmit='';
     if ($compose_new_win == '1') {
         if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) {
@@ -565,10 +565,10 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message, $removed
         if ( checkForJavascript() ) {
           $on_click=' onclick="comp_in_new_form(\''.$comp_uri.'\', this, this.form,'. $compose_width .',' . $compose_height .')"';
           $comp_uri = 'javascript:void(0)';
-          $method='method="get" ';
-          $onsubmit = 'onsubmit="return false" ';
+          $method='get';
+          $onsubmit = 'return false';
         } else {
-          $target = 'target="_blank"';
+          $target = '_blank';
         }
     }
 
@@ -584,7 +584,10 @@ function formatMenubar($aMailbox, $passed_id, $passed_ent_id, $message, $removed
     $oTemplate->assign('message_list_href', $msg_list_href);
     $oTemplate->assign('search_href', $search_href);
 
-    $oTemplate->assign('form_extra', $method . $target . $onsubmit);
+    $oTemplate->assign('form_extra', '');
+    $oTemplate->assign('form_method', $method);
+    $oTemplate->assign('form_target', $target);
+    $oTemplate->assign('form_onsubmit', $onsubmit);
     $oTemplate->assign('compose_href', $comp_uri);
     $oTemplate->assign('button_onclick', $on_click);
     $oTemplate->assign('forward_as_attachment_enabled', $enable_forward_as_attachment==1);

templates/default/read_menubar_buttons.tpl

@@ -17,7 +17,10 @@
  *    $view_msg_href - URL to go back to the main message.  Empty if N/A.
  *    $msg_list_href - URL to go to the message list.
  *    $search_href   - URL to go back to the serach results.  Empty if N/A.
- *    $form_extra    - Extra elements required by the forms to delete, move or copy
+ *    $form_extra    - Extra elements that will be added to the <form> tag verbatim
+ *    $form_method   - The value of the <form>'s method attribute (optional, may be blank)
+ *    $form_target   - The value of the <form>'s target attribute (optional, may be blank)
+ *    $form_onsubmit - The value of the <form>'s onsubmit handler (optional, may be blank)
  *    $compose_href  - Base URL to forward, reply, etc.  Note that a specific action
  *                     must also be given by the form or in this URL.
  *    $on_click      - Onclick event string for all buttons
@@ -50,6 +53,17 @@
 /** extract template variables **/
 extract($t);
 
+/*FIXME: This is a place where Marc's idea for putting all the buttons and 
+         links and other widgets into an array is sorely needed instead of
+         hard-coding everything.  Whomever implements that, PLEASE, PLEASE
+         look at how the preview pane plugin code is used in this same template
+         file for the *default_advanced* set to change some links and buttons 
+         and make sure your implementation can support it (tip: it may or may 
+         not be OK to let a plugin do the modification of the widgets, since 
+         a template set can turn on the needed plugin, but that might not be 
+         the most clear way to solve said issue).*/
+
+
 /** Begin template **/
 if ($nav_on_top) {
     $table_class = 'bottom';
@@ -63,7 +77,12 @@ if ($nav_on_top) {
 <table class="<?php echo $table_class; ?>" cellspacing="0">
  <tr class="buttons">
   <td class="buttons">
-   <form name="composeForm" action="<?php echo $compose_href; ?>" <?php echo $form_extra; ?> >
+   <form name="composeForm" action="<?php 
+                  echo $compose_href . '" '  
+                     . (!empty($form_method) ? 'method="' . $form_method . '" ' : '')
+                     . (!empty($form_target) ? 'target="' . $form_target . '" ' : '')
+                     . (!empty($form_onsubmit) ? 'onsubmit="' . $form_onsubmit . '" ' : '')
+                     . $form_extra; ?> >
    <small>
     <?php
         if ($can_resume_draft) {

templates/default_advanced/read_menubar_buttons.tpl

@@ -17,7 +17,10 @@
  *    $view_msg_href - URL to go back to the main message.  Empty if N/A.
  *    $msg_list_href - URL to go to the message list.
  *    $search_href   - URL to go back to the serach results.  Empty if N/A.
- *    $form_extra    - Extra elements required by the forms to delete, move or copy
+ *    $form_extra    - Extra elements that will be added to the <form> tag verbatim
+ *    $form_method   - The value of the <form>'s method attribute (optional, may be blank)
+ *    $form_target   - The value of the <form>'s target attribute (optional, may be blank)
+ *    $form_onsubmit - The value of the <form>'s onsubmit handler (optional, may be blank)
  *    $compose_href  - Base URL to forward, reply, etc.  Note that a specific action
  *                     must also be given by the form or in this URL.
  *    $on_click      - Onclick event string for all buttons
@@ -90,7 +93,12 @@ if ($nav_on_top) {
 <table class="<?php echo $table_class; ?>" cellspacing="0">
  <tr class="buttons">
   <td class="buttons">
-   <form name="composeForm" action="<?php echo $compose_href; ?>" <?php echo $form_extra; ?> >
+   <form name="composeForm" action="<?php
+                  echo $compose_href . '" '
+                     . (!empty($form_method) ? 'method="' . $form_method . '" ' : '')
+                     . (!empty($form_target) ? 'target="' . $form_target . '" ' : '')
+                     . (!empty($form_onsubmit) ? 'onsubmit="' . $form_onsubmit . '" ' : '')
+                     . $form_extra; ?> >
    <small>
     <?php
         if ($can_resume_draft) {