Replace calls to htmlspecialchars() with sm_encode_html_special_chars().

New function sm_encode_html_special_chars() encodes HTML special
characters by calling htmlspecialchars(). It sets the character set
to ISO-8859-1, to fix compatibility with PHP >= 5.4.

Patch by Paul Lesniewski.

See #3491925

class/mime/Rfc822Header.class.php

@@ -736,7 +736,7 @@ class Rfc822Header {
             $value = substr($value,strlen($charset)+1);
             /* FIXME: What's the status of charset decode with language information ????
              * Maybe language information contains only ascii text and charset_decode() 
-             * only runs htmlspecialchars() on it. If it contains 8bit information, you 
+             * only runs sm_encode_html_special_chars() on it. If it contains 8bit information, you 
              * get html encoded text in charset used by selected translation.
              */
             $value = charset_decode($charset,$value);

class/template/PHP_Template.class.php

@@ -65,7 +65,7 @@ class PHP_Template extends Template
       * @param mixed $value the value to assign
 FIXME: Proposed idea to add a parameter here that turns variable 
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function assign($tpl_var, $value = NULL) {
@@ -93,7 +93,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       * @param mixed $value the referenced value to assign
 FIXME: Proposed idea to add a parameter here that turns variable 
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function assign_by_ref($tpl_var, &$value) {
@@ -159,7 +159,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       *                       variable values
 FIXME: Proposed idea to add a parameter here that turns variable 
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function append($tpl_var, $value = NULL, $merge = FALSE)
@@ -220,7 +220,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       *                       variable values
 FIXME: Proposed idea to add a parameter here that turns variable 
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function append_by_ref($tpl_var, &$value, $merge = FALSE)

class/template/Smarty_Template.class.php

@@ -84,7 +84,7 @@ class Smarty_Template extends Template
       * @param mixed $value the value to assign
 FIXME: Proposed idea to add a parameter here that turns variable
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function assign($tpl_var, $value = NULL) {
@@ -100,7 +100,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       * @param mixed $value the referenced value to assign
 FIXME: Proposed idea to add a parameter here that turns variable
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function assign_by_ref($tpl_var, &$value) {
@@ -152,7 +152,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       *                       variable values
 FIXME: Proposed idea to add a parameter here that turns variable
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function append($tpl_var, $value = NULL, $merge = FALSE) {
@@ -175,7 +175,7 @@ FIXME: Proposed idea to add a parameter here that turns variable
       *                       variable values
 FIXME: Proposed idea to add a parameter here that turns variable
        encoding on, so that we can make sure output is always
-       run through something like htmlspecialchars() (maybe even nl2br()?)
+       run through something like sm_encode_html_special_chars() (maybe even nl2br()?)
       *
       */
     function append_by_ref($tpl_var, &$value, $merge = FALSE) {

class/template/Template.class.php

@@ -1480,7 +1480,7 @@ FIXME: We could make the incoming array more complex so it can
 
         if (empty($template)) {
 
-            trigger_error('The template "' . htmlspecialchars($file)
+            trigger_error('The template "' . sm_encode_html_special_chars($file)
                           . '" could not be fetched!', E_USER_ERROR);
 
         } else {

functions/addressbook.php

@@ -162,7 +162,7 @@ function addressbook_init($showerr = true, $onlylocal = false) {
      * display address book init errors.
      */
     if ($abook_init_error!='' && $showerr) {
-        error_box(nl2br(htmlspecialchars($abook_init_error)));
+        error_box(nl2br(sm_encode_html_special_chars($abook_init_error)));
     }
 
     /* Return the initialized object */
@@ -414,7 +414,7 @@ class AddressBook {
      *
      * Extra field can be used to add link to form, which allows
      * to modify all fields supported by backend. This is the only field
-     * that is not sanitized with htmlspecialchars. Backends MUST make
+     * that is not sanitized with sm_encode_html_special_chars. Backends MUST make
      * sure that field data is sanitized and displayed correctly inside
      * table cell. Use of html formating in other address book fields is
      * not allowed. Backends that don't return 'extra' row in address book

functions/attachment_common.php

@@ -147,7 +147,7 @@ function attachment_common_link_text(&$Args) {
        $Args[0]['attachment_common']['href'] = Where it links to */
     sqgetGlobalVar('QUERY_STRING', $QUERY_STRING, SQ_SERVER);
 
-    // if htmlspecialchars() breaks something - find other way to encode & in url.
+    // if sm_encode_html_special_chars() breaks something - find other way to encode & in url.
     $Args[0]['attachment_common']['href'] = $base_uri  . 'src/view_text.php?'. $QUERY_STRING;
     $Args[0]['attachment_common']['href'] =
           set_url_var($Args[0]['attachment_common']['href'],

functions/display_messages.php

@@ -28,7 +28,7 @@ function error_message($message, $mailbox, $sort, $startMessage) {
     $link = array (
         'URL'   => sqm_baseuri()."src/right_main.php?sort=$sort&startMessage=$startMessage&mailbox=$urlMailbox",
         'TEXT'  => sprintf (_("Click here to return to %s"),
-                            strtoupper($mailbox) == 'INBOX' ? _("INBOX") : htmlspecialchars(imap_utf7_decode_local($mailbox))) 
+                            strtoupper($mailbox) == 'INBOX' ? _("INBOX") : sm_encode_html_special_chars(imap_utf7_decode_local($mailbox))) 
                    );
     error_box($message, $link);
 }

functions/folder_manip.php

@@ -124,9 +124,9 @@ function folders_rename_getname ($imapConnection, $delimiter, $old) {
     sqimap_logout($imapConnection);
 
     $oTemplate->assign('dialog_type', 'rename');
-    $oTemplate->assign('parent_folder', htmlspecialchars($old_parent));
-    $oTemplate->assign('current_full_name', htmlspecialchars($old));
-    $oTemplate->assign('current_folder_name', htmlspecialchars($old_name));
+    $oTemplate->assign('parent_folder', sm_encode_html_special_chars($old_parent));
+    $oTemplate->assign('current_full_name', sm_encode_html_special_chars($old));
+    $oTemplate->assign('current_folder_name', sm_encode_html_special_chars($old_name));
     $oTemplate->assign('is_folder', $isfolder);
     
     $oTemplate->display('folder_manip_dialog.tpl');
@@ -198,8 +198,8 @@ function folders_delete_ask ($imapConnection, $folder_name)
     sqimap_logout($imapConnection);
 
     $oTemplate->assign('dialog_type', 'delete');
-    $oTemplate->assign('folder_name', htmlspecialchars($folder_name));
-    $oTemplate->assign('visible_folder_name', htmlspecialchars($visible_folder_name));
+    $oTemplate->assign('folder_name', sm_encode_html_special_chars($folder_name));
+    $oTemplate->assign('visible_folder_name', sm_encode_html_special_chars($visible_folder_name));
     
     $oTemplate->display('folder_manip_dialog.tpl');
     $oTemplate->display('footer.tpl');

functions/forms.php

@@ -4,7 +4,7 @@
  * forms.php - html form functions
  *
  * Functions to build forms in a safe and consistent manner.
- * All attribute values are sanitized with htmlspecialchars().
+ * All attribute values are sanitized with sm_encode_html_special_chars().
 //FIXME: I think the Template class might be better place to sanitize inside assign() method
  *
  * Currently functions don't provide simple wrappers for file and 
@@ -65,7 +65,7 @@ function addInputField($sType, $aAttribs=array()) {
     global $oTemplate;
 
     $oTemplate->assign('type', $sType);
-//FIXME: all the values in the $aAttribs list used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value);
+//FIXME: all the values in the $aAttribs list used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value);
     $oTemplate->assign('aAttribs', $aAttribs);
 
     return $oTemplate->fetch('input.tpl');
@@ -187,7 +187,7 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri
     if (!$bMultiple && count($aValues) == 1) {
         $k = key($aValues); $v = array_pop($aValues);
         return addHidden($sName, ($bUsekeys ? $k : $v), $aAttribs)
-             . htmlspecialchars($v);
+             . sm_encode_html_special_chars($v);
     }
 
     if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName;
@@ -201,7 +201,7 @@ function addSelect($sName, $aValues, $default = null, $bUsekeys = false, $aAttri
 
     global $oTemplate;
 
-//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[htmlspecialchars($key)] = htmlspecialchars($value); $aValues = $aNewValues;   And probably this too because it has to be matched to a value that has already been sanitized: $default = htmlspecialchars($default);  (oops, watch out for when $default is an array! (multiple select lists))
+//FIXME: all the values in the $aAttribs list and $sName and both the keys and values in $aValues used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $aNewValues = array(); foreach ($aValues as $key => $value) $aNewValues[sm_encode_html_special_chars($key)] = sm_encode_html_special_chars($value); $aValues = $aNewValues;   And probably this too because it has to be matched to a value that has already been sanitized: $default = sm_encode_html_special_chars($default);  (oops, watch out for when $default is an array! (multiple select lists))
     $oTemplate->assign('aAttribs', $aAttribs);
     $oTemplate->assign('aValues', $aValues);
     $oTemplate->assign('bUsekeys', $bUsekeys);
@@ -300,7 +300,7 @@ function addTextArea($sName, $sText = '', $iCols = 40, $iRows = 10, $aAttribs =
 
     global $oTemplate;
 
-//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sName = htmlspecialchars($sName); $sText = htmlspecialchars($sText);
+//FIXME: all the values in the $aAttribs list as well as $sName and $sText used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sName = sm_encode_html_special_chars($sName); $sText = sm_encode_html_special_chars($sText);
     $oTemplate->assign('aAttribs', $aAttribs);
     $oTemplate->assign('name', $sName);
     $oTemplate->assign('text', $sText);
@@ -336,7 +336,7 @@ function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCha
 
     global $oTemplate;
 
-//FIXME: all the values in the $aAttribs list as well as $charset used to go thru htmlspecialchars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = htmlspecialchars($value); $sCharset = htmlspecialchars($sCharset);
+//FIXME: all the values in the $aAttribs list as well as $charset used to go thru sm_encode_html_special_chars()... I would propose that most everything that is assigned to the template should go thru that *in the template class* on its way between here and the actual template file.  Otherwise we have to do something like:  foreach ($aAttribs as $key => $value) $aAttribs[$key] = sm_encode_html_special_chars($value); $sCharset = sm_encode_html_special_chars($sCharset);
     $oTemplate->assign('aAttribs', $aAttribs);
     $oTemplate->assign('name', $sName);
     $oTemplate->assign('method', $sMethod);

functions/global.php

@@ -764,8 +764,8 @@ function sm_print_r() {
 
 
 /**
-  * Sanitize a value using htmlspecialchars() or similar, but also
-  * recursively run htmlspecialchars() (or similar) on array keys
+  * Sanitize a value using sm_encode_html_special_chars() or similar, but also
+  * recursively run sm_encode_html_special_chars() (or similar) on array keys
   * and values.
   *
   * If $value is not a string or an array with strings in it,
@@ -811,7 +811,7 @@ function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) {
         if ($quote_style === TRUE)
             return str_replace(array('\'', '"'), array(''', '"'), $value);
         else
-            return htmlspecialchars($value, $quote_style);
+            return sm_encode_html_special_chars($value, $quote_style);
     }
 
     // anything else gets returned with no changes

functions/imap_general.php

@@ -349,7 +349,7 @@ function sqimap_read_data_list($imap_stream, $tag, $handle_errors,
           'sqimap_run_command or sqimap_run_command_list instead<br /><br />'.
           'The following query was issued:<br />'.
 //FIXME: NO HTML IN CORE!
-           htmlspecialchars($query) . '<br />' . "</font><br />\n";
+           sm_encode_html_special_chars($query) . '<br />' . "</font><br />\n";
     error_box($string);
     $oTemplate->display('footer.tpl');
     exit;
@@ -376,11 +376,11 @@ function sqimap_error_box($title, $query = '', $message_title = '', $message = '
     $cmd= strtolower($cmd[0]);
 
     if ($query != '' &&  $cmd != 'login')
-        $string .= _("Query:") . ' ' . htmlspecialchars($query) . '<br />';
+        $string .= _("Query:") . ' ' . sm_encode_html_special_chars($query) . '<br />';
     if ($message_title != '')
         $string .= $message_title;
     if ($message != '')
-        $string .= htmlspecialchars($message);
+        $string .= sm_encode_html_special_chars($message);
 //FIXME: NO HTML IN CORE!
     $string .= "</font><br />\n";
     if ($link != '')
@@ -941,7 +941,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $
 //FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here
             if ($response != 'NO') {
                 /* "BAD" and anything else gets reported here. */
-                $message = htmlspecialchars($message);
+                $message = sm_encode_html_special_chars($message);
                 set_up_language($squirrelmail_language, true);
                 if ($response == 'BAD') {
                     if ($hide == 3) return sprintf(_("Bad request: %s"), $message);
@@ -953,7 +953,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $
                 if (isset($read) && is_array($read)) {
                     $string .= '<br />' . _("Read data:") . "<br />\n";
                     foreach ($read as $line) {
-                        $string .= htmlspecialchars($line) . "<br />\n";
+                        $string .= sm_encode_html_special_chars($line) . "<br />\n";
                     }
                 }
                 error_box($string);

functions/imap_mailbox.php

@@ -432,7 +432,7 @@ function sqimap_mailbox_select ($imap_stream, $mailbox) {
      */
     if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') {
         global $oTemplate;
-        error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox)));
+        error_box(sprintf(_("Invalid mailbox name: %s"),sm_encode_html_special_chars($mailbox)));
         sqimap_logout($imap_stream);
         $oTemplate->display('footer.tpl');
         die();
@@ -784,7 +784,7 @@ function sqimap_mailbox_option_array($imap_stream, $folder_skip = 0, $boxes = 0,
                           // i18n: Name of Drafts folder
                           $box2 = $pad . _("Drafts");
                       } else {
-                          $box2 = str_replace('  ', '. ', htmlspecialchars($boxes_part['formatted']));
+                          $box2 = str_replace('  ', '. ', sm_encode_html_special_chars($boxes_part['formatted']));
                       }
                     break;
                   case SMPREF_MAILBOX_SELECT_INDENTED:
@@ -798,16 +798,16 @@ function sqimap_mailbox_option_array($imap_stream, $folder_skip = 0, $boxes = 0,
                           $pad = str_pad('',12 * (count(explode($delimiter,$boxes_part['unformatted-dm']))-1),'  ');
                           $box2 = $pad . _("Drafts");
                       } else {
-                          $box2 = str_replace('  ', '  ', htmlspecialchars($boxes_part['formatted']));
+                          $box2 = str_replace('  ', '  ', sm_encode_html_special_chars($boxes_part['formatted']));
                       }
                     break;
                   default:  /* default, long names, style = 0 */
-                    $box2 = str_replace(' ', ' ', htmlspecialchars(imap_utf7_decode_local($boxes_part['unformatted-disp'])));
+                    $box2 = str_replace(' ', ' ', sm_encode_html_special_chars(imap_utf7_decode_local($boxes_part['unformatted-disp'])));
                     break;
                 }
             }
             
-            $a[htmlspecialchars($box)] = $box2;
+            $a[sm_encode_html_special_chars($box)] = $box2;
         }
     }
     
@@ -843,12 +843,12 @@ function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_sk
     
     $str = '';
     foreach ($boxes as $value=>$option) {
-        $lowerbox = strtolower(htmlspecialchars($value));
+        $lowerbox = strtolower(sm_encode_html_special_chars($value));
         $sel = false;
         if ($show_selected != 0) {
             reset($show_selected);
             while (!$sel && (list($x, $val) = each($show_selected))) {
-                if (strtolower($value) == strtolower(htmlspecialchars($val))) {
+                if (strtolower($value) == strtolower(sm_encode_html_special_chars($val))) {
                     $sel = true;
                 }
             }

functions/imap_messages.php

@@ -622,7 +622,7 @@ function parseFetch(&$aResponse,$aMessageList = array()) {
         $aMsg['ID'] = $id;
         $fetch = substr($read,$i_space+1,5);
         if (!is_numeric($id) && $fetch !== 'FETCH') {
-            $aMsg['ERROR'] = $read; // htmlspecialchars should be done just before display. this is backend code
+            $aMsg['ERROR'] = $read; // sm_encode_html_special_chars should be done just before display. this is backend code
             break;
         }
         $i = strpos($read,'(',$i_space+5);

functions/mailbox_display.php

@@ -554,11 +554,11 @@ function prepareMessageList(&$aMailbox, $aProps) {
                             $sMailbox  = (isset($aAddr[SQM_ADDR_MAILBOX]))  ? $aAddr[SQM_ADDR_MAILBOX]  : '';
                             $sHost     = (isset($aAddr[SQM_ADDR_HOST]))     ? $aAddr[SQM_ADDR_HOST]     : '';
                             if ($sPersonal) {
-                                $title .= htmlspecialchars($sMailbox.'@'.$sHost).', ';
+                                $title .= sm_encode_html_special_chars($sMailbox.'@'.$sHost).', ';
                             } else {
                                 // if $value gets truncated we need to add the addresses with no
                                 // personal name as well
-                                $title_maybe .= htmlspecialchars($sMailbox.'@'.$sHost).', ';
+                                $title_maybe .= sm_encode_html_special_chars($sMailbox.'@'.$sHost).', ';
                             }
                         }
                         if ($title) {

functions/mime.php

@@ -63,7 +63,7 @@ function mime_structure ($bodystructure, $flags=array()) {
         displayPageHeader( $color, $mailbox );
         $errormessage  = _("SquirrelMail could not decode the bodystructure of the message");
         $errormessage .= '<br />'._("The bodystructure provided by your IMAP server:").'<br /><br />';
-        $errormessage .= '<pre>' . htmlspecialchars($read) . '</pre>';
+        $errormessage .= '<pre>' . sm_encode_html_special_chars($read) . '</pre>';
         plain_error_message( $errormessage );
         echo '</body></html>';
         exit;
@@ -632,7 +632,7 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) {
         $this_attachment['DownloadHREF'] = $links['download link']['href'];
         $this_attachment['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : '';
         $this_attachment['Size'] = $header->size;
-        $this_attachment['ContentType'] = htmlspecialchars($type0 .'/'. $type1);
+        $this_attachment['ContentType'] = sm_encode_html_special_chars($type0 .'/'. $type1);
         $this_attachment['OtherLinks'] = array();
         foreach ($links as $val) {
             if ($val['text']==_("Download") || $val['text'] == _("View"))
@@ -831,7 +831,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) {
             $iLastMatch = $i;
             $j = $i;
             if ($htmlsafe) {
-                $ret .= htmlspecialchars($res[1]);
+                $ret .= sm_encode_html_special_chars($res[1]);
             } else {
                 $ret .= $res[1];
             }
@@ -860,7 +860,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) {
                         }
                     } else {
                         if ($htmlsafe) {
-                            $replace = htmlspecialchars($replace);
+                            $replace = sm_encode_html_special_chars($replace);
                         }
                         $ret.= $replace;
                     }
@@ -881,7 +881,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) {
                         }
                     } else {
                         if ($htmlsafe) {
-                            $replace = htmlspecialchars($replace);
+                            $replace = sm_encode_html_special_chars($replace);
                         }
                     }
                     $ret .= $replace;
@@ -901,7 +901,7 @@ function decodeHeader ($string, $utfencode=true,$htmlsafe=true,$decide=false) {
         }
 
         if (!$encoded && $htmlsafe) {
-            $ret .= htmlspecialchars($chunk);
+            $ret .= sm_encode_html_special_chars($chunk);
         } else {
             $ret .= $chunk;
         }

functions/options.php

@@ -475,9 +475,9 @@ class SquirrelOption {
 
 //TODO: might be better to have a separate template file for all widgets, because then the layout of the widget and the "trailing text" can be customized - they are still hard coded here
         if ($password)
-            return addPwField('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text);
+            return addPwField('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . sm_encode_html_special_chars($this->trailing_text);
         else
-            return addInput('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . htmlspecialchars($this->trailing_text);
+            return addInput('new_' . $this->name, $this->value, $width, 0, $this->aExtraAttribs) . ' ' . sm_encode_html_special_chars($this->trailing_text);
     }
 
     /**
@@ -547,7 +547,7 @@ class SquirrelOption {
                 $height = 5;
         }
 
-        return addSelect('new_' . $this->name, $this->possible_values, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height, !$this->htmlencoded) . htmlspecialchars($this->trailing_text);
+        return addSelect('new_' . $this->name, $this->possible_values, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height, !$this->htmlencoded) . sm_encode_html_special_chars($this->trailing_text);
 
     }
 
@@ -605,7 +605,7 @@ class SquirrelOption {
             $option_list = array('ignore' => _("unavailable"));
 
 
-        return addSelect('new_' . $this->name, $option_list, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height) . htmlspecialchars($this->trailing_text);
+        return addSelect('new_' . $this->name, $option_list, $this->value, TRUE, $this->aExtraAttribs, $multiple_select, $height) . sm_encode_html_special_chars($this->trailing_text);
 
     }
 
@@ -792,7 +792,7 @@ class SquirrelOption {
      */
     function createWidget_Submit() {
 
-        return addSubmit($this->comment, $this->name, $this->aExtraAttribs) . htmlspecialchars($this->trailing_text);
+        return addSubmit($this->comment, $this->name, $this->aExtraAttribs) . sm_encode_html_special_chars($this->trailing_text);
 
     }
 

functions/page_header.php

@@ -284,7 +284,7 @@ function displayPageHeader($color, $mailbox='', $sHeaderJs='', $sOnload = '') {
         * this explains the imap_mailbox.php dependency. We should instead store
         * the selected mailbox in the session and fallback to the session var.
         */
-        $shortBoxName = htmlspecialchars(imap_utf7_decode_local(
+        $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local(
                     readShortMailboxName($mailbox, $delimiter)));
         if (getPref($data_dir, $username, 'translate_special_folders')) {
             global $sent_folder, $trash_folder, $draft_folder;

functions/strings.php

@@ -1674,3 +1674,38 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
 
 }
 
+/**
+  * Wrapper for PHP's htmlspecialchars() that
+  * attempts to add the correct character encoding
+  *
+  * @param string $string The string to be converted
+  * @param int $flags A bitmask that controls the behavior of htmlspecialchars()
+  *                   (See http://php.net/manual/function.htmlspecialchars.php )
+  *                   (OPTIONAL; default ENT_COMPAT)
+  * @param string $encoding The character encoding to use in the conversion
+  *                         (OPTIONAL; default automatic detection)
+  * @param boolean $double_encode Whether or not to convert entities that are
+  *                               already in the string (only supported in
+  *                               PHP 5.2.3+) (OPTIONAL; default TRUE)
+  *
+  * @return string The converted text
+  *
+  */
+function sm_encode_html_special_chars($string, $flags=ENT_COMPAT,
+                                      $encoding=NULL, $double_encode=TRUE)
+{
+   if (!$encoding)
+   {
+      global $default_charset;
+      if ($default_charset == 'iso-2022-jp')
+         $default_charset = 'EUC-JP';
+      $encoding = $default_charset;
+   }
+
+// TODO: Is adding this check an unnecessary performance hit?
+   if (check_php_version(5, 2, 3))
+      return htmlspecialchars($string, $flags, $encoding, $double_encode);
+
+   return htmlspecialchars($string, $flags, $encoding);
+}
+

include/init.php

@@ -274,20 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * or
  * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
  * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
  * Update again: the encoding of ampersands that occurs
- * using htmlspecialchars() corrupts the query strings
+ * using sm_encode_html_special_chars() corrupts the query strings
  * in normal URIs, so we have to let those through.
 FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
  */
 if (isset($_SERVER['REQUEST_URI']))
-    $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
 if (isset($_SERVER['PHP_SELF']))
-    $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
 if (isset($_SERVER['QUERY_STRING']))
-    $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();
 

include/languages.php

@@ -193,7 +193,7 @@ function sq_setlocale($category,$locale) {
  * @param string $string Text to be decoded
  * @param boolean $force_decode converts string to html without $charset!=$default_charset check.
  * Argument is available since 1.4.5 and 1.5.1.
- * @param boolean $save_html disables htmlspecialchars() in order to preserve
+ * @param boolean $save_html disables sm_encode_html_special_chars() in order to preserve
  *  html formating. Use with care. Available since 1.4.6 and 1.5.1
  * @return string decoded string
  */
@@ -218,7 +218,7 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals
 
     // Don't do conversion if charset is the same.
     if ( ! $force_decode && $charset == strtolower($default_charset) )
-        return ($save_html ? $string : htmlspecialchars($string));
+        return ($save_html ? $string : sm_encode_html_special_chars($string));
 
     // catch iso-8859-8-i thing
     if ( $charset == "iso-8859-8-i" )
@@ -234,10 +234,10 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals
             // other charsets can be converted to utf-8 without loss.
             // and output string is smaller
             $string = recode_string($charset . "..utf-8",$string);
-            return ($save_html ? $string : htmlspecialchars($string));
+            return ($save_html ? $string : sm_encode_html_special_chars($string));
         } else {
             $string = recode_string($charset . "..html",$string);
-            // recode does not convert single quote, htmlspecialchars does.
+            // recode does not convert single quote, sm_encode_html_special_chars does.
             $string = str_replace("'", ''', $string);
             // undo html specialchars
             if ($save_html)
@@ -250,13 +250,13 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals
     // iconv functions does not have html target and can be used only with utf-8
     if ( $use_php_iconv && $default_charset=='utf-8') {
         $string = iconv($charset,$default_charset,$string);
-        return ($save_html ? $string : htmlspecialchars($string));
+        return ($save_html ? $string : sm_encode_html_special_chars($string));
     }
 
     // If we don't use recode and iconv, we'll do it old way.
 
     /* All HTML special characters are 7 bit and can be replaced first */
-    if (! $save_html) $string = htmlspecialchars ($string);
+    if (! $save_html) $string = sm_encode_html_special_chars ($string);
 
     /* controls cpu and memory intensive decoding cycles */
     if (! isset($aggressive_decoding) || $aggressive_decoding=="" ) {
@@ -279,7 +279,7 @@ function charset_decode ($charset, $string, $force_decode=false, $save_html=fals
  * @since 1.4.4 and 1.5.1
  * @param string $string
  * @param string $charset
- * @param boolean $htmlencode keep htmlspecialchars encoding
+ * @param boolean $htmlencode keep sm_encode_html_special_chars encoding
  * @return string
  */
 function charset_encode($string,$charset,$htmlencode=true) {
@@ -323,7 +323,7 @@ function charset_encode($string,$charset,$htmlencode=true) {
  * @param string $in_charset initial charset
  * @param string $string string that has to be converted
  * @param string $out_charset final charset
- * @param boolean $htmlencode keep htmlspecialchars encoding
+ * @param boolean $htmlencode keep sm_encode_html_special_chars encoding
  * @return string converted string
  */
 function charset_convert($in_charset,$string,$out_charset,$htmlencode=true) {

include/options/display.php

@@ -82,14 +82,14 @@ function load_optpage_data_display() {
     $template_themes = $oTemplate->get_alternative_stylesheets(true);
     asort($template_themes);
     foreach ($template_themes as $sheet=>$name) {
-        $theme_values[$sheet] = 'Template Theme - '.htmlspecialchars($name);
+        $theme_values[$sheet] = 'Template Theme - '.sm_encode_html_special_chars($name);
     }
     // Next, list user-provided styles
     asort($user_themes);
     foreach ($user_themes as $style) {
         if ($style['PATH'] == 'none')
             continue;
-        $theme_values[$style['PATH']] = 'User Theme - '.htmlspecialchars($style['NAME']);
+        $theme_values[$style['PATH']] = 'User Theme - '.sm_encode_html_special_chars($style['NAME']);
     }
 
     if (count($user_themes) + count($template_themes) > 1) {

include/options/personal.php

@@ -104,7 +104,7 @@ function load_optpage_data_personal() {
             'caption' => _("E-mail Address"),
             'type'    => SMOPT_TYPE_COMMENT,
             'refresh' => SMOPT_REFRESH_NONE,
-            'comment' => htmlspecialchars($email_address)
+            'comment' => sm_encode_html_special_chars($email_address)
         );
     }
 

plugins/administrator/options.php

@@ -422,7 +422,7 @@ foreach ( $newcfg as $k => $v ) {
             }
             echo "<tr><td valign=\"top\">$name</td><td>"
                 ."<textarea cols=\"$size\" rows=\"4\" name=\"adm_$n\">" 
-                .htmlspecialchars(stripslashes(substr( $v, 1, strlen( $v ) - 2 )))
+                .sm_encode_html_special_chars(stripslashes(substr( $v, 1, strlen( $v ) - 2 )))
                 ."</textarea>";
             if ( isset( $defcfg[$k]['comment'] ) ) {
                 echo ' &nbsp; ' . $defcfg[$k]['comment'];
@@ -440,7 +440,7 @@ foreach ( $newcfg as $k => $v ) {
             }
             echo "<tr><td>$name</td><td>"
                 ."<input size=\"$size\" name=\"adm_$n\" value=\""
-                .htmlspecialchars(stripslashes(substr( $v, 1, strlen( $v ) - 2 )))
+                .sm_encode_html_special_chars(stripslashes(substr( $v, 1, strlen( $v ) - 2 )))
                 .'" />';
             if ( isset( $defcfg[$k]['comment'] ) ) {
                 echo ' &nbsp; ' . $defcfg[$k]['comment'];

plugins/calendar/calendar.php

@@ -114,11 +114,11 @@ function drawmonthview() {
                     $calbar = $calendardata[$cdate][$calfoo['key']];
                     // FIXME: how to display multiline task
                     $title = '['. $calfoo['key']. '] ' .
-                        str_replace(array("\r","\n"),array(' ',' '),htmlspecialchars($calbar['message']));
+                        str_replace(array("\r","\n"),array(' ',' '),sm_encode_html_special_chars($calbar['message']));
                     // FIXME: link to nowhere
                     echo "<a href=\"#\" style=\"text-decoration:none; color: "
                         .($calbar['priority']==1 ? $color[1] : $color[6])
-                        ."\" title=\"$title\">".htmlspecialchars($calbar['title'])."</a><br />\n";
+                        ."\" title=\"$title\">".sm_encode_html_special_chars($calbar['title'])."</a><br />\n";
                     $i=$i+1;
                     if($i==2){
                         break;

plugins/calendar/calendar_data.php

@@ -23,7 +23,7 @@ $calendardata = array();
  * Plugin stores multiline texts converted to single line with PHP nl2br().
  * Function undoes nl2br() conversion and html encoding of ASCII vertical bar.
  *
- * Older plugin versions sanitized data with htmlspecialchars. Since 1.5.1 calendar 
+ * Older plugin versions sanitized data with sm_encode_html_special_chars. Since 1.5.1 calendar 
  * data is not sanitized. Output functions must make sure that data is correctly 
  * encoded and sanitized.
  * @param string $string calendar string

plugins/calendar/day.php

@@ -127,9 +127,9 @@ function display_events() {
                         html_tag( 'td', date_intl(_("H:i"),mktime($ehour,$eminute,0,1,1,0)) . $elength, 'left' ) .
                         html_tag( 'td', '', 'left' ) . '[';
                             echo ($calbar['priority']==1) ?
-                                "<font color=\"$color[1]\">".htmlspecialchars($calbar['title']).'</font>' :
-                                htmlspecialchars($calbar['title']);
-                            echo'] <div style="margin-left:10px">'.nl2br(htmlspecialchars($calbar['message'])).'</div>' .
+                                "<font color=\"$color[1]\">".sm_encode_html_special_chars($calbar['title']).'</font>' :
+                                sm_encode_html_special_chars($calbar['title']);
+                            echo'] <div style="margin-left:10px">'.nl2br(sm_encode_html_special_chars($calbar['message'])).'</div>' .
                         html_tag( 'td',
                             "<font size=\"-1\"><nobr>\n" .
                             "<a href=\"event_edit.php?year=$year&amp;month=$month&amp;day=$day&amp;hour=".

plugins/calendar/event_create.php

@@ -159,11 +159,11 @@ if(!isset($event_text)){
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Title:"), 'right', $color[4] ) . "\n" .
-                    html_tag( 'td', htmlspecialchars($event_title,ENT_NOQUOTES), 'left', $color[4] ) . "\n"
+                    html_tag( 'td', sm_encode_html_special_chars($event_title,ENT_NOQUOTES), 'left', $color[4] ) . "\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Message:"), 'right', $color[4] ) . "\n" .
-                    html_tag( 'td', nl2br(htmlspecialchars($event_text,ENT_NOQUOTES)), 'left', $color[4] ) . "\n"
+                    html_tag( 'td', nl2br(sm_encode_html_special_chars($event_text,ENT_NOQUOTES)), 'left', $color[4] ) . "\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td',

plugins/calendar/event_delete.php

@@ -74,11 +74,11 @@ function confirm_deletion() {
                ) .
                html_tag( 'tr',
                    html_tag( 'td', _("Title:"), 'right', $color[4] ) .
-                   html_tag( 'td', htmlspecialchars($tmparray['title']), 'left', $color[4] )
+                   html_tag( 'td', sm_encode_html_special_chars($tmparray['title']), 'left', $color[4] )
                ) .
                html_tag( 'tr',
                    html_tag( 'td', _("Message:"), 'right', $color[4] ) .
-                   html_tag( 'td', nl2br(htmlspecialchars($tmparray['message'])), 'left', $color[4] )
+                   html_tag( 'td', nl2br(sm_encode_html_special_chars($tmparray['message'])), 'left', $color[4] )
                ) .
                html_tag( 'tr',
                    html_tag( 'td',

plugins/calendar/event_edit.php

@@ -176,11 +176,11 @@ function confirm_update() {
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Title:") , 'right', $color[4] ) ."\n" .
-                    html_tag( 'td', htmlspecialchars($tmparray['title']) , 'left', $color[4] ) ."\n"
+                    html_tag( 'td', sm_encode_html_special_chars($tmparray['title']) , 'left', $color[4] ) ."\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Message:") , 'right', $color[4] ) ."\n" .
-                    html_tag( 'td', nl2br(htmlspecialchars($tmparray['message'])) , 'left', $color[4] ) ."\n"
+                    html_tag( 'td', nl2br(sm_encode_html_special_chars($tmparray['message'])) , 'left', $color[4] ) ."\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'th', _("to:") . "<br />\n", '', $color[4], 'colspan="2"' ) ."\n"
@@ -200,11 +200,11 @@ function confirm_update() {
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Title:") , 'right', $color[4] ) ."\n" .
-                    html_tag( 'td', htmlspecialchars($event_title) , 'left', $color[4] ) ."\n"
+                    html_tag( 'td', sm_encode_html_special_chars($event_title) , 'left', $color[4] ) ."\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td', _("Message:") , 'right', $color[4] ) ."\n" .
-                    html_tag( 'td', nl2br(htmlspecialchars($event_text)) , 'left', $color[4] ) ."\n"
+                    html_tag( 'td', nl2br(sm_encode_html_special_chars($event_text)) , 'left', $color[4] ) ."\n"
                 ) .
                 html_tag( 'tr',
                     html_tag( 'td',

plugins/change_password/backend/ldap.php

@@ -646,7 +646,7 @@ function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') {
         break;
     default:
         array_push($msgs,sprintf(_("Unsupported crypto: %s"),
-                                 (is_string($ldap_crypto) ? htmlspecialchars($ldap_crypto) : _("unknown"))));
+                                 (is_string($ldap_crypto) ? sm_encode_html_special_chars($ldap_crypto) : _("unknown"))));
     }
     return $ret;
 }

plugins/change_password/backend/peardb.php

@@ -152,16 +152,16 @@ function cpw_peardb_dochange($data) {
     // connect to database and make sure that table exists
     $cpw_db = DB::connect($cpw_peardb_dsn, $cpw_peardb_connect_opts);
     if (PEAR::isError($cpw_db)) {
-        array_push($msgs,sprintf(_("Connection error: %s"),htmlspecialchars($cpw_db->getMessage())));
+        array_push($msgs,sprintf(_("Connection error: %s"),sm_encode_html_special_chars($cpw_db->getMessage())));
         if ($cpw_peardb_debug)
-            array_push($msgs,htmlspecialchars($cpw_db->getuserinfo()));
+            array_push($msgs,sm_encode_html_special_chars($cpw_db->getuserinfo()));
         return $msgs;
     }
 
     // get table information
     $table_info = $cpw_db->tableinfo($cpw_peardb_table);
     if (PEAR::isError($table_info)) {
-        array_push($msgs,sprintf(_("Invalid table name: %s"),htmlspecialchars($cpw_peardb_table)));
+        array_push($msgs,sprintf(_("Invalid table name: %s"),sm_encode_html_special_chars($cpw_peardb_table)));
         $cpw_db->disconnect();
         return $msgs;
     }
@@ -210,7 +210,7 @@ function cpw_peardb_dochange($data) {
           '');
     $cpw_res=$cpw_db->query($query);
     if (PEAR::isError($cpw_res)) {
-        array_push($msgs,sprintf(_("Query failed: %s"),htmlspecialchars($cpw_res->getMessage())));
+        array_push($msgs,sprintf(_("Query failed: %s"),sm_encode_html_special_chars($cpw_res->getMessage())));
         $cpw_db->disconnect();
         return $msgs;
     }
@@ -284,7 +284,7 @@ function cpw_peardb_dochange($data) {
 
     // check for update error
     if (PEAR::isError($cpw_res)) {
-        array_push($msgs,sprintf(_("Unable to set new password: %s"),htmlspecialchars($cpw_res->getMessage())));
+        array_push($msgs,sprintf(_("Unable to set new password: %s"),sm_encode_html_special_chars($cpw_res->getMessage())));
     }
 
     // close database connection
@@ -427,7 +427,7 @@ function cpw_peardb_passwd_hash($password,$crypto,&$msgs,$forced_salt='') {
         $ret = $password;
         break;
     default:
-        array_push($msgs,sprintf(_("Unsupported crypto: %s"),htmlspecialchars($crypto)));
+        array_push($msgs,sprintf(_("Unsupported crypto: %s"),sm_encode_html_special_chars($crypto)));
     }
     return $ret;
 }

plugins/change_password/options.php

@@ -81,7 +81,7 @@ do_hook('change_password_init', $null);
 if (isset($Messages) && count($Messages) > 0) {
     echo "<tr><td>\n";
     foreach ($Messages as $line) {
-        echo htmlspecialchars($line) . "<br />\n";
+        echo sm_encode_html_special_chars($line) . "<br />\n";
     }
     echo "</td></tr>\n";
 }

plugins/filters/options.php

@@ -180,7 +180,7 @@ if (sqgetGlobalVar('filter_submit',$filter_submit,SQ_POST)) {
                 html_tag( 'td', '', 'left' ) .
                     '<input type="text" size="32" name="filter_what" value="';
         if (isset($filters[$theid]['what'])) {
-            echo htmlspecialchars($filters[$theid]['what']);
+            echo sm_encode_html_special_chars($filters[$theid]['what']);
         }
         echo '" />'.
                 '</td>'.
@@ -243,7 +243,7 @@ if (count($filters)) {
         printf( _("If %s contains %s then move to %s"),
             '<b>'.$filters[$i]['where'].'</b>',
             '<b>'.$filters[$i]['what'].'</b>',
-            '<b>'.htmlspecialchars(imap_utf7_decode_local($fdr)).'</b>');
+            '<b>'.sm_encode_html_special_chars(imap_utf7_decode_local($fdr)).'</b>');
         echo '</td></tr>';
 
     }

plugins/filters/spamoptions.php

@@ -175,7 +175,7 @@ if (isset($action) && $action == 'spam') {
     echo html_tag( 'p', '', 'center' ) .
          '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' .
          ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</div><br /><br />';
-    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) );
+    printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.sm_encode_html_special_chars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) );
     echo '<br />';
     printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' );
     echo '</p>'.

plugins/fortune/functions.php

@@ -50,7 +50,7 @@ function fortune_function() {
     }
 
     $oTemplate->assign('color', $color);
-    $oTemplate->assign('fortune', htmlspecialchars($fortune));
+    $oTemplate->assign('fortune', sm_encode_html_special_chars($fortune));
     $output = $oTemplate->fetch('plugins/fortune/mailbox_index_before.tpl');
     return array('mailbox_index_before' => $output);
 

plugins/info/functions.php

@@ -37,7 +37,7 @@ function get_caps($imap_stream) {
  * @access private
  */
 function imap_test($imap_stream, $string) {
-    print "<tr><td>".htmlspecialchars($string)."</td></tr>";
+    print "<tr><td>".sm_encode_html_special_chars($string)."</td></tr>";
     $response = sqimap_run_command_list($imap_stream, trim($string),false, $responses, $message,false);
     array_push($response, $responses . ' ' .$message);
     return $response;
@@ -55,7 +55,7 @@ function print_response($response) {
             print_response($value);
         }
         else {
-            print htmlspecialchars($value)."<br />\n";
+            print sm_encode_html_special_chars($value)."<br />\n";
         }
     }
 }

plugins/info/options.php

@@ -75,7 +75,7 @@ echo '<br /><div style="text-align: center;"><b>'._("IMAP server information")."
      "</b><br />\n";
 
 foreach($caps_array[0] as $value) {
-    echo htmlspecialchars($value);
+    echo sm_encode_html_special_chars($value);
 }
 
 echo "</td></tr><tr><td>\n";
@@ -92,8 +92,8 @@ if (!isset($submit) || $submit == 'default') {
     }
 }
 else {
-    echo 'folder_prefix = ' . htmlspecialchars($folder_prefix)."<br />\n" .
-         'default_charset = '.htmlspecialchars($default_charset)."\n";
+    echo 'folder_prefix = ' . sm_encode_html_special_chars($folder_prefix)."<br />\n" .
+         'default_charset = '.sm_encode_html_special_chars($default_charset)."\n";
 }
 
 echo "<br /></td></tr></table><br />\n";

plugins/listcommands/mailout.php

@@ -40,13 +40,13 @@ switch ( $action ) {
         $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
         break;
     default:
-        error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)));
+        error_box(sprintf(_("Unknown action: %s"),sm_encode_html_special_chars($action)));
         // display footer (closes html tags) and stop script execution
         $oTemplate->display('footer.tpl');
         exit;
 }
 
-$out_string = sprintf($out_string, '"' . htmlspecialchars($send_to) . '"');
+$out_string = sprintf($out_string, '"' . sm_encode_html_special_chars($send_to) . '"');
 $idents = get_identities();
 $fieldsdescr = listcommands_fieldsdescr();
 $fielddescr = $fieldsdescr[$action];

plugins/listcommands/templates/default/mailout.tpl

@@ -42,7 +42,7 @@ extract($t);
     
     foreach($idents as $nr=>$data) {
         echo '<option value="' . $nr . '">' .
-            htmlspecialchars(
+            sm_encode_html_special_chars(
                     $data['full_name'].' <'.
                     $data['email_address'] . '>') .
             "</option>\n";		    
@@ -53,14 +53,14 @@ extract($t);
 } else {
 
     echo _("From:");
-    echo htmlspecialchars($idents[0]['full_name'].' <'.$idents[0]['email_address'].'>');
+    echo sm_encode_html_special_chars($idents[0]['full_name'].' <'.$idents[0]['email_address'].'>');
 }
 ?>
 <br /><br />
-<input type="hidden" name="send_to" value="<?php echo htmlspecialchars($send_to); ?>" />
-<input type="hidden" name="subject" value="<?php echo htmlspecialchars($subject); ?>" />
-<input type="hidden" name="body" value="<?php echo htmlspecialchars($body); ?>" />
-<input type="hidden" name="mailbox" value="<?php echo htmlspecialchars($mailbox); ?>" />
+<input type="hidden" name="send_to" value="<?php echo sm_encode_html_special_chars($send_to); ?>" />
+<input type="hidden" name="subject" value="<?php echo sm_encode_html_special_chars($subject); ?>" />
+<input type="hidden" name="body" value="<?php echo sm_encode_html_special_chars($body); ?>" />
+<input type="hidden" name="mailbox" value="<?php echo sm_encode_html_special_chars($mailbox); ?>" />
 <input type="submit" name="send1" value="<?php echo _("Send Mail"); ?>" />
 <br />
 </form>

plugins/mail_fetch/fetch.php

@@ -35,7 +35,7 @@ sqgetGlobalVar('delimiter',  $delimiter,  SQ_SESSION);
 function Mail_Fetch_Status($msg) {
     echo html_tag( 'table',
              html_tag( 'tr',
-                 html_tag( 'td', htmlspecialchars( $msg ) , 'left' )
+                 html_tag( 'td', sm_encode_html_special_chars( $msg ) , 'left' )
                  ),
              '', '', 'width="90%"' );
     flush();
@@ -97,7 +97,7 @@ function Mail_Fetch_Select_Server($mailfetch) {
         '<option value="all" selected="selected">..' . _("All") . "...\n";
     for ($i = 0;$i < $mailfetch['server_number'];$i++) {
         echo "<option value=\"$i\">" .
-            htmlspecialchars($mailfetch[$i]['alias']) .
+            sm_encode_html_special_chars($mailfetch[$i]['alias']) .
             '</option>' . "\n";
     }
     echo            '</select>' .
@@ -109,7 +109,7 @@ function Mail_Fetch_Select_Server($mailfetch) {
         if ($mailfetch[$i]['pass'] == '') {
             echo html_tag( 'tr',
                      html_tag( 'td', _("Password for") . ' <b>' .
-                         htmlspecialchars($mailfetch[$i]['alias']) .
+                         sm_encode_html_special_chars($mailfetch[$i]['alias']) .
                          '</b>: &nbsp; &nbsp; ',
                          'right' ) .
                      html_tag( 'td', '<input type="password" name="pass_' . $i . '" />', 'left' )
@@ -177,7 +177,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
             html_tag( 'tr',
                 html_tag( 'td', '<b>' .
                     sprintf(_("Fetching from %s"),
-                        htmlspecialchars($mailfetch[$i_loop]['alias'])) .
+                        sm_encode_html_special_chars($mailfetch[$i_loop]['alias'])) .
                     '</b>',
                 'center' ) ,
             '', $color[9] ) ,
@@ -209,13 +209,13 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
 
     /* log into pop server*/
     if (! $pop3->login($mailfetch_user, $mailfetch_pass)) {
-        Mail_Fetch_Status(_("Login Failed:") . ' ' . htmlspecialchars($pop3->error));
+        Mail_Fetch_Status(_("Login Failed:") . ' ' . sm_encode_html_special_chars($pop3->error));
         continue;
     }
 
     $aMsgStat = $pop3->command_stat();
     if (is_bool($aMsgStat)) {
-        Mail_Fetch_Status(_("Can't get mailbox status:") . ' ' . htmlspecialchars($pop3->error) );
+        Mail_Fetch_Status(_("Can't get mailbox status:") . ' ' . sm_encode_html_special_chars($pop3->error) );
         continue;
     }
 
@@ -229,7 +229,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
             Mail_Fetch_Status(_("Fetching UIDL..."));
             $msglist = $pop3->command_uidl();
             if (is_bool($msglist)) {
-                Mail_Fetch_Status(_("Server does not support UIDL.") . ' '.htmlspecialchars($pop3->error));
+                Mail_Fetch_Status(_("Server does not support UIDL.") . ' '.sm_encode_html_special_chars($pop3->error));
                 // User asked to leave messages on server, but we can't do that.
                 $pop3->command_quit();
                 continue;
@@ -284,7 +284,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
         $Message = $pop3->command_retr($i);
 
         if (is_bool($Message)) {
-            Mail_Fetch_Status(htmlspecialchars($pop3->error));
+            Mail_Fetch_Status(sm_encode_html_special_chars($pop3->error));
             continue;
         }
 
@@ -297,7 +297,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
             $response=(implode('',$response));
             $message=(implode('',$message));
             if ($response != 'OK') {
-                Mail_Fetch_Status(_("Error Appending Message!")." ".htmlspecialchars($message) );
+                Mail_Fetch_Status(_("Error Appending Message!")." ".sm_encode_html_special_chars($message) );
                 Mail_Fetch_Status(_("Closing POP"));
                 $pop3->command_quit();
                 Mail_Fetch_Status(_("Logging out from IMAP"));
@@ -316,7 +316,7 @@ for ($i_loop=$i_start;$i_loop<$i_stop;$i_loop++) {
                 if( $pop3->command_dele($i) ) {
                     Mail_Fetch_Status(sprintf(_("Message %d deleted from remote server!"), $i));
                 } else {
-                    Mail_Fetch_Status(_("Delete failed:") . htmlspecialchars($pop3->error) );
+                    Mail_Fetch_Status(_("Delete failed:") . sm_encode_html_special_chars($pop3->error) );
                 }
             }
         } else {

plugins/mail_fetch/functions.php

@@ -139,7 +139,7 @@ function mail_fetch_login_function() {
 
             $aMsgStat = $pop3->command_stat();
             if (is_bool($aMsgStat)) {
-                $outMsg .= _("Can't get mailbox status:") . ' ' . htmlspecialchars($pop3->error);
+                $outMsg .= _("Can't get mailbox status:") . ' ' . sm_encode_html_special_chars($pop3->error);
                 continue;
             }
 
@@ -152,7 +152,7 @@ function mail_fetch_login_function() {
                 if ($mailfetch_lmos == 'on') {
                     $msglist = $pop3->command_uidl();
                     if (is_bool($msglist)) {
-                        $outMsg .= _("Server does not support UIDL.") . ' '.htmlspecialchars($pop3->error);
+                        $outMsg .= _("Server does not support UIDL.") . ' '.sm_encode_html_special_chars($pop3->error);
                         // User asked to leave messages on server, but we can't do that.
                         $pop3->command_quit();
                         continue;
@@ -191,7 +191,7 @@ function mail_fetch_login_function() {
                 $Message = $pop3->command_retr($i);
 
                 if (is_bool($Message)) {
-                    $outMsg .= _("Warning:") . ' ' . htmlspecialchars($pop3->error);
+                    $outMsg .= _("Warning:") . ' ' . sm_encode_html_special_chars($pop3->error);
                     continue;
                 }
 
@@ -212,7 +212,7 @@ function mail_fetch_login_function() {
                     $response=(implode('',$response));
                     $message=(implode('',$message));
                     if ($response != 'OK') {
-                        $outMsg .= _("Error Appending Message!")." ".htmlspecialchars($message);
+                        $outMsg .= _("Error Appending Message!")." ".sm_encode_html_special_chars($message);
 
                         if ($mailfetch_lmos == 'on') {
                             setPref($data_dir,$username,"mailfetch_uidl_$i_loop", $msglist[$i-1]);

plugins/mail_fetch/options.php

@@ -342,7 +342,7 @@ switch( $mf_action ) {
          echo '<b>' . _("Server Name:") . '</b> <select name="mf_sn">';
          for ($i=0;$i<$mailfetch_server_number;$i++) {
              echo "<option value=\"$i\">" .
-                 htmlspecialchars( (($mailfetch_alias_[$i]=='')?$mailfetch_server_[$i]:$mailfetch_alias_[$i])) . "</option>";
+                 sm_encode_html_special_chars( (($mailfetch_alias_[$i]=='')?$mailfetch_server_[$i]:$mailfetch_alias_[$i])) . "</option>";
          }
          echo '</select>'.
              '&nbsp;&nbsp;<input type="submit" name="mf_action_mod" value="' . _("Modify") . '" />'.
@@ -368,7 +368,7 @@ switch( $mf_action ) {
                  html_tag( 'td',
                      "<input type=\"hidden\" name=\"mf_sn\" value=\"$mf_sn\" />" .
                      '<input type="hidden" name="mf_action" value="confirm_delete" />' .
-                     '<br />' . _("Selected Server:") . " <b>" . htmlspecialchars($mailfetch_server_[$mf_sn]) . "</b><br />" .
+                     '<br />' . _("Selected Server:") . " <b>" . sm_encode_html_special_chars($mailfetch_server_[$mf_sn]) . "</b><br />" .
                      _("Confirm delete of selected server?") . '<br /><br />' .
                      '<input type="submit" name="submit_mailfetch" value="' . _("Confirm Delete") . '" />' .
                      '<br /></form>' ,
@@ -396,27 +396,27 @@ switch( $mf_action ) {
              html_tag( 'tr',
                  html_tag( 'th', _("Server:"), 'right' ) .
                  html_tag( 'td', '<input type="text" name="mf_server" value="' .
-                           htmlspecialchars($mailfetch_server_[$mf_sn]) . '" size="40" />', 'left' )
+                           sm_encode_html_special_chars($mailfetch_server_[$mf_sn]) . '" size="40" />', 'left' )
                        ) .
              html_tag( 'tr',
                  html_tag( 'th', _("Port:"), 'right' ) .
                  html_tag( 'td', '<input type="text" name="mf_port" value="' .
-                           htmlspecialchars($mailfetch_port_[$mf_sn]) . '" size="40" />', 'left' )
+                           sm_encode_html_special_chars($mailfetch_port_[$mf_sn]) . '" size="40" />', 'left' )
                        ) .
              html_tag( 'tr',
                  html_tag( 'th', _("Alias:"), 'right' ) .
                  html_tag( 'td', '<input type="text" name="mf_alias" value="' .
-                           htmlspecialchars($mailfetch_alias_[$mf_sn]) . '" size="40" />', 'left' )
+                           sm_encode_html_special_chars($mailfetch_alias_[$mf_sn]) . '" size="40" />', 'left' )
                        ) .
              html_tag( 'tr',
                  html_tag( 'th', _("Username:"), 'right' ) .
                  html_tag( 'td', '<input type="text" name="mf_user" value="' .
-                           htmlspecialchars($mailfetch_user_[$mf_sn]) . '" size="20" />', 'left' )
+                           sm_encode_html_special_chars($mailfetch_user_[$mf_sn]) . '" size="20" />', 'left' )
                        ) .
              html_tag( 'tr',
                  html_tag( 'th', _("Password:"), 'right' ) .
                  html_tag( 'td', '<input type="password" name="mf_pass" value="' .
-                           htmlspecialchars($mailfetch_pass_[$mf_sn]) . '" size="20" />', 'left' )
+                           sm_encode_html_special_chars($mailfetch_pass_[$mf_sn]) . '" size="20" />', 'left' )
                        ) .
              html_tag( 'tr',
                  html_tag( 'th', _("Authentication type:"), 'right' ) .

plugins/message_details/message_details_bottom.php

@@ -260,7 +260,7 @@ function get_message_details($mailbox, $passed_id, $passed_ent_id=0, $stripHTML=
                             $entities["$entStr"]['contenttype']=$reg[2].'/'.$reg[3];
                         }
                     } else if (!$nameset && preg_match("/^.*(name=\s*)\"(.*)\".*/i",$line,$reg)) {
-                        $name = htmlspecialchars($reg[2]);
+                        $name = sm_encode_html_special_chars($reg[2]);
                         $content[$content_indx]['name'] = decodeHeader($name);
                         $nameset = true;
                         if (isset($entities["$entStr"])) {
@@ -285,7 +285,7 @@ function get_message_details($mailbox, $passed_id, $passed_ent_id=0, $stripHTML=
         if ($stripHTML) {
             $message_body .= $line . "\r\n";
         } else {
-            $line = htmlspecialchars($line);
+            $line = sm_encode_html_special_chars($line);
             if ($msgd_8bit_in_hex) $line = msgd_convert_to_hex($line);
             $message_body .= "$pre"."$line"."$end"."\r\n";
         }

plugins/newmail/functions.php

@@ -691,7 +691,7 @@ function newmail_media_embed_close($type) {
 /**
  * Converts media attributes to string
  * Warning:
- * * attribute values are automatically sanitized by htmlspecialchars()
+ * * attribute values are automatically sanitized by sm_encode_html_special_chars()
  * * This is internal function, use newmail_media_objects() instead
  * @param array $args array with object attributes
  * @return string string with object attributes
@@ -699,7 +699,7 @@ function newmail_media_embed_close($type) {
 function newmail_media_prepare_args($args) {
     $ret_args='';
     foreach ($args as $arg => $value) {
-        $ret_args.= $arg . '="' . htmlspecialchars($value) . '" ';
+        $ret_args.= $arg . '="' . sm_encode_html_special_chars($value) . '" ';
     }
     return $ret_args;
 }

plugins/newmail/newmail_opt.php

@@ -153,8 +153,8 @@ if ($newmail_allowsound) {
             if ($entry == $newmail_media) {
                 echo 'selected="selected" ';
             }
-            echo 'value="' . htmlspecialchars($entry) . '">' .
-                htmlspecialchars($entry) . "</option>\n";
+            echo 'value="' . sm_encode_html_special_chars($entry) . '">' .
+                sm_encode_html_special_chars($entry) . "</option>\n";
         }
     }
     $d->close();
@@ -165,7 +165,7 @@ if ($newmail_allowsound) {
             echo 'selected="selected" ';
         }
         echo 'value="mmedia_' . $newmail_mm_name . '">'
-            .htmlspecialchars($newmail_mm_name) . "</option>\n";
+            .sm_encode_html_special_chars($newmail_mm_name) . "</option>\n";
     }
 
     if($newmail_uploadsounds) {
@@ -205,7 +205,7 @@ if ($newmail_allowsound) {
         // display currently uploaded file information
         echo  html_tag('tr')
             . html_tag('td',_("Uploaded Media File:"),'right','','style="white-space: nowrap;"')
-            . html_tag('td',($newmail_userfile_name!='' ? htmlspecialchars($newmail_userfile_name) : _("unavailable")))
+            . html_tag('td',($newmail_userfile_name!='' ? sm_encode_html_special_chars($newmail_userfile_name) : _("unavailable")))
             ."</tr>\n";
 
         if ($newmail_userfile_name!='') {
@@ -218,8 +218,8 @@ if ($newmail_allowsound) {
     echo html_tag( 'tr', "\n" .
                 html_tag( 'td', _("Current File:"), 'right', '', 'style="white-space: nowrap;"' ) .
                     html_tag( 'td', '<input type="hidden" value="' .
-                        htmlspecialchars($newmail_media) . '" name="media_default" />' .
-                        htmlspecialchars($media_output) . '', 'left' )
+                        sm_encode_html_special_chars($newmail_media) . '" name="media_default" />' .
+                        sm_encode_html_special_chars($media_output) . '', 'left' )
              ) . "\n";
 }
 echo html_tag( 'tr', "\n" .

plugins/spamcop/options.php

@@ -143,7 +143,7 @@ spamcop_load_function();
             '<small>(' . _("see below") . ')</small>','right','','valign="top"');
           ?>
           <td valign="top"><form method="post" action="options.php">
-            <input type="text" size="30" name="ID" value="<?php echo htmlspecialchars($spamcop_id) ?>" />
+            <input type="text" size="30" name="ID" value="<?php echo sm_encode_html_special_chars($spamcop_id) ?>" />
             <input type="hidden" name="action" value="save_id" />
             <?php
               echo '<input type="submit" value="' . _("Save ID") . "\" />\n";

plugins/spamcop/spamcop.php

@@ -120,8 +120,8 @@ echo "</p>";
   echo '<input type="button" value="' . _("Close Window") . "\" onclick=\"window.close(); return true;\" />\n";
 } else {
    ?><form method="post" action="<?php echo sqm_baseuri(); ?>src/right_main.php">
-  <input type="hidden" name="mailbox" value="<?php echo htmlspecialchars($mailbox) ?>" />
-  <input type="hidden" name="startMessage" value="<?php echo htmlspecialchars($startMessage) ?>" />
+  <input type="hidden" name="mailbox" value="<?php echo sm_encode_html_special_chars($mailbox) ?>" />
+  <input type="hidden" name="startMessage" value="<?php echo sm_encode_html_special_chars($startMessage) ?>" />
 <?php
   echo '<input type="submit" value="' . _("Cancel / Done") . "\" />";
 }
@@ -137,9 +137,9 @@ echo "</p>";
    $form_action = sqm_baseuri() . 'src/compose.php';
 ?>  <form method="post" action="<?php echo $form_action?>">
   <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token() ?>" />
-  <input type="hidden" name="mailbox" value="<?php echo htmlspecialchars($mailbox) ?>" />
-  <input type="hidden" name="spamcop_is_composing" value="<?php echo htmlspecialchars($passed_id) ?>" />
-  <input type="hidden" name="send_to" value="<?php echo htmlspecialchars($report_email)?>" />
+  <input type="hidden" name="mailbox" value="<?php echo sm_encode_html_special_chars($mailbox) ?>" />
+  <input type="hidden" name="spamcop_is_composing" value="<?php echo sm_encode_html_special_chars($passed_id) ?>" />
+  <input type="hidden" name="send_to" value="<?php echo sm_encode_html_special_chars($report_email)?>" />
   <input type="hidden" name="subject" value="reply anyway" />
   <input type="hidden" name="identity" value="0" />
   <input type="hidden" name="session" value="<?php echo $session?>" />
@@ -163,7 +163,7 @@ echo "</p>";
    } ?>
   <input type="hidden" name="action" value="submit" />
   <input type="hidden" name="oldverbose" value="1" />
-  <input type="hidden" name="spam" value="<?php echo htmlspecialchars($spam_message); ?>" />
+  <input type="hidden" name="spam" value="<?php echo sm_encode_html_special_chars($spam_message); ?>" />
     <?php
         echo '<input type="submit" name="x1" value="' . _("Send Spam Report") . "\" />\n";
     }

plugins/squirrelspell/modules/check_me.mod

@@ -106,7 +106,7 @@ if ($SQSPELL_SPELLCHECKER===1) {
  */
 if (!empty($check->error)) {
   $msg= '<div style="text-align: center;">'
-      . nl2br(htmlspecialchars($check->error))
+      . nl2br(sm_encode_html_special_chars($check->error))
      . '<form onsubmit="return false">'
      . '<input type="submit" value="  ' . _("Close")
      . '  " onclick="self.close()" /></form></div>';
@@ -125,7 +125,7 @@ $results = $check->check_text($sqspell_new_text);
  */
 if (!empty($check->error)) {
   $msg= '<div style="text-align: center;">'
-      . nl2br(htmlspecialchars($check->error))
+      . nl2br(sm_encode_html_special_chars($check->error))
      . '<form onsubmit="return false">'
      . '<input type="submit" value="  ' . _("Close")
      . '  " onclick="self.close()" /></form></div>';
@@ -153,7 +153,7 @@ if (is_array($results)) {
     }
 } else {
     if (!empty($check->error)) {
-        $error_msg = nl2br(htmlspecialchars($check->error));
+        $error_msg = nl2br(sm_encode_html_special_chars($check->error));
     } else {
         $error_msg = _("Unknown error");
     }

plugins/squirrelspell/modules/edit_dic.mod

@@ -61,9 +61,9 @@ foreach ($langs as $lang) {
         $msg .= "</td><td valign=\"top\">\n";
       }
       $msg .= "<input type=\"checkbox\" name=\"words_ary[]\" "
-        . 'value="'.htmlspecialchars($lang_words[$j]). '" id="words_ary_'
+        . 'value="'.sm_encode_html_special_chars($lang_words[$j]). '" id="words_ary_'
         . $j . '" /> <label for="words_ary_' . $j .'">'
-        . htmlspecialchars($lang_words[$j]) . "</label><br />\n";
+        . sm_encode_html_special_chars($lang_words[$j]) . "</label><br />\n";
     }
     $msg .= '</td></tr></table></td></tr>'
       . "<tr bgcolor=\"$color[0]\" align=\"center\"><td>"

plugins/squirrelspell/modules/forget_me.mod

@@ -40,7 +40,7 @@ if (! empty($words_ary)){
 
   // print list of deleted words
   foreach ($words_ary as $deleted_word) {
-    $msg.= '<li>'.htmlspecialchars($deleted_word)."</li>\n";
+    $msg.= '<li>'.sm_encode_html_special_chars($deleted_word)."</li>\n";
   }
 
   // rebuild dictionary

plugins/squirrelspell/modules/lang_change.mod

@@ -42,7 +42,7 @@ foreach ($use_langs as $lang) {
 if (sizeof($new_langs)>1) {
   $dsp_string = '';
   foreach( $new_langs as $a) {
-    $dsp_string .= _(htmlspecialchars(trim($a))) . _(", ");
+    $dsp_string .= _(sm_encode_html_special_chars(trim($a))) . _(", ");
   }
   // remove last comma and space
   $dsp_string = substr( $dsp_string, 0, -2 );
@@ -52,15 +52,15 @@ if (sizeof($new_langs)>1) {
   // make sure that you don't use html codes in language name translations
   $msg = '<p>'
     . sprintf(_("Settings adjusted to: %s with %s as default dictionary."),
-             '<strong>'.htmlspecialchars($dsp_string).'</strong>',
-             '<strong>'.htmlspecialchars(_($lang_default)).'</strong>')
+             '<strong>'.sm_encode_html_special_chars($dsp_string).'</strong>',
+             '<strong>'.sm_encode_html_special_chars(_($lang_default)).'</strong>')
     . '</p>';
 } else {
   /**
    * Only one dictionary is selected.
    */
   $msg = '<p>'
-    . sprintf(_("Using %s dictionary for spellcheck." ), '<strong>'.htmlspecialchars(_($new_langs[0])).'</strong>')
+    . sprintf(_("Using %s dictionary for spellcheck." ), '<strong>'.sm_encode_html_special_chars(_($new_langs[0])).'</strong>')
     . '</p>';
 }
 

plugins/squirrelspell/sqspell_functions.php

@@ -849,12 +849,12 @@ function sqspell_handle_crypt_panic($lang=false) {
     .  _("SquirrelSpell was unable to decrypt your personal dictionary. This is most likely due to the fact that you have changed your mailbox password. In order to proceed, you will have to supply your old password so that SquirrelSpell can decrypt your personal dictionary. It will be re-encrypted with your new password after this. If you haven't encrypted your dictionary, then it got mangled and is no longer valid. You will have to delete it and start anew. This is also true if you don't remember your old password -- without it, the encrypted data is no longer accessible.") ,
     'left' ) .  "\n"
     . (($lang) ? html_tag('p',sprintf(_("Your %s dictionary is encrypted with password that differs from your current password."),
-                                      htmlspecialchars($lang)),'left') : '')
+                                      sm_encode_html_special_chars($lang)),'left') : '')
     . '<blockquote>' . "\n"
     . '<form method="post" onsubmit="return AYS()">' . "\n"
     . '<input type="hidden" name="MOD" value="crypto_badkey" />' . "\n"
     . (($lang) ?
-       '<input type="hidden" name="dict_lang" value="'.htmlspecialchars($lang).'" />' :
+       '<input type="hidden" name="dict_lang" value="'.sm_encode_html_special_chars($lang).'" />' :
        '<input type="hidden" name="old_setup" value="yes" />')
     . html_tag( 'p',  "\n" .
         '<input type="checkbox" name="delete_words" value="ON" id="delete_words" />'

plugins/translate/functions.php

@@ -456,7 +456,7 @@ function translate_new_form($action,$charset=null) {
     }
 
     if (! is_null($charset))
-        echo ' accept-charset="'.htmlspecialchars($charset).'"';
+        echo ' accept-charset="'.sm_encode_html_special_chars($charset).'"';
 
     echo ">\n";
 

src/addrbook_search.php

@@ -70,7 +70,7 @@ set_my_charset();
 
 /* Empty search */
 if (empty($query) && empty($show) && !isset($listall)) {
-    $oTemplate->assign('note', htmlspecialchars(_("No persons matching your search were found")));
+    $oTemplate->assign('note', sm_encode_html_special_chars(_("No persons matching your search were found")));
     $oTemplate->display('note.tpl');
 #    exit;
 }
@@ -125,7 +125,7 @@ if ($show == 'form' && ! isset($listall)) {
         }
 
         if (!is_array($res)) {
-            plain_error_message( _("Your search failed with the following error(s)") .':<br />'. nl2br(htmlspecialchars($abook->error)) );
+            plain_error_message( _("Your search failed with the following error(s)") .':<br />'. nl2br(sm_encode_html_special_chars($abook->error)) );
         } elseif (sizeof($res) == 0) {
             $oTemplate->assign('note', _("No persons matching your search were found"));
             $oTemplate->display('note.tpl');

src/addrbook_search_html.php

@@ -157,7 +157,7 @@ if ($addrquery == '' || ! empty($listall)) {
     }
 
     if (!is_array($res)) {
-        plain_error_message(_("Your search failed with the following error(s)") .':<br />'. nl2br(htmlspecialchars($abook->error)));
+        plain_error_message(_("Your search failed with the following error(s)") .':<br />'. nl2br(sm_encode_html_special_chars($abook->error)));
     } elseif (sizeof($res) == 0) {
         $oTemplate->assign('note', _("No persons matching your search were found"));
         $oTemplate->display('note.tpl');

src/addressbook.php

@@ -233,7 +233,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
                         $olddata = $abook->lookup($enick, $ebackend);
                         // Test if $olddata really contains anything and return an error message if it doesn't
                         if (!$olddata) {
-                            error_box(nl2br(htmlspecialchars($abook->error)));
+                            error_box(nl2br(sm_encode_html_special_chars($abook->error)));
                         } else {
                             /* Display the "new address" form */
                             echo abook_create_form($form_url, 'editaddr',
@@ -255,7 +255,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
                     /* Handle error messages */
                     if (!$r) {
                         /* Display error */
-                        plain_error_message( nl2br(htmlspecialchars($abook->error)));
+                        plain_error_message( nl2br(sm_encode_html_special_chars($abook->error)));
 
                         /* Display the "new address" form again */
                         echo abook_create_form($form_url, 'editaddr',
@@ -299,7 +299,7 @@ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'P
 
 /* Display error messages */
 if (!empty($formerror)) {
-    plain_error_message(nl2br(htmlspecialchars($formerror)));
+    plain_error_message(nl2br(sm_encode_html_special_chars($formerror)));
 }
 
 
@@ -326,7 +326,7 @@ while (list($k, $backend) = each ($abook->backends)) {
             $addresses[$backend->bnum] = $a;
         } else {
             // list_addr() returns boolean
-            plain_error_message(nl2br(htmlspecialchars($abook->error)));
+            plain_error_message(nl2br(sm_encode_html_special_chars($abook->error)));
         }
     } else {
         $addresses[$backend->bnum] = $a;

src/compose.php

@@ -1346,10 +1346,10 @@ function showInputForm ($session, $values=false) {
     $oTemplate->assign('identity_def', $identity);
     $oTemplate->assign('input_onfocus', 'onfocus="'.join(' ', $onfocus_array).'"');
 
-    $oTemplate->assign('to', htmlspecialchars($send_to));
-    $oTemplate->assign('cc', htmlspecialchars($send_to_cc));
-    $oTemplate->assign('bcc', htmlspecialchars($send_to_bcc));
-    $oTemplate->assign('subject', htmlspecialchars($subject));
+    $oTemplate->assign('to', sm_encode_html_special_chars($send_to));
+    $oTemplate->assign('cc', sm_encode_html_special_chars($send_to_cc));
+    $oTemplate->assign('bcc', sm_encode_html_special_chars($send_to_bcc));
+    $oTemplate->assign('subject', sm_encode_html_special_chars($subject));
 
     // access keys...
     //
@@ -1385,9 +1385,9 @@ function showInputForm ($session, $values=false) {
             } else {
                 $body_str = "\n\n".($prefix_sig==true? "-- \n":'').decodeHeader($signature,false,false);
             }
-            $body_str .= "\n\n".htmlspecialchars(decodeHeader($body,false,false));
+            $body_str .= "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false));
         } else {
-            $body_str = "\n\n".htmlspecialchars(decodeHeader($body,false,false));
+            $body_str = "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false));
             // FIXME: test is specific to ja_JP translation implementation. See above comments.
             if ($default_charset == 'iso-2022-jp') {
                 $body_str .= "\n\n".($prefix_sig==true? "-- \n":'').mb_convert_encoding($signature, 'EUC-JP');
@@ -1396,7 +1396,7 @@ function showInputForm ($session, $values=false) {
             }
         }
     } else {
-        $body_str = htmlspecialchars(decodeHeader($body,false,false));
+        $body_str = sm_encode_html_special_chars(decodeHeader($body,false,false));
     }
 
     $oTemplate->assign('editor_width', (int)$editor_size);
@@ -1811,7 +1811,7 @@ function deliverMessage(&$composeMessage, $draft=false) {
             $composeMessage->purgeAttachments();
             return $success;
         } else {
-            $msg  = '<br />'.sprintf(_("Error: Draft folder %s does not exist."), htmlspecialchars($draft_folder));
+            $msg  = '<br />'.sprintf(_("Error: Draft folder %s does not exist."), sm_encode_html_special_chars($draft_folder));
             plain_error_message($msg);
             return false;
         }
@@ -1832,7 +1832,7 @@ function deliverMessage(&$composeMessage, $draft=false) {
             $msg .= '<br />'
                   . _("Server replied:") . ' '
                   . (isset($deliver->dlv_ret_nr) ? $deliver->dlv_ret_nr . ' ' : '')
-                  . nl2br(htmlspecialchars($deliver->dlv_server_msg));
+                  . nl2br(sm_encode_html_special_chars($deliver->dlv_server_msg));
         }
         plain_error_message($msg);
     } else {

src/configtest.php

@@ -267,7 +267,7 @@ else if (strpos($variables_order, 'G') === FALSE
  || strpos($variables_order, 'P') === FALSE
  || strpos($variables_order, 'C') === FALSE
  || strpos($variables_order, 'S') === FALSE) {
-    do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . htmlspecialchars($variables_order) . '"', true);
+    do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . sm_encode_html_special_chars($variables_order) . '"', true);
 } else {
     echo $IND . "variables_order OK: $variables_order.<br />\n";
 }
@@ -283,7 +283,7 @@ if (!check_php_version(5)) {
     else if (strpos($gpc_order, 'G') === FALSE
      || strpos($gpc_order, 'P') === FALSE
      || strpos($gpc_order, 'C') === FALSE) {
-        do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . htmlspecialchars($gpc_order) . '"', true);
+        do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . sm_encode_html_special_chars($gpc_order) . '"', true);
     } else {
         echo $IND . "gpc_order OK: $gpc_order.<br />\n";
     }
@@ -479,7 +479,7 @@ if (isset($plugins[0])) {
 
         // if plugin outputs more than newlines and spacing, stop script execution.
         if (!empty($output)) {
-            $plugin_load_error = 'Some output was produced when plugin <i>' . $name . '</i> was loaded.  Usually this means there is an error in the plugin\'s setup or configuration file.  The output was: '.htmlspecialchars($output);
+            $plugin_load_error = 'Some output was produced when plugin <i>' . $name . '</i> was loaded.  Usually this means there is an error in the plugin\'s setup or configuration file.  The output was: '.sm_encode_html_special_chars($output);
             do_err($plugin_load_error);
         }
     }
@@ -588,9 +588,9 @@ if ( $squirrelmail_default_language != 'en_US' ) {
     echo $IND . "Default language OK.<br />\n";
 }
 
-echo $IND . "Base URL detected as: <tt>" . htmlspecialchars($test_location) .
+echo $IND . "Base URL detected as: <tt>" . sm_encode_html_special_chars($test_location) .
     "</tt> (location base " . (empty($config_location_base) ? 'autodetected' : 'set to <tt>' .
-    htmlspecialchars($config_location_base)."</tt>") . ")<br />\n";
+    sm_encode_html_special_chars($config_location_base)."</tt>") . ")<br />\n";
 
 /* check minimal requirements for other security options */
 
@@ -635,14 +635,14 @@ if($useSendmail) {
             $errorNumber, $errorString);
     if(!$stream) {
         do_err("Error connecting to SMTP server \"$smtpServerAddress:$smtpPort\".".
-                "Server error: ($errorNumber) ".htmlspecialchars($errorString));
+                "Server error: ($errorNumber) ".sm_encode_html_special_chars($errorString));
     }
 
     // check for SMTP code; should be 2xx to allow us access
     $smtpline = fgets($stream, 1024);
     if(((int) $smtpline{0}) > 3) {
         do_err("Error connecting to SMTP server. Server error: ".
-                htmlspecialchars($smtpline));
+                sm_encode_html_special_chars($smtpline));
     }
 
     /* smtp starttls checks */
@@ -694,7 +694,7 @@ if($useSendmail) {
         $starttls_response=fgets($stream, 1024);
         if ($starttls_response[0]!=2) {
             $starttls_cmd_err = 'SMTP STARTTLS failed. Server replied: '
-                .htmlspecialchars($starttls_response);
+                .sm_encode_html_special_chars($starttls_response);
             do_err($starttls_cmd_err);
         } elseif(! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
             do_err('Failed to enable encryption on SMTP STARTTLS connection.');
@@ -707,7 +707,7 @@ if($useSendmail) {
     fputs($stream, 'QUIT');
     fclose($stream);
     echo $IND . 'SMTP server OK (<tt><small>'.
-            trim(htmlspecialchars($smtpline))."</small></tt>)<br />\n";
+            trim(sm_encode_html_special_chars($smtpline))."</small></tt>)<br />\n";
 
     /* POP before SMTP */
     if($pop_before_smtp) {
@@ -715,13 +715,13 @@ if($useSendmail) {
         $stream = fsockopen($pop_before_smtp_host, 110, $err_no, $err_str);
         if (!$stream) {
             do_err("Error connecting to POP Server ($pop_before_smtp_host:110) "
-                . $err_no . ' : ' . htmlspecialchars($err_str));
+                . $err_no . ' : ' . sm_encode_html_special_chars($err_str));
         }
 
         $tmp = fgets($stream, 1024);
         if (substr($tmp, 0, 3) != '+OK') {
             do_err("Error connecting to POP Server ($pop_before_smtp_host:110)"
-                . ' '.htmlspecialchars($tmp));
+                . ' '.sm_encode_html_special_chars($tmp));
         }
         fputs($stream, 'QUIT');
         fclose($stream);
@@ -740,18 +740,18 @@ $stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress, $imapPor
 if(!$stream) {
     do_err("Error connecting to IMAP server \"$imapServerAddress:$imapPort\".".
             "Server error: ($errorNumber) ".
-            htmlspecialchars($errorString));
+            sm_encode_html_special_chars($errorString));
 }
 
 /** Is the first response 'OK'? */
 $imapline = fgets($stream, 1024);
 if(substr($imapline, 0,4) != '* OK') {
     do_err('Error connecting to IMAP server. Server error: '.
-            htmlspecialchars($imapline));
+            sm_encode_html_special_chars($imapline));
 }
 
 echo $IND . 'IMAP server ready (<tt><small>'.
-    htmlspecialchars(trim($imapline))."</small></tt>)<br />\n";
+    sm_encode_html_special_chars(trim($imapline))."</small></tt>)<br />\n";
 
 /** Check capabilities */
 fputs($stream, "A001 CAPABILITY\r\n");
@@ -773,7 +773,7 @@ if ($use_imap_tls===2 && stristr($capline, 'STARTTLS') === false) {
     $starttls_line=fgets($stream, 1024);
     if (! preg_match("/^A002 OK.*/i",$starttls_line)) {
         $imap_starttls_err = 'IMAP STARTTLS failed. Server replied: '
-            .htmlspecialchars($starttls_line);
+            .sm_encode_html_special_chars($starttls_line);
         do_err($imap_starttls_err);
     } elseif (! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
         do_err('Failed to enable encryption on IMAP connection.');
@@ -793,7 +793,7 @@ if ($use_imap_tls===2 && stristr($capline, 'STARTTLS') === false) {
     }
 }
 
-echo $IND . 'Capabilities: <tt>'.htmlspecialchars($capline)."</tt><br />\n";
+echo $IND . 'Capabilities: <tt>'.sm_encode_html_special_chars($capline)."</tt><br />\n";
 
 if($imap_auth_mech == 'login' && stristr($capline, 'LOGINDISABLED') !== FALSE) {
     do_err('Your server doesn\'t allow plaintext logins. '.
@@ -854,7 +854,7 @@ if (function_exists('gettext')) {
                     $display_locale = $setlocale;
                     $locale_count = 1;
                 }
-                $tested_locales_msg = 'Tested '.htmlspecialchars($display_locale).' '
+                $tested_locales_msg = 'Tested '.sm_encode_html_special_chars($display_locale).' '
                     .($locale_count>1 ? 'locales':'locale'). '.';
 
                 echo $IND . $IND .$IND . $lang_data['NAME'].' (' .$lang_code. ') - ';
@@ -865,7 +865,7 @@ if (function_exists('gettext')) {
                 } else {
                     echo 'supported. '
                         .$tested_locales_msg
-                        .' setlocale() returned "'.htmlspecialchars($retlocale).'"';
+                        .' setlocale() returned "'.sm_encode_html_special_chars($retlocale).'"';
                 }
                 echo "<br />\n";
             }
@@ -918,7 +918,7 @@ if ( (!ini_get('safe_mode')) || function_exists('date_default_timezone_set') ||
     echo "Webmail users can't change their time zone settings. \n";
 }
 if (isset($_ENV['TZ'])) {
-    echo 'Default time zone is '.htmlspecialchars($_ENV['TZ']);
+    echo 'Default time zone is '.sm_encode_html_special_chars($_ENV['TZ']);
 } else {
     echo 'Current time zone is '.date('T');
 }
@@ -977,7 +977,7 @@ if($addrbook_dsn || $prefs_dsn || $addrbook_global_dsn) {
 
             $dbh = DB::connect($dsn, true);
             if (DB::isError($dbh)) {
-                do_err('Database error: '. htmlspecialchars(DB::errorMessage($dbh)) .
+                do_err('Database error: '. sm_encode_html_special_chars(DB::errorMessage($dbh)) .
                         ' in ' .$type .' DSN.');
             }
             $dbh->disconnect();

src/folders.php

@@ -112,7 +112,7 @@ if ( sqgetGlobalVar('smaction', $action, SQ_POST) ) {
 }
 
 if (isset($td_str)) {
-    $oTemplate->assign('note', htmlspecialchars($td_str));
+    $oTemplate->assign('note', sm_encode_html_special_chars($td_str));
     $oTemplate->display('note.tpl');
 }
 
@@ -197,8 +197,8 @@ if ($show_only_subscribed_folders && !$no_list_for_subscribe) {
     	}
     
     	if ($use_folder) {
-    	    $box_enc  = htmlspecialchars($box_a['unformatted-dm']);
-    	    $box_disp = htmlspecialchars(imap_utf7_decode_local($box_a['unformatted-disp']));
+    	    $box_enc  = sm_encode_html_special_chars($box_a['unformatted-dm']);
+    	    $box_disp = sm_encode_html_special_chars(imap_utf7_decode_local($box_a['unformatted-disp']));
             $subbox_option_list[] = array( 'Value' => $box_enc, 'Display' => $box_disp);
     	}
     }

src/login.php

@@ -63,7 +63,7 @@ $username_form_name = 'login_username';
 $password_form_name = 'secretkey';
 do_hook('login_cookie', $null);
 
-$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? htmlspecialchars($loginname) : '');
+$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? sm_encode_html_special_chars($loginname) : '');
 
 //FIXME: should be part of the template, not the core!
 /* Output the javascript onload function. */

src/options_highlight.php

@@ -124,10 +124,10 @@ $rules = array();
 foreach($message_highlight_list as $index=>$rule) {
     $a = array();
     
-    $a['Name'] = htmlspecialchars($rule['name']);
+    $a['Name'] = sm_encode_html_special_chars($rule['name']);
     $a['Color'] = $rule['color'];
     $a['MatchField'] = '';
-    $a['MatchValue'] = htmlspecialchars($rule['value']);
+    $a['MatchValue'] = sm_encode_html_special_chars($rule['value']);
     switch ($rule['match_type']) {
             case 'from' :
                 $a['MatchField'] = _("From");

src/options_identities.php

@@ -80,10 +80,10 @@ foreach ($identities as $key=>$ident) {
     $a['Title'] = $key==0 ? _("Default Identity") : sprintf(_("Alternate Identity %d"), $key);
     $a['New'] = false;
     $a['Default'] = $key==0;
-    $a['FullName'] = htmlspecialchars($ident['full_name']);
-    $a['Email'] = htmlspecialchars($ident['email_address']);
-    $a['ReplyTo'] = htmlspecialchars($ident['reply_to']);
-    $a['Signature'] = htmlspecialchars($ident['signature']);
+    $a['FullName'] = sm_encode_html_special_chars($ident['full_name']);
+    $a['Email'] = sm_encode_html_special_chars($ident['email_address']);
+    $a['ReplyTo'] = sm_encode_html_special_chars($ident['reply_to']);
+    $a['Signature'] = sm_encode_html_special_chars($ident['signature']);
     $i[$key] = $a;
 }
 
@@ -195,7 +195,7 @@ function ShowIdentityInfo($title, $identity, $id ) {
  * Creates html formated table row with input field
  * @param string $title Name displayed next to input field
  * @param string $name Name of input field
- * @param string $data Default value of input field (data is sanitized with htmlspecialchars)
+ * @param string $data Default value of input field (data is sanitized with sm_encode_html_special_chars)
  * @param string $bgcolor html attributes added to row element (tr)
  * @return string html formated table row with text input field
  * @since 1.2.0 (arguments differ since 1.4.5/1.5.1)
@@ -207,7 +207,7 @@ function sti_input( $title, $name, $data, $bgcolor ) {
     $str = '';
     $str .= '<tr' . $bgcolor . ">\n";
     $str .= '  <td style="white-space: nowrap;text-align:right;">' . $title . ' </td>' . "\n";
-    $str .= '  <td> <input type="text" name="' . $name . '" size="50" value="'. htmlspecialchars($data) . '" /> </td>' . "\n";
+    $str .= '  <td> <input type="text" name="' . $name . '" size="50" value="'. sm_encode_html_special_chars($data) . '" /> </td>' . "\n";
     $str .= '</tr>';
 
     return $str;
@@ -218,7 +218,7 @@ function sti_input( $title, $name, $data, $bgcolor ) {
  * Creates html formated table row with textarea field
  * @param string $title Name displayed next to textarea field
  * @param string $name Name of textarea field
- * @param string $data Default value of textarea field  (data is sanitized with htmlspecialchars)
+ * @param string $data Default value of textarea field  (data is sanitized with sm_encode_html_special_chars)
  * @param string $bgcolor html attributes added to row element (tr)
  * @return string html formated table row with textarea
  * @since 1.2.5 (arguments differ since 1.4.5/1.5.1)
@@ -230,7 +230,7 @@ function sti_textarea( $title, $name, $data, $bgcolor ) {
     $str = '';
     $str .= '<tr' . $bgcolor . ">\n";
     $str .= '  <td style="white-space: nowrap;text-align:right;">' . $title . ' </td>' . "\n";
-    $str .= '  <td> <textarea name="' . $name . '" cols="50" rows="5">'. htmlspecialchars($data) . '</textarea> </td>' . "\n";
+    $str .= '  <td> <textarea name="' . $name . '" cols="50" rows="5">'. sm_encode_html_special_chars($data) . '</textarea> </td>' . "\n";
     $str .= '</tr>';
 
     return $str;

src/options_order.php

@@ -31,7 +31,7 @@ if (sqgetGlobalVar('num',       $num,       SQ_GET)) {
 if (!sqgetGlobalVar('method', $method)) {
     $method = '';
 } else {
-    $method = htmlspecialchars($method);
+    $method = sm_encode_html_special_chars($method);
 }
 if (!sqgetGlobalVar('positions', $pos, SQ_GET)) {
     $pos = 0;

src/read_body.php

@@ -273,7 +273,7 @@ function SendMDN ( $mailbox, $passed_id, $message, $imapConnection) {
         if (! empty($deliver->dlv_server_msg)) {
             $msg.= "\n" .
                 _("Server replied:") . ' ' . $deliver->dlv_ret_nr . ' ' .
-                nl2br(htmlspecialchars($deliver->dlv_server_msg));
+                nl2br(sm_encode_html_special_chars($deliver->dlv_server_msg));
         }
         plain_error_message($msg);
     } else {
@@ -358,7 +358,7 @@ function formatRecipientString($recipients, $item ) {
             $a[] = array(
                             // note: decodeHeader is htmlsafe by default
                             'Name'  => decodeHeader($r->getAddress(false)),
-                            'Email' => htmlspecialchars($r->getEmail()),
+                            'Email' => sm_encode_html_special_chars($r->getEmail()),
                             'Full'  => decodeHeader($r->getAddress(true))
                         );
         }

src/right_main.php

@@ -319,7 +319,7 @@ if (isset($mail_sent) && $mail_sent == 'yes') {
     $note = _("Your mail has been sent.");
 }
 if (isset($note)) {
-    $oTemplate->assign('note', htmlspecialchars($note));
+    $oTemplate->assign('note', sm_encode_html_special_chars($note));
     $oTemplate->display('note.tpl');
 }
 

src/search.php

@@ -580,7 +580,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno
                 $cur_mailbox = 'INBOX';
             $biop = asearch_nz($biop_array[$crit_num]);
             if (($query_display == '') || ($cur_mailbox != $last_mailbox)) {
-                $mailbox_display = ' <span class="mailbox">' . htmlspecialchars(asearch_get_mailbox_display($cur_mailbox)) . '</span>';
+                $mailbox_display = ' <span class="mailbox">' . sm_encode_html_special_chars(asearch_get_mailbox_display($cur_mailbox)) . '</span>';
                 if ($query_display == '')
                     $biop_display = _("In");
                 else
@@ -606,7 +606,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno
                     if ($what_type == 'adate')
                         $what_display = asearch_get_date_display($what);
                     else
-                        $what_display = htmlspecialchars($what);
+                        $what_display = sm_encode_html_special_chars($what);
                     $what_display = ' <span class="value">' . $what_display . '</span>';
                 }
             }
@@ -782,7 +782,7 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra
     # Build the mailbox array
     $a = array();
     if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) {
-        $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox));
+        $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox));
     }
     $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']';
     $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL));
@@ -841,7 +841,7 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio
     # Build the mailbox array
     $a = array();
     if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) {
-        $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox));
+        $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox));
     }
     $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']';
     $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL));
@@ -862,7 +862,7 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio
     $oTemplate->assign('unary_options', $imap_asearch_unops);
     $oTemplate->assign('where_options', $imap_asearch_options);
     
-    $oTemplate->assign('mailbox_sel', strtolower(htmlspecialchars($mailbox)));
+    $oTemplate->assign('mailbox_sel', strtolower(sm_encode_html_special_chars($mailbox)));
     $oTemplate->assign('unary_sel', $unop);
     $oTemplate->assign('where_sel', $where);
     $oTemplate->assign('what_val', $what);
@@ -1618,7 +1618,7 @@ if ($submit == $search_button_text) {
                             $mailbox_display = imap_utf7_decode_local($mbx);
                         }
 
-                        $oTemplate->assign('mailbox_name', htmlspecialchars($mailbox_display));
+                        $oTemplate->assign('mailbox_name', sm_encode_html_special_chars($mailbox_display));
                         $oTemplate->display('search_result_mailbox.tpl');
 
                         $oTemplate->assign('page_selector',  $page_selector);

src/vcard.php

@@ -86,7 +86,7 @@ if ($vcard_nice['version'] == '2.1') {
        $vcard_nice['email;internet'] = $vcard_nice['email;pref;internet'];
     }
 } else {
-    $oTemplate->assign('note', sprintf(_("vCard Version %s is not supported. Some information might not be converted correctly."), htmlspecialchars($vcard_nice['version'])));
+    $oTemplate->assign('note', sprintf(_("vCard Version %s is not supported. Some information might not be converted correctly."), sm_encode_html_special_chars($vcard_nice['version'])));
     $oTemplate->display('note.tpl');
 
     $vcard_nice['firstname'] = '';
@@ -94,7 +94,7 @@ if ($vcard_nice['version'] == '2.1') {
 }
 
 foreach ($vcard_nice as $k => $v) {
-    $v = htmlspecialchars($v);
+    $v = sm_encode_html_special_chars($v);
     $v = trim($v);
     $vcard_safe[$k] = trim(nl2br($v));
 }

src/view_header.php

@@ -39,7 +39,7 @@ function parse_viewheader($imapConnection,$id, $passed_ent_id) {
     }
     $cnum = 0;
     for ($i=1; $i < count($read); $i++) {
-        $line = htmlspecialchars($read[$i]);
+        $line = sm_encode_html_special_chars($read[$i]);
         switch (true) {
             case (preg_match('/^&gt;/i', $line)):
                 $second[$i] = $line;

templates/default/addrbook_addedit.tpl

@@ -61,8 +61,8 @@ $formname = $edit ? 'editaddr' : 'addaddr';
     if (is_array($values['Email'])) {
         echo '<select name="'.$formname.'[email]" id="email">'."\n";
         foreach ($values['Email'] as $email) {
-//FIXME: htmlspecialchars should not be needed inside any template files - I think values are already sanitized by the time they get here
-            echo '<option value="'.htmlspecialchars($email).'">'.htmlspecialchars($email).'</option>'."\n";
+//FIXME: sm_encode_html_special_chars should not be needed inside any template files - I think values are already sanitized by the time they get here
+            echo '<option value="'.sm_encode_html_special_chars($email).'">'.sm_encode_html_special_chars($email).'</option>'."\n";
         }
         echo '</select>'."\n";
     } else {
@@ -107,10 +107,10 @@ $formname = $edit ? 'editaddr' : 'addaddr';
    <select name="backend" id="backend">
     <?php
         foreach ($writable_backends as $id=>$name) {
-//FIXME: htmlspecialchars should not be needed inside any template files - I think values are already sanitized by the time they get here
+//FIXME: sm_encode_html_special_chars should not be needed inside any template files - I think values are already sanitized by the time they get here
             echo '<option value="' . $id
                . ($current_backend == $id ? '" selected="selected"' : '"')
-               . '>' . htmlspecialchars($name) . '</option>' . "\n";
+               . '>' . sm_encode_html_special_chars($name) . '</option>' . "\n";
         }
     ?>
    </select>

templates/default/addressbook_search_form.tpl

@@ -47,7 +47,7 @@ extract($t);
    <select name="backend" id="backend">
         <?php
         foreach ($backends as $id=>$name) {
-            echo '<option value="'.$id.'">'.htmlspecialchars($name).'</option>'."\n";
+            echo '<option value="'.$id.'">'.sm_encode_html_special_chars($name).'</option>'."\n";
         }
         ?>
    </select>

templates/default/input.tpl

@@ -28,8 +28,8 @@ extract($t);
 
 echo '<input type="' . $type . '"';
 foreach ($aAttribs as $key => $value) {
-//TODO: see the FIXME tag on line 68 of functions/forms.php - the htmlspecialchars() below should be migrated to the template class
-    echo ' ' . $key . (is_null($value) ? '' : '="' . htmlspecialchars($value) . '"');
+//TODO: see the FIXME tag on line 68 of functions/forms.php - the sm_encode_html_special_chars() below should be migrated to the template class
+    echo ' ' . $key . (is_null($value) ? '' : '="' . sm_encode_html_special_chars($value) . '"');
 }
 echo ' />';
 

templates/default/options_order.tpl

@@ -71,7 +71,7 @@ extract($t);
    <select name="num">
     <?php
         foreach ($not_used as $field_id=>$name) {
-            echo '<option value="'.$field_id.'">'.htmlspecialchars($name).'</option>'."\n";
+            echo '<option value="'.$field_id.'">'.sm_encode_html_special_chars($name).'</option>'."\n";
         }
     ?>
    </select>

templates/default_advanced/options_order.tpl

@@ -74,7 +74,7 @@ extract($t);
         foreach ($not_used as $field_id=>$name) {
             echo "<tr>\n" .
                  "<td colspan=\"3\" class=\"moveLink\"><a href=\"". $add.$field_id."\">".getIcon($icon_theme_path, 'plus.png', _("Add"), _("Add"))."</a></td>\n" .
-                 "<td class=\"fieldName\">".htmlspecialchars($name)."</td>\n" .
+                 "<td class=\"fieldName\">".sm_encode_html_special_chars($name)."</td>\n" .
                  "</tr>\n";
     }
    ?>

templates/util_addressbook.php

@@ -22,7 +22,7 @@
 function composeLink ($row) {
     return makeComposeLink('src/compose.php?send_to=' .
                            rawurlencode($row['RawFullAddress']),
-                           htmlspecialchars($row['Email']));
+                           sm_encode_html_special_chars($row['Email']));
 }
 
 /**
@@ -41,17 +41,17 @@ function formatAddressList ($addresses) {
     $contacts = array();
     while(list($undef,$row) = each($addresses)) {
         $contact = array (
-                            'FirstName'      => htmlspecialchars($row['firstname']),
-                            'LastName'       => htmlspecialchars($row['lastname']),
-                            'FullName'       => htmlspecialchars($row['name']),
-                            'NickName'       => htmlspecialchars($row['nickname']),
-                            'Email'          => htmlspecialchars($row['email']),
-                            'FullAddress'    => htmlspecialchars(AddressBook::full_address($row)),
+                            'FirstName'      => sm_encode_html_special_chars($row['firstname']),
+                            'LastName'       => sm_encode_html_special_chars($row['lastname']),
+                            'FullName'       => sm_encode_html_special_chars($row['name']),
+                            'NickName'       => sm_encode_html_special_chars($row['nickname']),
+                            'Email'          => sm_encode_html_special_chars($row['email']),
+                            'FullAddress'    => sm_encode_html_special_chars(AddressBook::full_address($row)),
                             'RawFullAddress' => AddressBook::full_address($row),
-                            'Info'           => htmlspecialchars($row['label']),
+                            'Info'           => sm_encode_html_special_chars($row['label']),
                             'Extra'          => (isset($row['extra']) ? $row['extra'] : NULL),
-                            'Source'         => htmlspecialchars($row['source']),
-                            'JSEmail'        => htmlspecialchars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES),
+                            'Source'         => sm_encode_html_special_chars($row['source']),
+                            'JSEmail'        => sm_encode_html_special_chars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES),
                          );
         $contacts[] = $contact;
     }

templates/util_read.php

@@ -15,7 +15,7 @@
  * Return a string representing the priority of a message
  */
 function priorityStr($p) {
-    return htmlspecialchars(getPriorityStr($p));
+    return sm_encode_html_special_chars(getPriorityStr($p));
 }
 
 ?>