Changeset 10a69975 in github

Timestamp:

Nov 6, 2005 2:26:45 PM (8 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

e66f5b4

Parents:

e0ddd4e

Message:

Added localized messages to client and check form input

Files:

• CHANGELOG (modified) (2 diffs)
• INSTALL (modified) (1 diff)
• program/include/main.inc (modified) (3 diffs)
• program/include/rcube_db.inc (modified) (2 diffs)
• program/include/rcube_mdb2.inc (modified) (5 diffs)
• program/js/app.js (modified) (7 diffs)
• program/js/common.js (modified) (2 diffs)
• program/localization/de/labels.inc (modified) (1 diff)
• program/localization/de/messages.inc (modified) (2 diffs)
• program/localization/en/labels.inc (modified) (1 diff)
• program/localization/en/messages.inc (modified) (2 diffs)
• program/steps/addressbook/edit.inc (modified) (2 diffs)
• program/steps/addressbook/save.inc (modified) (7 diffs)
• program/steps/mail/compose.inc (modified) (1 diff)
• program/steps/mail/sendmail.inc (modified) (3 diffs)
• program/steps/settings/edit_identity.inc (modified) (1 diff)
• program/steps/settings/func.inc (modified) (1 diff)
• program/steps/settings/save_identity.inc (modified) (7 diffs)

CHANGELOG

@@ -61 +61 @@
 
 
-2005/11/02
+2005/11/06
 ----------
 - Added Finnish, Romanian and Chinese translation
@@ -72 +72 @@
 - Added more XSS protection (Bug #1308236)
 - Added tab indexes for compose form
-
+- Added 'changed' col to contacts table
+- Support for 160-bit session hashes
+- Added input check for contacts and identities (Patch #1346523)
+- Added messages/warning to compose step (Patch #1323895)

INSTALL

@@ -4 +4 @@
 
 1. Decompress and put this folder somewhere inside your document root
-2. Make sure that the following directories are writable by the webserver
+2. Make sure that the following directories (and the files within)
+   are writable by the webserver
    - /temp
    - /logs
-3. Create a new database and a database user for RoundCube
+3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
 4. Create database tables using the queries in file 'SQL/*.initial.sql'
+   (* stands for your database type)
 5. Rename the files config/*.inc.php.dist to config/*.inc.php
 6. Modify the files in config/* to suit your local environment
 7. Done!
+
+
+DATABASE SETUP
+==============
+
+* MySQL
+-------
+Setting up the mysql database can be done by creating an empty database,
+importing the table layout and granting the proper permissions to the
+roundcube user. Here is an example of that procedure:
+
+# mysql
+> create database 'roundcubemail';
+> GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost
+        IDENTIFIED BY 'password';
+> quit
+# mysql roundcubemail < SQL/mysql.initial.sql
+
+* SQLite
+--------
+Sqlite requires specifically php5 (sqlite in php4 currently doesn't
+work with roundcube), and you need sqlite 2 (preferably 2.8) to setup
+the sqlite db (sqlite 3.x also doesn't work at the moment). Here is
+an example how you can setup the sqlite.db for roundcube:
+
+# sqlite -init SQL/sqlite.initial.sql sqlite.db
+
+Make sure your configuration points to the sqlite.db file and that the
+webserver can write to the file.
 
 

program/include/main.inc

@@ -249 +249 @@
   else
     rcmail_set_locale($sess_user_lang);
+  
+  // add some basic label to client
+  rcube_add_label('loading');
   }  
 
@@ -402 +405 @@
 
 
+// overwrite action variable  
+function rcmail_overwrite_action($action)
+  {
+  global $OUTPUT, $JS_OBJECT_NAME;
+  $GLOBALS['_action'] = $action;
+
+  $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $action));  
+  }
+
+
 function show_message($message, $type='notice')
   {
@@ -488 +501 @@
 
   return $sa_languages;
+  }
+
+
+// add a localized label to the client environment
+function rcube_add_label()
+  {
+  global $OUTPUT, $JS_OBJECT_NAME;
+  
+  $arg_list = func_get_args();
+  foreach ($arg_list as $i => $name)
+    $OUTPUT->add_script(sprintf("%s.add_label('%s', '%s');",
+                                $JS_OBJECT_NAME,
+                                $name,
+                                rep_specialchars_output(rcube_label($name), 'js')));  
   }
 

program/include/rcube_db.inc

@@ -221 +221 @@
     }
 
-        function quoteIdentifier ( $str )
+
+    function quote($input, $type=null)
+    {
+                if (!$this->db_handle)
+                        $this->db_connect('r');
+
+                return $this->db_handle->quote($input);
+    }
+    
+
+        function quoteIdentifier($str)
         {
                 if (!$this->db_handle)
@@ -228 +238 @@
                 return $this->db_handle->quoteIdentifier($str);
         }
+        
+        function quote_identifier($str)
+        {
+                return $this->quoteIdentifier($str);
+        }
+
         
         function unixtimestamp($field)

program/include/rcube_mdb2.inc

@@ -103 +103 @@
 
     // Query database
-    
     function query()
-
-    {
-
+    {
                 $params = func_get_args();
-
                 $query = array_shift($params);
 
-                
-
                 return $this->_query($query, 0, 0, $params);
-
-    }
-
-   
+    }
+
 
         function limitquery()
-
     {
 
                 $params = func_get_args();
-
                 $query = array_shift($params);
-
                 $offset = array_shift($params);
-
                 $numrows = array_shift($params);
 
-                
-
                 return $this->_query($query, $offset, $numrows, $params);
-
     }
     
@@ -169 +154 @@
     }
 
+
     function num_rows($res_id=NULL)
     {
@@ -182 +168 @@
     }
 
+
     function affected_rows($res_id=NULL)
     {
@@ -189 +176 @@
         return $this->db_handle->affectedRows();
     }
+
 
     function insert_id($sequence = '')
@@ -213 +201 @@
     }
 
-        function quoteIdentifier ( $str )
-
+
+    function quote($input, $type=null)
+    {
+                if (!$this->db_handle)
+                        $this->db_connect('r');
+
+                return $this->db_handle->quote($input, $type);
+    }
+
+
+        function quoteIdentifier($str)
         {
-
                 if (!$this->db_handle)
-
                         $this->db_connect('r');
 
-                        
-
                 return $this->db_handle->quoteIdentifier($str);
-
         }
-        
+
+        function quote_identifier($str)
+        {
+                return $this->quoteIdentifier($str);
+        }
+
+
         function unixtimestamp($field)
-
         {
-
                 switch($this->db_provider)
-
                         {
-
                         case 'pgsql':
-
                                 return "EXTRACT (EPOCH FROM $field)";
-
                                 break;
 
                         default:
-
                                 return "UNIX_TIMESTAMP($field)";
-
                         }
-
         }
-        
+
+
     function _add_result($res, $query)
     {

program/js/app.js

@@ -7 +7 @@
  | Licensed under the GNU GPL                                            |
  |                                                                       |
- | Modified: 2005/11/01 (roundcube)                                      |
+ | Modified: 2005/11/06 (roundcube)                                      |
  |                                                                       |
  +-----------------------------------------------------------------------+
@@ -20 +20 @@
   {
   this.env = new Object();
+  this.labels = new Object();
   this.buttons = new Object();
   this.gui_objects = new Object();
@@ -49 +50 @@
       this.env[name] = value;    
     };
+
+
+  // add a localized label to the client environment
+  this.add_label = function(key, value)
+    {
+    this.labels[key] = value;
+    };
+
 
   // add a button to the button list
@@ -514 +523 @@
       case 'save':
         if (this.gui_objects.editform)
+          {
+          var input_pagesize = rcube_find_object('_pagesize');
+          var input_name  = rcube_find_object('_name');
+          var input_email = rcube_find_object('_email');
+
+          // user prefs
+          if (input_pagesize && input_pagesize.value == '')
+            {
+            alert(this.get_label('nopagesizewarning'));
+            input_pagesize.focus();
+            break;
+            }
+          // contacts/identities
+          else
+            {
+            if (input_name && input_name.value == '')
+              {
+              alert(this.get_label('nonamewarning'));
+              input_name.focus();
+              break;
+              }
+            else if (input_email && !rcube_check_email(input_email.value))
+              {
+              alert(this.get_label('noemailwarning'));
+              input_email.focus();
+              break;
+              }
+            }
+
           this.gui_objects.editform.submit();
+          }
         break;
 
@@ -640 +679 @@
         var input_subject = rcube_find_object('_subject');
         var input_message = rcube_find_object('_message');
-        
-        if (input_to.value!='' && input_message.value!='')
+
+        // check for empty recipient
+        if (input_to && !rcube_check_email(input_to.value, true))
           {
-          this.set_busy(true, 'sendingmessage');
-          var form = this.gui_objects.messageform;
-          form.submit();
+          alert(this.get_label('norecipientwarning'));
+          input_to.focus();
+          break;
           }
-          
+
+        // display localized warning for missing subject
+        if (input_subject && input_subject.value == '')
+          {
+          var subject = prompt(this.get_label('nosubjectwarning'), this.get_label('nosubject'));
+
+          // user hit cancel, so don't send
+          if (!subject && subject !== '')
+            {
+            input_subject.focus();
+            break;
+            }
+          else
+            {
+            input_subject.value = subject ? subject : this.get_label('nosubject');            
+            }
+          }
+
+        // check for empty body
+        if (input_message.value=='')
+          {
+          if (!confirm(this.get_label('nobodywarning')))
+            {
+            input_message.focus();
+            break;
+            }
+          }
+
+        // all checks passed, send message
+        this.set_busy(true, 'sendingmessage');
+        var form = this.gui_objects.messageform;
+        form.submit();
         break;
 
@@ -761 +832 @@
     {
     if (a && message)
-      this.display_message('Loading...', 'loading', true);
+      {
+      var msg = this.get_label(message);
+      if (msg==message)        
+        msg = 'Loading...';
+
+      this.display_message(msg, 'loading', true);
+      }
     else if (!a && this.busy)
       this.hide_message();
@@ -781 +858 @@
 
 
+  // return a localized string
+  this.get_label = function(name)
+    {
+    if (this.labels[name])
+      return this.labels[name];
+    else
+      return name;
+    };
+
+
+  // switch to another application task
   this.switch_task = function(task)
     {

program/js/common.js

@@ -7 +7 @@
  | Licensed under the GNU GPL                                            |
  |                                                                       |
- | Modified:2005/10/21 (roundcube)                                       |
+ | Modified:2005/11/06 (roundcube)                                       |
  |                                                                       |
  +-----------------------------------------------------------------------+
@@ -265 +265 @@
 
 
+// check if input is a valid email address
+function rcube_check_email(input, inline)
+  {
+  if (input && window.RegExp)
+    {
+    var reg_str = '([a-z0-9][-a-z0-9\.\+_]*)\@([a-z0-9]([-a-z0-9][\.]?)*[a-z0-9]\.[a-z]{2,9})';
+    var reg1 = inline ? new RegExp(reg_str, 'i') : new RegExp('^'+reg_str+'$', 'i');
+    var reg2 = /[\._\-\@]{2}/;
+    return reg1.test(input) && !reg2.test(input) ? true : false;
+    }
+  return false;
+  }
+  
 
 // find a value in a specific array and returns the index

program/localization/de/labels.inc

@@ -120 +120 @@
 $labels['highest'] = 'Höchste';
 
+$labels['nosubject']  = '(kein Betreff)';
+
 $labels['showimages'] = 'Bilder anzeigen';
 

program/localization/de/messages.inc

@@ -33 +33 @@
 $messages['mailboxempty'] = 'Ordner ist leer';
 
-$messages['loadingdata'] = 'Daten werden geladen...';
+$messages['loading'] = $messages['loadingdata'] = 'Daten werden geladen...';
+
+$messages['sendingmessage'] = 'Nachricht wird gesendet...';
 
 $messages['messagesent'] = 'Nachricht erfolgreich gesendet';
@@ -53 +55 @@
 $messages['errorsaving'] = 'Beim Speichern ist ein Fehler aufgetreten';
 
+$messages['formincomplete']    = 'Das Formular wurde nicht vollständig ausgefüllt';
+
+$messages['noemailwarning']    = 'Bitte geben Sie eine gültige E-Mail-Adresse ein';
+
+$messages['nonamewarning']     = 'Bitte geben Sie einen Namen ein';
+
+$messages['nopagesizewarning'] = 'Bitte geben Sie eine Einträge pro Seite ein';
+
+$messages['norecipientwarning'] = 'Bitte geben Sie mindestens einen Empfänger an';
+
+$messages['nosubjectwarning']  = 'Die Betreffzeile ist leer. Möchten Sie jetzt einen Betreff eingeben?';
+
+$messages['nobodywarning'] = 'Diese Nachricht ohne Inhalt senden?';
 
 ?>

program/localization/en/labels.inc

@@ -120 +120 @@
 $labels['highest'] = 'Highest';
 
+$labels['nosubject']  = '(no subject)';
+
 $labels['showimages'] = 'Display images';
 

program/localization/en/messages.inc

@@ -33 +33 @@
 $messages['mailboxempty'] = 'Mailbox is empty';
 
+$messages['loading'] = 'Loading...';
+
 $messages['loadingdata'] = 'Loading data...';
+
+$messages['sendingmessage'] = 'Sending message...';
 
 $messages['messagesent'] = 'Message sent successfully';
@@ -57 +61 @@
 $messages['errordeleting'] = 'Could not delete the message';
 
+$messages['errordeleting'] = 'Could not delete the message';
+
+$messages['formincomplete']    = 'The form was not completely filled out';
+
+$messages['noemailwarning']    = 'Please enter a valid email address';
+
+$messages['nonamewarning']     = 'Please enter a name';
+
+$messages['nopagesizewarning'] = 'Please enter a page size';
+
+$messages['norecipientwarning'] = 'Please enter at least one recipient';
+
+$messages['nosubjectwarning']  = 'The "Subject" field is empty. Would you like to enter one now?';
+
+$messages['nobodywarning'] = 'Send this message without text?';
+
 
 ?>

program/steps/addressbook/edit.inc

@@ -32 +32 @@
   
   $CONTACT_RECORD = $DB->fetch_assoc();
-  
+
   if (is_array($CONTACT_RECORD))
     $OUTPUT->add_script(sprintf("%s.set_env('cid', '%s');", $JS_OBJECT_NAME, $CONTACT_RECORD['contact_id']));
@@ -45 +45 @@
   if (!$CONTACT_RECORD && $GLOBALS['_action']!='add')
     return rcube_label('contactnotfound');
+
+  // add some labels to client
+  rcube_add_label('noemailwarning');
+  rcube_add_label('nonamewarning');
 
   list($form_start, $form_end) = get_form_tags($attrib);

program/steps/addressbook/save.inc

@@ -24 +24 @@
 
 
+// check input
+if (empty($_POST['_name']) || empty($_POST['_email']))
+  {
+  show_message('formincomplete', 'warning');
+  rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+  return;
+  }
+
+
 // update an existing contact
 if ($_POST['_cid'])
@@ -35 +44 @@
       continue;
     
-    $a_write_sql[] = sprintf("%s='%s'", $col, addslashes(strip_tags($_POST[$fname])));
+    $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), $DB->quote(strip_tags($_POST[$fname])));
     }
 
@@ -88 +97 @@
     // show error message
     show_message('errorsaving', 'error');
-    $_action = 'show';
+    rcmail_overwrite_action('show');
     }
   }
@@ -96 +105 @@
   {
   $a_insert_cols = $a_insert_values = array();
+  
+  // check for existing contacts
+  $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')."
+                            WHERE  user_id=?
+                            AND    email=?
+                            AND    del<>'1'",
+                           $_SESSION['user_id'],
+                           $_POST['_email']);
+
+  // show warning message
+  if ($DB->num_rows($sql_result))
+    {
+    show_message('contactexists', 'warning');
+    $_action = 'add';
+    return;
+    }
 
   foreach ($a_save_cols as $col)
@@ -104 +129 @@
     
     $a_insert_cols[] = $col;
-    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
+    $a_insert_values[] = $DB->quote(strip_tags($_POST[$fname]));
     }
     
@@ -110 +135 @@
     {
     $DB->query("INSERT INTO ".get_table_name('contacts')."
-                (user_id, changedm ".join(', ', $a_insert_cols).")
+                (user_id, changed, ".join(', ', $a_insert_cols).")
                 VALUES (?, now(), ".join(', ', $a_insert_values).")",
                 $_SESSION['user_id']);
@@ -154 +179 @@
     // show error message
     show_message('errorsaving', 'error');
-    $_action = 'add';
+    rcmail_overwrite_action('add');
     }
   }

program/steps/mail/compose.inc

@@ -31 +31 @@
 if (!is_array($_SESSION['compose']))
   $_SESSION['compose'] = array('id' => uniqid(rand()));
+
+
+// add some labels to client
+rcube_add_label('nosubject', 'norecipientwarning', 'nosubjectwarning', 'nobodywarning', 'sendingmessage');
 
 

program/steps/mail/sendmail.inc

@@ -29 +29 @@
 if (!isset($_SESSION['compose']['id']))
   {
-  $_action = 'list';
+  rcmail_overwrite_action('list');
   return;
   }
@@ -66 +66 @@
 
 
+if (empty($_POST['_to']) && empty($_POST['_subject']) && $_POST['_message'])
+  {
+  show_message("sendingfailed", 'error'); 
+  rcmail_overwrite_action('compose');
+  return;
+  }
+
+
 $mailto_regexp = array('/,\s*[\r\n]+/', '/[\r\n]+/', '/,\s*$/m');
 $mailto_replace = array(' ', ', ', '');
@@ -207 +215 @@
 if (!$sent)
   {
-  $_action = 'compose';
-  $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action));
   show_message("sendingfailed", 'error'); 
+  rcmail_overwrite_action('compose');
   return;
   }

program/steps/settings/edit_identity.inc

@@ -48 +48 @@
   if (!$IDENTITY_RECORD && $GLOBALS['_action']!='add-identity')
     return rcube_label('notfound');
+
+  // add some labels to client
+  rcube_add_label('noemailwarning');
+  rcube_add_label('nonamewarning');
+
 
   list($form_start, $form_end) = get_form_tags($attrib, 'save-identity', array('name' => '_iid', 'value' => $IDENTITY_RECORD['identity_id']));

program/steps/settings/func.inc

@@ -35 +35 @@
   global $DB, $CONFIG, $sess_user_lang;
 
+  // add some labels to client
+  rcube_add_label('nopagesizewarning');
+  
   list($form_start, $form_end) = get_form_tags($attrib, 'save-prefs');
   unset($attrib['form']);

program/steps/settings/save_identity.inc

@@ -23 +23 @@
 
 
+// check input
+if (empty($_POST['_name']) || empty($_POST['_email']))
+  {
+  show_message('formincomplete', 'warning');
+  rcmail_overwrite_action('edit-identitiy');
+  return;
+  }
+
+
 // update an existing contact
 if ($_POST['_iid'])
@@ -34 +43 @@
       continue;
 
-    $a_write_sql[] = sprintf("`%s`='%s'", $col, addslashes(strip_tags($_POST[$fname])));
+    $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), $DB->quote(strip_tags($_POST[$fname])));
     }
 
@@ -57 +66 @@
     $DB->query("UPDATE ".get_table_name('identities')."
                 SET ".$DB->quoteIdentifier('default')."='0'
-                WHERE  identity_id!=?
-                AND    user_id=?
+                WHERE  user_id=?
+                AND    identity_id<>?
                 AND    del<>'1'",
-                $_POST['_iid'],
-                $_SESSION['user_id']);
+                $_SESSION['user_id'],
+                $_POST['_iid']);
     
     if ($_POST['_framed'])
@@ -72 +81 @@
     {
     // show error message
-
+    show_message('errorsaving', 'error');
+    rcmail_overwrite_action('edit-identitiy');
     }
   }
@@ -88 +98 @@
     
     $a_insert_cols[] = $DB->quoteIdentifier($col);
-    $a_insert_values[] = sprintf("'%s'", addslashes(strip_tags($_POST[$fname])));
+    $a_insert_values[] = $DB->quote(strip_tags($_POST[$fname]));
     }
     
@@ -114 +124 @@
     {
     // show error message
+    show_message('errorsaving', 'error');
+    rcmail_overwrite_action('edit-identitiy');
     }
   }
@@ -119 +131 @@
 
 // go to next step
-if ($_POST['_framed'])
-  $_action = 'edit-identitiy';
-else
-  $_action = 'identities';
-  
-
-// overwrite action variable  
-$OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action));  
+rcmail_overwrite_action($_POST['_framed'] ? 'edit-identitiy' : 'identities');
 
 ?>