[Tickets #7926] Re: Message option "Show All Headers" causes error

bugs at horde.org bugs at horde.org
Wed Feb 4 09:21:42 UTC 2009


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/7926
------------------------------------------------------------------------------
  Ticket             | 7926
  Updated By         | horde at immerda.ch
  Summary            | Message option "Show All Headers" causes error
  Queue              | IMP
  Version            | 4.3.3
  Type               | Bug
  State              | Assigned
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             | Horde Developers, Michael Slusarz, Chuck Hagenbuch
------------------------------------------------------------------------------


Michael Slusarz <slusarz at horde.org> (2009-02-02 22:47) wrote:

> Right, it's not relevant for template evaluation, but
> Horde::selfUrl() can contain raw query parameters, so those need to
> be escaped somewhere along the way. I didn't see that happening
> already, but if it is, then yes, the commits are irrelevant (and
> incorrect).

AFAICT, selfUrl() (as called by message.php) has the $full param set
to false; in selfUrl, Horde::url() is called with $full = false; and
the URL will necessarily have '&' param separators, instead of '&amp;'
separators, so htmlentities() will be called on the generated URL at
the bottom of url().  Thus, anything appearing in the URL will/should
be escaped.

As for smime.php, we should probably use
htmlspecialchars(html_entity_decode(Util::getFormData('reload')))
instead of htmlspecialchars(Util::getFormData('reload')) (we use the
former elsewhere in that file).  Looks like we aren't doing the
html_entity_decode() call in pgp.php in either place we are processing
'reload' form data, so we should probably be doing that.

Does any of this sound sane/rational/correct?
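As an added illustration of the two escaping strategies compared in the reply above (example code written for this page, not Horde's own): the helper names naive() and normalized(), the explicit ENT_QUOTES/UTF-8 flags and the sample 'reload' values are all assumptions, not taken from the ticket.

```php
<?php
// Added example, not Horde code. Compares escaping a 'reload' form value
// directly against decoding its entities first and then escaping once.
// Inputs are constructed; flag choices (ENT_QUOTES, UTF-8) are assumptions.

// Strategy 1: escape whatever arrived (what the ticket says pgp.php does today).
function naive(string $reload): string
{
    return htmlspecialchars($reload, ENT_QUOTES, 'UTF-8');
}

// Strategy 2: collapse any existing entities, then escape exactly once
// (the htmlspecialchars(html_entity_decode(...)) form proposed in the ticket).
// The decode is safe only because the re-encode follows immediately.
function normalized(string $reload): string
{
    $decoded = html_entity_decode($reload, ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
}

$inputs = [
    // URL as Horde::url() emits it with $full = false: '&' already encoded.
    'pre-encoded'    => 'message.php?index=1&amp;mailbox=INBOX',
    // Same URL with bare '&' separators.
    'raw'            => 'message.php?index=1&mailbox=INBOX',
    // Hostile value: markup that must not reach the page unescaped.
    'markup'         => 'message.php?index=1"><i>x</i>',
    // Entity-encoded markup: decoding must not resurrect it as live tags.
    'encoded-markup' => 'message.php?index=1&lt;i&gt;',
];

foreach ($inputs as $label => $in) {
    printf("%-15s in:         %s\n", $label, $in);
    printf("%-15s naive:      %s\n", '', naive($in));
    printf("%-15s normalized: %s\n\n", '', normalized($in));
}
```

For the pre-encoded input, naive() produces `&amp;amp;`, which the browser decodes to a literal `&amp;mailbox=` in the reload URL, while normalized() yields `&amp;` for both the raw and pre-encoded forms and still escapes the `"`, `<` and `>` in the hostile values.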