Don't use eval() to load HTML data

horde · Aug 26, 2014 · 375e019 · 375e019
1 parent 72e5499
commit 375e019
Show file tree

Hide file tree

Showing 9 changed files with 44 additions and 26 deletions.
diff --git a/imp/js/dimpbase.js b/imp/js/dimpbase.js
@@ -1908,6 +1908,8 @@ var DimpBase = {
         $('previewPane').scrollTop = 0;
         pm.show();
 
+        DimpCore.msgMetadata(r.md);
+
         if (r.js) {
             eval(r.js.join(';'));
         }

diff --git a/imp/js/dimpcore.js b/imp/js/dimpcore.js
@@ -177,6 +177,17 @@ var DimpCore = {
         }, this);
     },
 
+    msgMetadata: function(md)
+    {
+        $H(md).each(function(pair) {
+            switch (pair.key) {
+            case 'html':
+                IMP_JS.iframeInject(pair.value[0], pair.value[1]);
+                break;
+            }
+        });
+    },
+
     /* Add message log info to message view. */
     updateMsgLog: function(log)
     {

diff --git a/imp/js/message-dimp.js b/imp/js/message-dimp.js
@@ -8,7 +8,9 @@
 
 var DimpMessage = {
 
-    // Variables defaulting to empty/false: buid, mbox
+    // buid,
+    // mbox,
+    // msg_md
 
     quickreply: function(type)
     {
@@ -295,6 +297,9 @@ var DimpMessage = {
             }
         }
 
+        DimpCore.msgMetadata(this.msg_md);
+        delete this.msg_md;
+
         $('dimpLoading').hide();
         $('msgData').show();
 

diff --git a/imp/js/smartmobile.js b/imp/js/smartmobile.js
@@ -807,6 +807,17 @@ var ImpMobile = {
 
         $.fn[cache.readonly ? 'hide' : 'show'].call($('#imp-message-delete'));
 
+        if (data.md) {
+            $.each(data.md, function(k, md) {
+                switch (k) {
+                case 'html':
+                    IMP_JS.iframeInject(md[0], md[1]);
+                    $("#imp-message-body a[href='#unblock-image']").button();
+                    break;
+                }
+            });
+        }
+
         if (data.js) {
             $.each(data.js, function(k, js) {
                 $.globalEval(js);

diff --git a/imp/lib/Ajax/Application/ShowMessage.php b/imp/lib/Ajax/Application/ShowMessage.php
@@ -113,6 +113,7 @@ public function __construct(IMP_Indices $indices, $peek = false)
      *   - js: Javascript code to run on display
      *   - list_info (FULL): List information.
      *   - localdate (PREVIEW): The date formatted to the user's timezone
+     *   - md: Metadata
      *   - msgtext: The text of the message
      *   - onepart: True if message only contains one part.
      *   - replyTo (FULL): The Reply-to addresses
@@ -130,10 +131,7 @@ public function showMessage($args)
         global $injector, $page_output, $prefs, $registry, $session;
 
         $preview = !empty($args['preview']);
-
-        $result = array(
-            'js' => array()
-        );
+        $result = array();
 
         $mime_headers = $this->_peek
             ? $this->_contents->getHeader()
@@ -301,7 +299,7 @@ public function showMessage($args)
         ));
         $session->start();
 
-        $result['js'] = array_merge($result['js'], $inlineout['js_onload']);
+        $result['md'] = $inlineout['metadata'];
         $result['msgtext'] .= $inlineout['msgtext'];
         if ($inlineout['one_part']) {
             $result['onepart'] = true;
@@ -361,7 +359,7 @@ public function showMessage($args)
             Horde::startBuffer();
             $page_output->outputInlineScript(true);
             if ($js_inline = Horde::endBuffer()) {
-                $result['js'][] = $js_inline;
+                $result['js'] = $js_inline;
             }
 
             $result['save_as'] = strval($result['save_as']->setRaw(true));
@@ -372,10 +370,6 @@ public function showMessage($args)
             }
         }
 
-        if (empty($result['js'])) {
-            unset($result['js']);
-        }
-
         /* Add changed flag information. */
         if (!$this->_peek && $mbox->is_imap) {
             $status = $mbox->imp_imap->status($mbox, Horde_Imap_Client::STATUS_PERMFLAGS);
@@ -384,7 +378,7 @@ public function showMessage($args)
             }
         }
 
-        return $result;
+        return array_filter($result);
     }
 
     /**

diff --git a/imp/lib/Basic/Message.php b/imp/lib/Basic/Message.php
@@ -895,7 +895,6 @@ protected function _init()
 
         /* Output message page now. */
         $page_output->addInlineJsVars($js_vars, array('top' => true));
-        $page_output->addInlineScript($inlineout['js_onload'], true);
         $page_output->addScriptFile('scriptaculous/effects.js', 'horde');
         $page_output->addScriptFile('hordecore.js', 'horde');
         $page_output->addScriptFile('message.js');

diff --git a/imp/lib/Contents.php b/imp/lib/Contents.php
@@ -1406,15 +1406,15 @@ public function getPartName(Horde_Mime_Part $part, $use_descrip = false)
      * @return array  An array with the following keys:
      *   - atc_parts: (array) The list of attachment MIME IDs.
      *   - display_ids: (array) The list of display MIME IDs.
-     *   - js_onload: (array) A list of javascript code to run onload.
+     *   - metadata: (array) A list of metadata.
      *   - msgtext: (string) The rendered HTML code.
      *   - one_part: (boolean) If true, the message only consists of one part.
      */
     public function getInlineOutput(array $options = array())
     {
         global $prefs, $registry;
 
-        $atc_parts = $display_ids = $msgtext = $js_onload = $wrap_ids = array();
+        $atc_parts = $display_ids = $metadata = $msgtext = $wrap_ids = array();
         $parts_list = $this->getContentTypeMap();
         $text_out = '';
         $view = $registry->getView();
@@ -1512,8 +1512,8 @@ public function getInlineOutput(array $options = array())
                     'wrap' => empty($info['wrap']) ? null : $info['wrap']
                 );
 
-                if (isset($info['js'])) {
-                    $js_onload = array_merge($js_onload, $info['js']);
+                if (isset($info['metadata'])) {
+                    $metadata = array_merge($metadata, $info['metadata']);
                 }
 
                 if ($no_inline_all) {
@@ -1555,7 +1555,7 @@ public function getInlineOutput(array $options = array())
         return array(
             'atc_parts' => $atc_parts,
             'display_ids' => array_keys($display_ids),
-            'js_onload' => $js_onload,
+            'metadata' => $metadata,
             'msgtext' => $text_out,
             'one_part' => (count($parts_list) == 1)
         );

diff --git a/imp/lib/Dynamic/Message.php b/imp/lib/Dynamic/Message.php
@@ -95,6 +95,9 @@ protected function _init()
         }
         $js_vars['DimpMessage.buid'] = $buid;
         $js_vars['DimpMessage.mbox'] = $this->indices->mailbox->form_to;
+        if (isset($msg_res['md'])) {
+            $js_vars['DimpMessage.msg_md'] = $msg_res['md'];
+        }
         $js_vars['DimpMessage.tasks'] = $injector->getInstance('Horde_Core_Factory_Ajax')->create('imp', $this->vars)->getTasks();
 
         $page_output->addInlineJsVars($js_vars);

diff --git a/imp/lib/Mime/Viewer/Html.php b/imp/lib/Mime/Viewer/Html.php
@@ -87,14 +87,7 @@ protected function _renderInline()
 
             $page_output->addScriptPackage('IMP_Script_Package_Imp');
 
-            $data['js'] = array(
-                'IMP_JS.iframeInject("' . $uid . '", ' . json_encode($data['data']) . ')'
-            );
-
-            if ($view == $registry::VIEW_SMARTMOBILE) {
-                $data['js'][] = '$("#imp-message-body a[href=\'#unblock-image\']").button()';
-            }
-
+            $data['metadata'] = array('html' => array($uid, $data['data']));
             $data['data'] = '<div>' . _("Loading...") . '</div><iframe class="htmlMsgData" id="' . $uid . '" src="javascript:false" frameborder="0" style="display:none;height:auto;"></iframe>';
             $data['type'] = 'text/html; charset=UTF-8';
             break;