authorfriendica <info@friendica.com>2013-12-11 23:13:36 -0800
committerfriendica <info@friendica.com>2013-12-11 23:13:36 -0800
commitb3fe221b7fe9c6ecc151d9c00f36d3913526f6a3 (patch)
tree2f074601c98f8403ba5b6db2a4b76b552ddfa8aa /mod
parent18f0ab2605790f616ffd9b7a988e8dbdb10a0157 (diff)
issue #240 - we were using htmlentities instead of htmlspecialchars in several places, and this was a bit greedy in the set of characters which were converted from utf-8 to HTML entities. Also brought mail attachments up to date so they are rendered identically to item attachments.
Diffstat (limited to 'mod')
-rw-r--r--mod/admin.php4
-rw-r--r--mod/message.php34
-rwxr-xr-xmod/setup.php2
3 files changed, 4 insertions, 36 deletions
diff --git a/mod/admin.php b/mod/admin.php
index 9a6aea35a..91dd0b56e 100644
--- a/mod/admin.php
+++ b/mod/admin.php
@@ -425,7 +425,7 @@ function admin_page_site(&$a) {
'$baseurl' => $a->get_baseurl(true),
// name, label, value, help string, extra data...
- '$sitename' => array('sitename', t("Site name"), htmlentities(get_config('system','sitename'), ENT_QUOTES), ""),
+ '$sitename' => array('sitename', t("Site name"), htmlspecialchars(get_config('system','sitename'), ENT_QUOTES, 'UTF-8'),''),
'$banner' => array('banner', t("Banner/Logo"), $banner, ""),
'$language' => array('language', t("System language"), get_config('system','language'), "", $lang_choices),
'$theme' => array('theme', t("System theme"), get_config('system','theme'), t("Default system theme - may be over-ridden by user profiles - <a href='#' id='cnftheme'>change theme settings</a>"), $theme_choices),
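Review bot: With an explicit `'UTF-8'` charset and no substitute flag, `htmlspecialchars()` returns an empty string when the stored value contains an invalid byte sequence, so a badly encoded site name would show as a blank field and could be saved back as empty. The old `$sitename` call passed no charset, so depending on the PHP version this may be a new failure mode for that field. If the minimum supported PHP is 5.4 or later, consider `htmlspecialchars(get_config('system','sitename'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same applies to the `$register_text` line in the next hunk and to `manual_config()` in mod/setup.php. The array literal continues outside this hunk.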
@@ -436,7 +436,7 @@ function admin_page_site(&$a) {
'$maximagesize' => array('maximagesize', t("Maximum image size"), get_config('system','maximagesize'), t("Maximum size in bytes of uploaded images. Default is 0, which means no limits.")),
'$register_policy' => array('register_policy', t("Register policy"), get_config('system','register_policy'), "", $register_choices),
'$access_policy' => array('access_policy', t("Access policy"), get_config('system','access_policy'), "", $access_choices),
- '$register_text' => array('register_text', t("Register text"), htmlentities(get_config('system','register_text'), ENT_QUOTES, 'UTF-8'), t("Will be displayed prominently on the registration page.")),
+ '$register_text' => array('register_text', t("Register text"), htmlspecialchars(get_config('system','register_text'), ENT_QUOTES, 'UTF-8'), t("Will be displayed prominently on the registration page.")),
'$abandon_days' => array('abandon_days', t('Accounts abandoned after x days'), get_config('system','account_abandon_days'), t('Will not waste system resources polling external sites for abandonded accounts. Enter 0 for no time limit.')),
'$allowed_sites' => array('allowed_sites', t("Allowed friend domains"), get_config('system','allowed_sites'), t("Comma separated list of domains which are allowed to establish friendships with this site. Wildcards are accepted. Empty to allow any domains")),
'$allowed_email' => array('allowed_email', t("Allowed email domains"), get_config('system','allowed_email'), t("Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains")),
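Review bot: Escaping is applied to `register_text` only, while the neighbouring `allowed_sites`, `allowed_email` and `account_abandon_days` values on the following lines go from `get_config()` into the same field arrays unescaped. Whether the template escapes field values is not visible here. If it does not, a quote or angle bracket in those settings breaks the form markup; if it does, the two pre-escaped fields are double-encoded. It would be safer to escape in one place, either by wrapping every free-text value the same way, e.g. `htmlspecialchars(get_config('system','allowed_sites'), ENT_QUOTES, 'UTF-8')`, or by doing it once in the field template. The array continues outside this hunk.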
diff --git a/mod/message.php b/mod/message.php
index a0382f63d..bee3b68f3 100644
--- a/mod/message.php
+++ b/mod/message.php
@@ -425,39 +425,7 @@ function message_content(&$a) {
foreach($messages as $message) {
- $s = $arr = '';
-
- if($message['attach'])
- $arr = json_decode_plus($message['attach']);
- if($arr) {
- $s .= '<div class="body-attach">';
- foreach($arr as $r) {
- $matches = false;
- $icon = '';
- $icontype = substr($r['type'],0,strpos($r['type'],'/'));
-
- switch($icontype) {
- case 'video':
- case 'audio':
- case 'image':
- case 'text':
- $icon = '<div class="attachtype icon s22 type-' . $icontype . '"></div>';
- break;
- default:
- $icon = '<div class="attachtype icon s22 type-unkn"></div>';
- break;
- }
-
- $title = htmlentities($r['title'], ENT_COMPAT,'UTF-8');
- if(! $title)
- $title = t('unknown.???');
- $title .= ' ' . $r['length'] . ' ' . t('bytes');
-
- $url = $a->get_baseurl() . '/magic?f=&hash=' . $message['from_xchan'] . '&dest=' . $r['href'] . '/' . $r['revision'];
- $s .= '<a href="' . $url . '" title="' . $title . '" class="attachlink" >' . $icon . '</a>';
- }
- $s .= '<div class="clear"></div></div>';
- }
+ $s = theme_attachments($message);
$mails[] = array(
'id' => $message['id'],
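Review bot: `theme_attachments()` is defined outside this diff, so it is worth confirming that it works on a mail row and not only on an item. The removed code read `$message['attach']` and built the link from `$message['from_xchan']`; if the helper expects a differently named author key, the `hash=` parameter would come out empty for mail attachments. The removed code also placed `$r['href']` and `$r['revision']` into the `href` attribute without escaping, so please check that the shared helper escapes or URL-encodes them. A short comment such as `// shared renderer; expects 'attach' plus the sender xchan key` above the call would record the contract. The `foreach` body continues outside this hunk.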
diff --git a/mod/setup.php b/mod/setup.php
index 429be43af..0198f1f09 100755
--- a/mod/setup.php
+++ b/mod/setup.php
@@ -543,7 +543,7 @@ function check_htaccess(&$checks) {
function manual_config(&$a) {
- $data = htmlentities($a->data['txt']);
+ $data = htmlspecialchars($a->data['txt'],ENT_COMPAT,'UTF-8');
$o = t('The database configuration file ".htconfig.php" could not be written. Please use the enclosed text to create a configuration file in your web server root.');
$o .= "<textarea rows=\"24\" cols=\"80\" >$data</textarea>";
return $o;
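Review bot: The flag choice here (`ENT_COMPAT`) differs from the `ENT_QUOTES` used in mod/admin.php, and nothing says why. It is correct because `$data` is interpolated into the body of the `<textarea>` and not into an attribute, so only `&`, `<` and `>` matter, but a reader comparing the two files may take it for an oversight. I would add a comment above the call, for example `// textarea body, not an attribute: ENT_COMPAT suffices; escaping stops the text closing the textarea early`.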