From 2573c75ec3ad87c887a47f7a3e35b6ab915373da Mon Sep 17 00:00:00 2001
From: thomasb
Date: Mon, 3 Nov 2008 08:01:18 +0000
Subject: Don't use addslashes() which could produce unexpected results when magic_quotes_sybase is on

git-svn-id: https://svn.roundcube.net/trunk@2032 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 roundcubemail/program/include/main.inc | 4 +++-
 roundcubemail/program/steps/mail/get.inc | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/roundcubemail/program/include/main.inc b/roundcubemail/program/include/main.inc
index 4ed25afaf..43a354919 100644
--- a/roundcubemail/program/include/main.inc
+++ b/roundcubemail/program/include/main.inc
@@ -347,6 +347,8 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
 }
 $xml_rep_table['"'] = '"';
+ $js_rep_table['"'] = '\\"';
+ $js_rep_table["'"] = "\\'";
 }
 // encode for XML
@@ -359,7 +361,7 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
 if ($charset!='UTF-8')
 $str = rcube_charset_convert($str, RCMAIL_CHARSET,$charset);
- return preg_replace(array("/\r?\n/", "/\r/", '/<\\//'), array('\n', '\n', '<\\/'), addslashes(strtr($str, $js_rep_table)));
+ return preg_replace(array("/\r?\n/", "/\r/", '/<\\//'), array('\n', '\n', '<\\/'), strtr($str, $js_rep_table));
 }
 // no encoding given -> return original string
diff --git a/roundcubemail/program/steps/mail/get.inc b/roundcubemail/program/steps/mail/get.inc
index fc3ee83ea..2d51ffc46 100644
--- a/roundcubemail/program/steps/mail/get.inc
+++ b/roundcubemail/program/steps/mail/get.inc
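Review bot: Dropping addslashes() in the second hunk's `return` line removes the only escaping of the backslash itself, and the two `$js_rep_table` entries added in the first hunk do not restore it; unless the table initialisation above the hunk already maps `\` to `\\`, an input such as `\"` is turned into `\\"` in the returned JavaScript literal, which terminates the string. One more entry beside the added ones closes the gap, `$js_rep_table['\\'] = '\\\\';` — strtr() with an array makes a single longest-match-first pass, so the backslashes it inserts for the quote entries are not themselves re-escaped, and the later preg_replace() for newlines and `</` still runs on the result unchanged. The NUL-byte escaping addslashes() also provided is gone as well; a `"\0"` entry can be added to the same table if the JS consumers need it. rep_specialchars_output() and the table initialisation both lie outside these hunks.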
@@ -90,7 +90,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
 $filename = $part->filename ? $part->filename : ($MESSAGE->subject ? $MESSAGE->subject : 'roundcube') . '.'.$ctype_secondary;
 $filename = abbreviate_string($part->filename, 55);
- $filename = $browser->ie ? rawurlencode($filename) : addslashes($filename);
+ $filename = $browser->ie ? rawurlencode($filename) : addcslashes($filename, '"');
 $disposition = !empty($_GET['_download']) ? 'attachment' : 'inline';
 header("Content-Disposition: $disposition; filename=\"$filename\"");
-- 
cgit v1.2.3
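Review bot: `addcslashes($filename, '"')` on the new line escapes the double quote but not the backslash, so a filename containing `\` followed by `"` is emitted as `\\"` inside the quoted-string on the `header()` line, where `\\` reads as an escaped backslash and the `"` ends the parameter; `addcslashes($filename, '"\\')` escapes both. The non-IE branch also leaves carriage returns and line feeds in `$filename` untouched (rawurlencode() on the IE branch encodes them), and relying on the PHP runtime's own header() checks for that is version-dependent, so stripping `\r` and `\n` before the header call is the safer choice. Unrelated to the change but visible on the context line, `abbreviate_string($part->filename, 55)` passes the raw part name rather than `$filename`, which discards the subject/'roundcube' fallback computed on the line before it. The enclosing `else if` block starts before the hunk.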