Rewrote the mailto function to not use eval when encoding with java…

…script

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- Rewrote the mailto function to not use `eval` when encoding with javascript
+
 ## [4.0.0] - 2021-11-25
 
 ## [4.0.0-rc.0] - 2021-10-13

libs/plugins/function.mailto.php

@@ -94,22 +94,19 @@ function smarty_function_mailto($params)
         );
         return;
     }
-    // FIXME: (rodneyrehm) document.write() excues me what? 1998 has passed!
     if ($encode === 'javascript') {
-        $string = 'document.write(\'<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>\');';
+	    $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
         $js_encode = '';
         for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
             $js_encode .= '%' . bin2hex($string[ $x ]);
         }
-        return '<script type="text/javascript">eval(unescape(\'' . $js_encode . '\'))</script>';
+        return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
     } elseif ($encode === 'javascript_charcode') {
         $string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
-        for ($x = 0, $y = strlen($string); $x < $y; $x++) {
+        for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
             $ord[] = ord($string[ $x ]);
         }
-        $_ret = "<script type=\"text/javascript\" language=\"javascript\">\n" . "{document.write(String.fromCharCode(" .
-                implode(',', $ord) . "))" . "}\n" . "</script>\n";
-        return $_ret;
+	    return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
     } elseif ($encode === 'hex') {
         preg_match('!^(.*)(\?.*)$!', $address, $match);
         if (!empty($match[ 2 ])) {