From 9eb8c3603330c2b10736613e15b81da0ba8d7354 Mon Sep 17 00:00:00 2001
From: Andrey Kutejko
Date: Fri, 28 Jun 2013 13:06:45 +0300
Subject: [PATCH] localize template safety

---
 ipf/template.php | 21 ---------------
 ipf/template/compiler.php | 51 +++++++++++++++++++------------------
 ipf/template/safestring.php | 18 ++++++++-----
 3 files changed, 38 insertions(+), 52 deletions(-)

diff --git a/ipf/template.php b/ipf/template.php
index 850dd4d..18c03ef 100644
--- a/ipf/template.php
+++ b/ipf/template.php
@@ -36,16 +36,6 @@ abstract class IPF_Template
 }
 }
-function IPF_Template_unsafe($string)
-{
- return new IPF_Template_SafeString($string, true);
-}
-
-function IPF_Template_htmlspecialchars($string)
-{
- return htmlspecialchars((string)$string, ENT_COMPAT, 'UTF-8');
-}
-
 function IPF_Template_dateFormat($date, $format='%b %e, %Y')
 {
 if (substr(PHP_OS,0,3) == 'WIN') {
@@ -67,14 +57,3 @@ function IPF_Template_floatFormat($number, $decimals=2, $dec_point='.', $thousan
 return number_format($number, $decimals, $dec_point, $thousands_sep);
 }
-function IPF_Template_safeEcho($mixed, $echo=true)
-{
- $result = (is_object($mixed) and 'IPF_Template_SafeString' === get_class($mixed))
- ? $mixed->value
- : htmlspecialchars((string) $mixed, ENT_COMPAT, 'UTF-8');
- if ($echo)
- echo $result;
- else
- return $result;
-}
-
diff --git a/ipf/template/compiler.php b/ipf/template/compiler.php
index f5d9a26..e55df54 100644
--- a/ipf/template/compiler.php
+++ b/ipf/template/compiler.php
@@ -28,34 +28,35 @@ class IPF_Template_Compiler
 self::$allowedForeach = array(T_AS, T_DOUBLE_ARROW, T_STRING, T_OBJECT_OPERATOR);
 }
- protected $_modifier = array('upper' => 'strtoupper',
- 'lower' => 'strtolower',
- 'escxml' => 'htmlspecialchars',
- 'escape' => 'IPF_Template_htmlspecialchars',
- 'strip_tags' => 'strip_tags',
- 'escurl' => 'rawurlencode',
- 'capitalize' => 'ucwords',
- // Not var_export because of recursive issues.
- 'debug' => 'print_r',
- 'fulldebug' => 'var_export',
- 'count' => 'count',
- 'nl2br' => 'nl2br',
- 'trim' => 'trim',
- 'unsafe' => 'IPF_Template_unsafe',
- 'safe' => 'IPF_Template_unsafe',
- 'date' => 'IPF_Template_dateFormat',
- 'time' => 'IPF_Template_timeFormat',
- 'floatformat' => 'IPF_Template_floatFormat',
- 'limit_words' => 'IPF_Utils::limitWords',
- );
+ protected $_modifier = array(
+ 'upper' => 'strtoupper',
+ 'lower' => 'strtolower',
+ 'escxml' => 'htmlspecialchars',
+ 'escape' => 'IPF_Utils::escape',
+ 'strip_tags' => 'strip_tags',
+ 'escurl' => 'rawurlencode',
+ 'capitalize' => 'ucwords',
+ 'debug' => 'print_r', // Not var_export because of recursive issues.
+ 'fulldebug' => 'var_export',
+ 'count' => 'count',
+ 'nl2br' => 'nl2br',
+ 'trim' => 'trim',
+ 'unsafe' => 'IPF_Template_SafeString::markSafe',
+ 'safe' => 'IPF_Template_SafeString::markSafe',
+ 'date' => 'IPF_Template_dateFormat',
+ 'time' => 'IPF_Template_timeFormat',
+ 'floatformat' => 'IPF_Template_floatFormat',
+ 'limit_words' => 'IPF_Utils::limitWords',
+ );
 protected $_literals;
 public $_usedModifiers = array();
 protected $_allowedTags = array(
- 'url' => 'IPF_Template_Tag_Url',
- );
+ 'url' => 'IPF_Template_Tag_Url',
+ );
+ protected $_extraTags = array();
 protected $_blockStack = array();
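Review bot: The `'escape'` entry now points at `IPF_Utils::escape`, which is not in this diff, while the wrapper it replaces (`IPF_Template_htmlspecialchars`, removed in ipf/template.php) cast its argument with `(string)` and pinned `ENT_COMPAT` and `'UTF-8'`; please confirm the new target does at least the same, otherwise `{$x|escape}` silently changes meaning for non-string values or in a non-UTF-8 default charset. In the same table `'escxml' => 'htmlspecialchars'` still relies on PHP's default flags and charset, which differ between PHP versions, so an explicit wrapper would make that modifier deterministic too. Since both `'safe'` and `'unsafe'` now map to `IPF_Template_SafeString::markSafe`, the table should say what that implies for template authors, e.g. `// 'safe'/'unsafe' bypass output escaping; apply only to markup that is already escaped or fully trusted.`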
@@ -197,7 +198,7 @@ class IPF_Template_Compiler
 }
 if (in_array($firstcar, array('$', '\'', '"'))) {
 if ('blocktrans' !== end($this->_blockStack)) {
- return '_parseVariable($tag).'); ?>';
+ return '_parseVariable($tag).'); ?>';
 } else {
 $tok = explode('|', $tag);
 $this->_transStack[substr($tok[0], 1)] = $this->_parseVariable($tag);
@@ -346,7 +347,7 @@ class IPF_Template_Compiler
 $res .= 'IPF_Translation::sprintf(_n($_b_t_s, $_b_t_p, $_b_t_c), array(';
 $_tmp = array();
 foreach ($this->_transStack as $key=>$_trans) {
- $_tmp[] = '\''.addslashes($key).'\' => IPF_Template_safeEcho('.$_trans.', false)';
+ $_tmp[] = '\''.addslashes($key).'\' => IPF_Template_SafeString::value('.$_trans.')';
 }
 $res .= implode(', ', $_tmp);
 unset($_trans, $_tmp);
@@ -360,7 +361,7 @@ class IPF_Template_Compiler
 $res .= 'echo(IPF_Translation::sprintf(__($_b_t_s), array(';
 $_tmp = array();
 foreach ($this->_transStack as $key=>$_trans) {
- $_tmp[] = '\''.addslashes($key).'\' => IPF_Template_safeEcho('.$_trans.', false)';
+ $_tmp[] = '\''.addslashes($key).'\' => IPF_Template_SafeString::value('.$_trans.')';
 }
 $res .= implode(', ', $_tmp);
 unset($_trans, $_tmp);
diff --git a/ipf/template/safestring.php b/ipf/template/safestring.php
index b8f76a7..0bd145b 100644
--- a/ipf/template/safestring.php
+++ b/ipf/template/safestring.php
@@ -4,13 +4,18 @@ class IPF_Template_SafeString
 {
 public $value = '';
+ public static function value($mixed, $safe=false)
+ {
+ if (is_object($mixed) and 'IPF_Template_SafeString' == get_class($mixed))
+ return $mixed->value;
+ if ($safe)
+ return $mixed;
+ return htmlspecialchars($mixed, ENT_COMPAT, 'UTF-8');
+ }
+
 function __construct($mixed, $safe=false)
 {
- if (is_object($mixed) and 'IPF_Template_SafeString' == get_class($mixed)) {
- $this->value = $mixed->value;
- } else {
- $this->value = ($safe) ? $mixed : htmlspecialchars($mixed, ENT_COMPAT, 'UTF-8');
- }
+ $this->value = self::value($mixed, $safe);
 }
 function __toString()
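Review bot: The `$_tmp[]` line in the `-346` hunk and the one in the `-360` hunk are now byte-identical, as are the three lines around them that build the `'key' => IPF_Template_SafeString::value(...)` list from `$this->_transStack`; a small private helper returning that list would keep the plural and singular blocktrans paths from drifting apart the next time escaping changes. The enclosing method starts and ends outside both hunks. Functionally the change looks right: the placeholder values still go through escaping unless they are already a SafeString, and `addslashes($key)` is sufficient for a key embedded in a single-quoted PHP literal.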
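Review bot: The new `IPF_Template_SafeString::value()` drops the `(string)` cast that the removed `IPF_Template_safeEcho` and `IPF_Template_htmlspecialchars` applied before `htmlspecialchars()`, so a non-string, non-SafeString value (null, an int, an object with `__toString`) now reaches `htmlspecialchars($mixed, ...)` uncast; depending on the PHP version that is a silent coercion, a deprecation notice, or a TypeError rather than the escaped text the caller expects. The same line keeps `ENT_COMPAT`, which leaves `'` unescaped, so a value placed inside a single-quoted HTML attribute is not neutralised; `ENT_QUOTES` closes that gap and is a one-word change: `return htmlspecialchars((string) $mixed, ENT_QUOTES, 'UTF-8');`. The class check `'IPF_Template_SafeString' == get_class($mixed)` is a loose string comparison of a class name and can be written as `if ($mixed instanceof self)` (note this also accepts subclasses, which may or may not be intended). A short docblock on `value()` stating that it is the single escaping point for template output, and that `$safe = true` returns the input verbatim, would make the "localize template safety" intent visible to the next reader.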
@@ -22,4 +27,5 @@ class IPF_Template_SafeString
 {
 return new IPF_Template_SafeString($string, true);
 }
-}
\ No newline at end of file
+}
+
-- 2.49.0