[civicrm-core.git] / CRM / Core / Smarty.php

<?php
/*
 +--------------------------------------------------------------------+
 | Copyright CiviCRM LLC. All rights reserved.                        |
 |                                                                    |
 | This work is published under the GNU AGPLv3 license with some      |
 | permitted exceptions and without any warranty. For full license    |
 | and copyright information, see https://civicrm.org/licensing       |
 +--------------------------------------------------------------------+
 */

/**
 *
 * @package CRM
 * @copyright CiviCRM LLC https://civicrm.org/licensing
 */

/**
 * Fix for bug CRM-392. Not sure if this is the best fix or it will impact
 * other similar PEAR packages. doubt it
 */
if (!class_exists('Smarty')) {
  require_once 'Smarty/Smarty.class.php';
}

/**
 *
 */
class CRM_Core_Smarty extends Smarty {
  const
    // use print.tpl and bypass the CMS. Civi prints a valid html file
    PRINT_PAGE = 1,
    // this and all the below bypasses the CMS html surrounding it and assumes we will embed this within other pages
    PRINT_SNIPPET = 2,
    // sends the generated html to the chosen pdf engine
    PRINT_PDF = 3,
    // this options also skips the enclosing form html and does not
    // generate any of the hidden fields, most notably qfKey
    // this is typically used in ajax scripts to embed form snippets based on user choices
    PRINT_NOFORM = 4,
    // this prints a complete form and also generates a qfKey, can we replace this with
    // snippet = 2?? Does the constant _NOFFORM do anything?
    PRINT_QFKEY = 5,
    // Note: added in v 4.3 with the value '6'
    // Value changed in 4.5 to 'json' for better readability
    // @see CRM_Core_Page_AJAX::returnJsonResponse
    PRINT_JSON = 'json';

  /**
   * We only need one instance of this object. So we use the singleton
   * pattern and cache the instance in this variable
   *
   * @var object
   */
  static private $_singleton = NULL;

  /**
   * Backup frames.
   *
   * A list of variables ot save temporarily in format (string $name => mixed $value).
   *
   * @var array
   */
  private $backupFrames = [];

  private function initialize() {
    $config = CRM_Core_Config::singleton();

    if (isset($config->customTemplateDir) && $config->customTemplateDir) {
      $this->template_dir = array_merge([$config->customTemplateDir],
        $config->templateDir
      );
    }
    else {
      $this->template_dir = $config->templateDir;
    }
    $this->compile_dir = CRM_Utils_File::addTrailingSlash(CRM_Utils_File::addTrailingSlash($config->templateCompileDir) . $this->getLocale());
    CRM_Utils_File::createDir($this->compile_dir);
    CRM_Utils_File::restrictAccess($this->compile_dir);

    // check and ensure it is writable
    // else we sometime suppress errors quietly and this results
    // in blank emails etc
    if (!is_writable($this->compile_dir)) {
      echo "CiviCRM does not have permission to write temp files in {$this->compile_dir}, Exiting";
      exit();
    }

    $this->use_sub_dirs = TRUE;

    $customPluginsDir = NULL;
    if (!empty($config->customPHPPathDir) || $config->customPHPPathDir === '0') {
      $customPluginsDir
        = $config->customPHPPathDir . DIRECTORY_SEPARATOR .
        'CRM' . DIRECTORY_SEPARATOR .
        'Core' . DIRECTORY_SEPARATOR .
        'Smarty' . DIRECTORY_SEPARATOR .
        'plugins' . DIRECTORY_SEPARATOR;
      if (!file_exists($customPluginsDir)) {
        $customPluginsDir = NULL;
      }
    }

    $pkgsDir = Civi::paths()->getVariable('civicrm.packages', 'path');
    $smartyDir = $pkgsDir . DIRECTORY_SEPARATOR . 'Smarty' . DIRECTORY_SEPARATOR;
    $pluginsDir = __DIR__ . DIRECTORY_SEPARATOR . 'Smarty' . DIRECTORY_SEPARATOR . 'plugins' . DIRECTORY_SEPARATOR;

    if ($customPluginsDir) {
      $this->plugins_dir = [$customPluginsDir, $smartyDir . 'plugins', $pluginsDir];
    }
    else {
      $this->plugins_dir = [$smartyDir . 'plugins', $pluginsDir];
    }

    $this->compile_check = $this->isCheckSmartyIsCompiled();

    // add the session and the config here
    $session = CRM_Core_Session::singleton();

    $this->assign_by_ref('config', $config);
    $this->assign_by_ref('session', $session);

    $tsLocale = CRM_Core_I18n::getLocale();
    $this->assign('tsLocale', $tsLocale);

    // CRM-7163 hack: we don’t display langSwitch on upgrades anyway
    if (!CRM_Core_Config::isUpgradeMode()) {
      $this->assign('langSwitch', CRM_Core_I18n::uiLanguages());
    }

    $this->register_function('crmURL', ['CRM_Utils_System', 'crmURL']);
    if (CRM_Utils_Constant::value('CIVICRM_SMARTY_DEFAULT_ESCAPE')) {
      // When default escape is enabled if the core escape is called before
      // any custom escaping is done the modifier_escape function is not
      // found, so require_once straight away. Note this was hit on the basic
      // contribution dashboard from RecentlyViewed.tpl
      require_once 'Smarty/plugins/modifier.escape.php';
      if (!isset($this->_plugins['modifier']['escape'])) {
        $this->register_modifier('escape', ['CRM_Core_Smarty', 'escape']);
      }
      $this->default_modifiers[] = 'escape:"htmlall"';
    }
    $this->load_filter('pre', 'resetExtScope');

    $this->assign('crmPermissions', new CRM_Core_Smarty_Permissions());

    if ($config->debug) {
      $this->error_reporting = E_ALL;
    }
  }

  /**
   * Static instance provider.
   *
   * Method providing static instance of SmartTemplate, as
   * in Singleton pattern.
   *
   * @return \CRM_Core_Smarty
   */
  public static function &singleton() {
    if (!isset(self::$_singleton)) {
      self::$_singleton = new CRM_Core_Smarty();
      self::$_singleton->initialize();

      self::registerStringResource();
    }
    return self::$_singleton;
  }

  /**
   * Executes & returns or displays the template results
   *
   * @param string $resource_name
   * @param string $cache_id
   * @param string $compile_id
   * @param bool $display
   *
   * @return bool|mixed|string
   */
  public function fetch($resource_name, $cache_id = NULL, $compile_id = NULL, $display = FALSE) {
    if (preg_match('/^(\s+)?string:/', $resource_name)) {
      $old_security = $this->security;
      $this->security = TRUE;
    }
    $output = parent::fetch($resource_name, $cache_id, $compile_id, $display);
    if (isset($old_security)) {
      $this->security = $old_security;
    }
    return $output;
  }

  /**
   * Ensure these variables are set to make it easier to access them without e-notice.
   *
   * @param array $variables
   */
  public function ensureVariablesAreAssigned(array $variables): void {
    foreach ($variables as $variable) {
      if (!isset($this->get_template_vars()[$variable])) {
        $this->assign($variable);
      }
    }
  }

  /**
   * Fetch a template (while using certain variables)
   *
   * @param string $resource_name
   * @param array $vars
   *   (string $name => mixed $value) variables to export to Smarty.
   * @throws Exception
   * @return bool|mixed|string
   */
  public function fetchWith($resource_name, $vars) {
    $this->pushScope($vars);
    try {
      $result = $this->fetch($resource_name);
    }
    catch (Exception $e) {
      // simulate try { ... } finally { ... }
      $this->popScope();
      throw $e;
    }
    $this->popScope();
    return $result;
  }

  /**
   * @param string $name
   * @param $value
   */
  public function appendValue($name, $value) {
    $currentValue = $this->get_template_vars($name);
    if (!$currentValue) {
      $this->assign($name, $value);
    }
    else {
      if (strpos($currentValue, $value) === FALSE) {
        $this->assign($name, $currentValue . $value);
      }
    }
  }

  public function clearTemplateVars() {
    foreach (array_keys($this->_tpl_vars) as $key) {
      if ($key == 'config' || $key == 'session') {
        continue;
      }
      unset($this->_tpl_vars[$key]);
    }
  }

  public static function registerStringResource() {
    require_once 'CRM/Core/Smarty/resources/String.php';
    civicrm_smarty_register_string_resource();
  }

  /**
   * @param $path
   */
  public function addTemplateDir($path) {
    if (is_array($this->template_dir)) {
      array_unshift($this->template_dir, $path);
    }
    else {
      $this->template_dir = [$path, $this->template_dir];
    }

  }

  /**
   * Temporarily assign a list of variables.
   *
   * ```
   * $smarty->pushScope(array(
   *   'first_name' => 'Alice',
   *   'last_name' => 'roberts',
   * ));
   * $html = $smarty->fetch('view-contact.tpl');
   * $smarty->popScope();
   * ```
   *
   * @param array $vars
   *   (string $name => mixed $value).
   * @return CRM_Core_Smarty
   * @see popScope
   */
  public function pushScope($vars) {
    $oldVars = $this->get_template_vars();
    $backupFrame = [];
    foreach ($vars as $key => $value) {
      $backupFrame[$key] = $oldVars[$key] ?? NULL;
    }
    $this->backupFrames[] = $backupFrame;

    $this->assignAll($vars);

    return $this;
  }

  /**
   * Remove any values that were previously pushed.
   *
   * @return CRM_Core_Smarty
   * @see pushScope
   */
  public function popScope() {
    $this->assignAll(array_pop($this->backupFrames));
    return $this;
  }

  /**
   * @param array $vars
   *   (string $name => mixed $value).
   * @return CRM_Core_Smarty
   */
  public function assignAll($vars) {
    foreach ($vars as $key => $value) {
      $this->assign($key, $value);
    }
    return $this;
  }

  /**
   * Get the locale for translation.
   *
   * @return string
   */
  private function getLocale() {
    $tsLocale = CRM_Core_I18n::getLocale();
    if (!empty($tsLocale)) {
      return $tsLocale;
    }

    $config = CRM_Core_Config::singleton();
    if (!empty($config->lcMessages)) {
      return $config->lcMessages;
    }

    return 'en_US';
  }

  /**
   * Get the compile_check value.
   *
   * @return bool
   */
  private function isCheckSmartyIsCompiled() {
    // check for define in civicrm.settings.php as FALSE, otherwise returns TRUE
    return CRM_Utils_Constant::value('CIVICRM_TEMPLATE_COMPILE_CHECK', TRUE);
  }

  /**
   * Smarty escape modifier plugin.
   *
   * This replaces the core smarty modifier and basically does a lot of
   * early-returning before calling the core function.
   *
   * It early returns on patterns that are common 'no-escape' patterns
   * in CiviCRM - this list can be honed over time.
   *
   * It also logs anything that is actually escaped. Since this only kicks
   * in when CIVICRM_SMARTY_DEFAULT_ESCAPE is defined it is ok to be aggressive
   * about logging as we mostly care about developers using it at this stage.
   *
   * Note we don't actually use 'htmlall' anywhere in our tpl layer yet so
   * anything coming in with this be happening because of the default modifier.
   *
   * Also note the right way to opt a field OUT of escaping is
   * ``{$fieldName|smarty:nodefaults}``
   * This should be used for fields with known html AND for fields where
   * we are doing empty or isset checks - as otherwise the value is passed for
   * escaping first so you still get an enotice for 'empty' or a fatal for 'isset'
   *
   * Type:     modifier<br>
   * Name:     escape<br>
   * Purpose:  Escape the string according to escapement type
   *
   * @link http://smarty.php.net/manual/en/language.modifier.escape.php
   *          escape (Smarty online manual)
   * @author   Monte Ohrt <monte at ohrt dot com>
   *
   * @param string $string
   * @param string $esc_type
   * @param string $char_set
   *
   * @return string
   */
  public static function escape($string, $esc_type = 'html', $char_set = 'UTF-8') {
    // CiviCRM variables are often arrays - just handle them.
    // The early return on booleans & numbers is mostly to prevent them being
    // logged as 'changed' when they are cast to a string.
    if (!is_scalar($string) || empty($string) || is_bool($string) || is_numeric($string) || $esc_type === 'none') {
      return $string;
    }
    if ($esc_type === 'htmlall') {
      // 'htmlall' is the nothing-specified default.
      // Don't escape things we think quickform added.
      if (strpos($string, '<input') === 0
        || strpos($string, '<select') === 0
        // Not handling as yet but these ones really should get some love.
        || strpos($string, '<label') === 0
        || strpos($string, '<button') === 0
        || strpos($string, '<span class="crm-frozen-field">') === 0
        || strpos($string, '<textarea') === 0

        // The ones below this point are hopefully here short term.
        || strpos($string, '<a') === 0
        // Message templates screen
        || strpos($string, '<span><a href') === 0
        // Not sure how big a pattern this is - used in Pledge view tab
        // not sure if it needs escaping
        || strpos($string, ' action="/civicrm/') === 0
        // eg. Tag edit page, civicrm/admin/financial/financialType/accounts?action=add&reset=1&aid=1
        || strpos($string, ' action="" method="post"') === 0
        // This seems to be urls...
        || strpos($string, '/civicrm/') === 0
        // Validation error message - eg. <span class="crm-error">Tournament Fees is a required field.</span>
        || strpos($string, '
    <span class="crm-error">') === 0
        // e.g from participant tab class="action-item" href=/civicrm/contact/view/participant?reset=1&amp;action=add&amp;cid=142&amp;context=participant
        || strpos($string, 'class="action-item" href=/civicrm/"') === 0
      ) {
        // Do not escape the above common patterns.
        return $string;
      }
    }

    $value = smarty_modifier_escape($string, $esc_type, $char_set);
    if ($value !== $string) {
      Civi::log()->debug('smarty escaping original {original}, escaped {escaped} type {type} charset {charset}', [
        'original' => $string,
        'escaped' => $value,
        'type' => $esc_type,
        'charset' => $char_set,
      ]);
    }
    return $value;
  }

}
Commit	Line	Data
6a488035 TO	1	<?php
	2	/*
	3	+--------------------------------------------------------------------+
bc77d7c0	4	\| Copyright CiviCRM LLC. All rights reserved. \|
6a488035	5	\| \|
bc77d7c0 TO	6	\| This work is published under the GNU AGPLv3 license with some \|
	7	\| permitted exceptions and without any warranty. For full license \|
	8	\| and copyright information, see https://civicrm.org/licensing \|
6a488035	9	+--------------------------------------------------------------------+
d25dd0ee	10	*/
6a488035 TO	11
	12	/**
	13	*
	14	* @package CRM
ca5cec67	15	* @copyright CiviCRM LLC https://civicrm.org/licensing
6a488035 TO	16	*/
	17
	18	/**
	19	* Fix for bug CRM-392. Not sure if this is the best fix or it will impact
	20	* other similar PEAR packages. doubt it
	21	*/
	22	if (!class_exists('Smarty')) {
	23	require_once 'Smarty/Smarty.class.php';
	24	}
	25
	26	/**
	27	*
	28	*/
	29	class CRM_Core_Smarty extends Smarty {
7da04cde	30	const
6a488035 TO	31	// use print.tpl and bypass the CMS. Civi prints a valid html file
6a488035 TO	32	PRINT_PAGE = 1,
da3c7979	33	// this and all the below bypasses the CMS html surrounding it and assumes we will embed this within other pages
6a488035 TO	34	PRINT_SNIPPET = 2,
	35	// sends the generated html to the chosen pdf engine
	36	PRINT_PDF = 3,
	37	// this options also skips the enclosing form html and does not
	38	// generate any of the hidden fields, most notably qfKey
	39	// this is typically used in ajax scripts to embed form snippets based on user choices
	40	PRINT_NOFORM = 4,
	41	// this prints a complete form and also generates a qfKey, can we replace this with
	42	// snippet = 2?? Does the constant _NOFFORM do anything?
	43	PRINT_QFKEY = 5,
fc05b8da CW	44	// Note: added in v 4.3 with the value '6'
	45	// Value changed in 4.5 to 'json' for better readability
	46	// @see CRM_Core_Page_AJAX::returnJsonResponse
	47	PRINT_JSON = 'json';
6a488035 TO	48
	49	/**
	50	* We only need one instance of this object. So we use the singleton
	51	* pattern and cache the instance in this variable
	52	*
	53	* @var object
6a488035 TO	54	*/
	55	static private $_singleton = NULL;
	56
17f267d6	57	/**
e97c66ff	58	* Backup frames.
	59	*
	60	* A list of variables ot save temporarily in format (string $name => mixed $value).
	61	*
	62	* @var array
17f267d6	63	*/
be2fb01f	64	private $backupFrames = [];
17f267d6	65
2aa397bc	66	private function initialize() {
6a488035 TO	67	$config = CRM_Core_Config::singleton();
	68
	69	if (isset($config->customTemplateDir) && $config->customTemplateDir) {
be2fb01f	70	$this->template_dir = array_merge([$config->customTemplateDir],
6a488035 TO	71	$config->templateDir
	72	);
	73	}
	74	else {
	75	$this->template_dir = $config->templateDir;
	76	}
635f0b86 TO	77	$this->compile_dir = CRM_Utils_File::addTrailingSlash(CRM_Utils_File::addTrailingSlash($config->templateCompileDir) . $this->getLocale());
	78	CRM_Utils_File::createDir($this->compile_dir);
	79	CRM_Utils_File::restrictAccess($this->compile_dir);
6a488035 TO	80
	81	// check and ensure it is writable
	82	// else we sometime suppress errors quietly and this results
	83	// in blank emails etc
	84	if (!is_writable($this->compile_dir)) {
	85	echo "CiviCRM does not have permission to write temp files in {$this->compile_dir}, Exiting";
	86	exit();
	87	}
	88
4d03ddb9	89	$this->use_sub_dirs = TRUE;
6a488035 TO	90
6a488035 TO	91	$customPluginsDir = NULL;
dec3a1c8	92	if (!empty($config->customPHPPathDir) \|\| $config->customPHPPathDir === '0') {
e7483cbe J	93	$customPluginsDir
e7483cbe J	94	= $config->customPHPPathDir . DIRECTORY_SEPARATOR .
353ffa53 TO	95	'CRM' . DIRECTORY_SEPARATOR .
	96	'Core' . DIRECTORY_SEPARATOR .
	97	'Smarty' . DIRECTORY_SEPARATOR .
	98	'plugins' . DIRECTORY_SEPARATOR;
6a488035 TO	99	if (!file_exists($customPluginsDir)) {
	100	$customPluginsDir = NULL;
	101	}
	102	}
	103
39c2241c TO	104	$pkgsDir = Civi::paths()->getVariable('civicrm.packages', 'path');
39c2241c TO	105	$smartyDir = $pkgsDir . DIRECTORY_SEPARATOR . 'Smarty' . DIRECTORY_SEPARATOR;
94dbed1f TO	106	$pluginsDir = __DIR__ . DIRECTORY_SEPARATOR . 'Smarty' . DIRECTORY_SEPARATOR . 'plugins' . DIRECTORY_SEPARATOR;
94dbed1f TO	107
6a488035	108	if ($customPluginsDir) {
be2fb01f	109	$this->plugins_dir = [$customPluginsDir, $smartyDir . 'plugins', $pluginsDir];
6a488035 TO	110	}
6a488035 TO	111	else {
be2fb01f	112	$this->plugins_dir = [$smartyDir . 'plugins', $pluginsDir];
6a488035 TO	113	}
6a488035 TO	114
d938f496 LS	115	$this->compile_check = $this->isCheckSmartyIsCompiled();
d938f496 LS	116
6a488035 TO	117	// add the session and the config here
	118	$session = CRM_Core_Session::singleton();
	119
	120	$this->assign_by_ref('config', $config);
	121	$this->assign_by_ref('session', $session);
	122
98466ff9	123	$tsLocale = CRM_Core_I18n::getLocale();
6a488035 TO	124	$this->assign('tsLocale', $tsLocale);
	125
	126	// CRM-7163 hack: we don’t display langSwitch on upgrades anyway
	127	if (!CRM_Core_Config::isUpgradeMode()) {
921ed8ae	128	$this->assign('langSwitch', CRM_Core_I18n::uiLanguages());
6a488035 TO	129	}
6a488035 TO	130
be2fb01f	131	$this->register_function('crmURL', ['CRM_Utils_System', 'crmURL']);
737a7783	132	if (CRM_Utils_Constant::value('CIVICRM_SMARTY_DEFAULT_ESCAPE')) {
bb29792f EM	133	// When default escape is enabled if the core escape is called before
	134	// any custom escaping is done the modifier_escape function is not
	135	// found, so require_once straight away. Note this was hit on the basic
	136	// contribution dashboard from RecentlyViewed.tpl
	137	require_once 'Smarty/plugins/modifier.escape.php';
737a7783 EM	138	if (!isset($this->_plugins['modifier']['escape'])) {
	139	$this->register_modifier('escape', ['CRM_Core_Smarty', 'escape']);
	140	}
	141	$this->default_modifiers[] = 'escape:"htmlall"';
	142	}
d9aa1c6b	143	$this->load_filter('pre', 'resetExtScope');
abbf7b48 TO	144
abbf7b48 TO	145	$this->assign('crmPermissions', new CRM_Core_Smarty_Permissions());
66b33745 CW	146
	147	if ($config->debug) {
	148	$this->error_reporting = E_ALL;
	149	}
6a488035 TO	150	}
	151
	152	/**
	153	* Static instance provider.
	154	*
	155	* Method providing static instance of SmartTemplate, as
	156	* in Singleton pattern.
01a5461d	157	*
01a5461d	158	* @return \CRM_Core_Smarty
6a488035	159	*/
00be9182	160	public static function &singleton() {
6a488035	161	if (!isset(self::$_singleton)) {
481a74f4 TO	162	self::$_singleton = new CRM_Core_Smarty();
481a74f4 TO	163	self::$_singleton->initialize();
6a488035 TO	164
	165	self::registerStringResource();
	166	}
	167	return self::$_singleton;
	168	}
	169
	170	/**
100fef9d	171	* Executes & returns or displays the template results
6a488035 TO	172	*
	173	* @param string $resource_name
	174	* @param string $cache_id
	175	* @param string $compile_id
6a0b768e	176	* @param bool $display
77b97be7 EM	177	*
77b97be7 EM	178	* @return bool\|mixed\|string
6a488035	179	*/
00be9182	180	public function fetch($resource_name, $cache_id = NULL, $compile_id = NULL, $display = FALSE) {
481a74f4	181	if (preg_match('/^(\s+)?string:/', $resource_name)) {
7155133f ND	182	$old_security = $this->security;
	183	$this->security = TRUE;
	184	}
	185	$output = parent::fetch($resource_name, $cache_id, $compile_id, $display);
	186	if (isset($old_security)) {
	187	$this->security = $old_security;
	188	}
	189	return $output;
6a488035 TO	190	}
6a488035 TO	191
faed105b EM	192	/**
	193	* Ensure these variables are set to make it easier to access them without e-notice.
	194	*
	195	* @param array $variables
	196	*/
	197	public function ensureVariablesAreAssigned(array $variables): void {
	198	foreach ($variables as $variable) {
	199	if (!isset($this->get_template_vars()[$variable])) {
	200	$this->assign($variable);
	201	}
	202	}
	203	}
	204
9b7526a8 TO	205	/**
	206	* Fetch a template (while using certain variables)
	207	*
	208	* @param string $resource_name
6a0b768e TO	209	* @param array $vars
6a0b768e TO	210	* (string $name => mixed $value) variables to export to Smarty.
9b7526a8 TO	211	* @throws Exception
	212	* @return bool\|mixed\|string
	213	*/
00be9182	214	public function fetchWith($resource_name, $vars) {
9b7526a8 TO	215	$this->pushScope($vars);
	216	try {
	217	$result = $this->fetch($resource_name);
0db6c3e1 TO	218	}
0db6c3e1 TO	219	catch (Exception $e) {
9b7526a8 TO	220	// simulate try { ... } finally { ... }
	221	$this->popScope();
	222	throw $e;
	223	}
	224	$this->popScope();
	225	return $result;
	226	}
	227
a0ee3941	228	/**
100fef9d	229	* @param string $name
a0ee3941 EM	230	* @param $value
a0ee3941 EM	231	*/
00be9182	232	public function appendValue($name, $value) {
6a488035 TO	233	$currentValue = $this->get_template_vars($name);
	234	if (!$currentValue) {
	235	$this->assign($name, $value);
	236	}
	237	else {
	238	if (strpos($currentValue, $value) === FALSE) {
	239	$this->assign($name, $currentValue . $value);
	240	}
	241	}
	242	}
	243
00be9182	244	public function clearTemplateVars() {
6a488035 TO	245	foreach (array_keys($this->_tpl_vars) as $key) {
	246	if ($key == 'config' \|\| $key == 'session') {
	247	continue;
	248	}
	249	unset($this->_tpl_vars[$key]);
	250	}
	251	}
	252
00be9182	253	public static function registerStringResource() {
6a488035 TO	254	require_once 'CRM/Core/Smarty/resources/String.php';
	255	civicrm_smarty_register_string_resource();
	256	}
	257
a0ee3941 EM	258	/**
	259	* @param $path
	260	*/
00be9182	261	public function addTemplateDir($path) {
481a74f4 TO	262	if (is_array($this->template_dir)) {
481a74f4 TO	263	array_unshift($this->template_dir, $path);
0db6c3e1 TO	264	}
0db6c3e1 TO	265	else {
be2fb01f	266	$this->template_dir = [$path, $this->template_dir];
6a488035 TO	267	}
	268
	269	}
17f267d6 TO	270
	271	/**
	272	* Temporarily assign a list of variables.
	273	*
0b882a86	274	* ```
17f267d6 TO	275	* $smarty->pushScope(array(
	276	* 'first_name' => 'Alice',
	277	* 'last_name' => 'roberts',
	278	* ));
	279	* $html = $smarty->fetch('view-contact.tpl');
	280	* $smarty->popScope();
0b882a86	281	* ```
17f267d6	282	*
6a0b768e TO	283	* @param array $vars
6a0b768e TO	284	* (string $name => mixed $value).
17f267d6 TO	285	* @return CRM_Core_Smarty
	286	* @see popScope
	287	*/
	288	public function pushScope($vars) {
	289	$oldVars = $this->get_template_vars();
be2fb01f	290	$backupFrame = [];
17f267d6	291	foreach ($vars as $key => $value) {
2e1f50d6	292	$backupFrame[$key] = $oldVars[$key] ?? NULL;
17f267d6 TO	293	}
	294	$this->backupFrames[] = $backupFrame;
	295
	296	$this->assignAll($vars);
	297
	298	return $this;
	299	}
	300
	301	/**
	302	* Remove any values that were previously pushed.
	303	*
	304	* @return CRM_Core_Smarty
	305	* @see pushScope
	306	*/
	307	public function popScope() {
	308	$this->assignAll(array_pop($this->backupFrames));
	309	return $this;
	310	}
	311
	312	/**
6a0b768e TO	313	* @param array $vars
6a0b768e TO	314	* (string $name => mixed $value).
17f267d6 TO	315	* @return CRM_Core_Smarty
	316	*/
	317	public function assignAll($vars) {
	318	foreach ($vars as $key => $value) {
	319	$this->assign($key, $value);
	320	}
	321	return $this;
	322	}
96025800	323
f2ac86d1	324	/**
	325	* Get the locale for translation.
	326	*
	327	* @return string
	328	*/
635f0b86	329	private function getLocale() {
98466ff9	330	$tsLocale = CRM_Core_I18n::getLocale();
635f0b86 TO	331	if (!empty($tsLocale)) {
	332	return $tsLocale;
	333	}
	334
	335	$config = CRM_Core_Config::singleton();
	336	if (!empty($config->lcMessages)) {
	337	return $config->lcMessages;
	338	}
	339
	340	return 'en_US';
	341	}
	342
d938f496 LS	343	/**
	344	* Get the compile_check value.
	345	*
	346	* @return bool
	347	*/
	348	private function isCheckSmartyIsCompiled() {
	349	// check for define in civicrm.settings.php as FALSE, otherwise returns TRUE
	350	return CRM_Utils_Constant::value('CIVICRM_TEMPLATE_COMPILE_CHECK', TRUE);
	351	}
	352
737a7783 EM	353	/**
	354	* Smarty escape modifier plugin.
	355	*
	356	* This replaces the core smarty modifier and basically does a lot of
	357	* early-returning before calling the core function.
	358	*
	359	* It early returns on patterns that are common 'no-escape' patterns
	360	* in CiviCRM - this list can be honed over time.
	361	*
	362	* It also logs anything that is actually escaped. Since this only kicks
	363	* in when CIVICRM_SMARTY_DEFAULT_ESCAPE is defined it is ok to be aggressive
	364	* about logging as we mostly care about developers using it at this stage.
	365	*
	366	* Note we don't actually use 'htmlall' anywhere in our tpl layer yet so
	367	* anything coming in with this be happening because of the default modifier.
	368	*
	369	* Also note the right way to opt a field OUT of escaping is
	370	* ``{$fieldName\|smarty:nodefaults}``
	371	* This should be used for fields with known html AND for fields where
	372	* we are doing empty or isset checks - as otherwise the value is passed for
	373	* escaping first so you still get an enotice for 'empty' or a fatal for 'isset'
	374	*
	375	* Type: modifier<br>
	376	* Name: escape<br>
	377	* Purpose: Escape the string according to escapement type
	378	*
	379	* @link http://smarty.php.net/manual/en/language.modifier.escape.php
	380	* escape (Smarty online manual)
	381	* @author Monte Ohrt <monte at ohrt dot com>
	382	*
	383	* @param string $string
	384	* @param string $esc_type
	385	* @param string $char_set
	386	*
	387	* @return string
	388	*/
5076f986	389	public static function escape($string, $esc_type = 'html', $char_set = 'UTF-8') {
737a7783 EM	390	// CiviCRM variables are often arrays - just handle them.
	391	// The early return on booleans & numbers is mostly to prevent them being
	392	// logged as 'changed' when they are cast to a string.
	393	if (!is_scalar($string) \|\| empty($string) \|\| is_bool($string) \|\| is_numeric($string) \|\| $esc_type === 'none') {
	394	return $string;
	395	}
	396	if ($esc_type === 'htmlall') {
	397	// 'htmlall' is the nothing-specified default.
	398	// Don't escape things we think quickform added.
	399	if (strpos($string, '<input') === 0
	400	\|\| strpos($string, '<select') === 0
	401	// Not handling as yet but these ones really should get some love.
	402	\|\| strpos($string, '<label') === 0
	403	\|\| strpos($string, '<button') === 0
	404	\|\| strpos($string, '<span class="crm-frozen-field">') === 0
	405	\|\| strpos($string, '<textarea') === 0
	406
	407	// The ones below this point are hopefully here short term.
	408	\|\| strpos($string, '<a') === 0
8706c53a EM	409	// Message templates screen
8706c53a EM	410	\|\| strpos($string, '<span><a href') === 0
737a7783 EM	411	// Not sure how big a pattern this is - used in Pledge view tab
	412	// not sure if it needs escaping
	413	\|\| strpos($string, ' action="/civicrm/') === 0
8706c53a EM	414	// eg. Tag edit page, civicrm/admin/financial/financialType/accounts?action=add&reset=1&aid=1
8706c53a EM	415	\|\| strpos($string, ' action="" method="post"') === 0
737a7783 EM	416	// This seems to be urls...
	417	\|\| strpos($string, '/civicrm/') === 0
	418	// Validation error message - eg. <span class="crm-error">Tournament Fees is a required field.</span>
	419	\|\| strpos($string, '
	420	<span class="crm-error">') === 0
	421	// e.g from participant tab class="action-item" href=/civicrm/contact/view/participant?reset=1&action=add&cid=142&context=participant
	422	\|\| strpos($string, 'class="action-item" href=/civicrm/"') === 0
	423	) {
	424	// Do not escape the above common patterns.
	425	return $string;
	426	}
	427	}
bb29792f	428
737a7783 EM	429	$value = smarty_modifier_escape($string, $esc_type, $char_set);
	430	if ($value !== $string) {
	431	Civi::log()->debug('smarty escaping original {original}, escaped {escaped} type {type} charset {charset}', [
	432	'original' => $string,
	433	'escaped' => $value,
	434	'type' => $esc_type,
	435	'charset' => $char_set,
	436	]);
	437	}
	438	return $value;
	439	}
	440
6a488035	441	}