1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
232624b1 | 4 | | CiviCRM version 4.4 | |
5 | +--------------------------------------------------------------------+ |
6 | | Copyright CiviCRM LLC (c) 2004-2013 | | |
7 | +--------------------------------------------------------------------+ | |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | /** | |
29 | * This class captures the encoding practices of CRM-5667 in a reusable | |
30 | * fashion. In this design, all submitted values are partially HTML-encoded | |
31 | * before saving to the database. If a DB reader needs to output in | |
32 | * non-HTML medium, then it should undo the partial HTML encoding. | |
33 | * | |
34 | * This class should be short-lived -- 4.3 should introduce an alternative | |
35 | * escaping scheme and consequently remove HTMLInputCoder. | |
36 | * | |
37 | * @package CRM | |
38 | * @copyright CiviCRM LLC (c) 2004-2013 | |
39 | * $Id$ | |
40 | * | |
41 | */ | |
42 | ||
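class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  /**
   * Lazily built list of field names exempt from encoding; NULL until
   * getSkipFields() is first called.
   *
   * @var array<string>|null
   */
  private $skipFields = NULL;

  /**
   * @var CRM_Utils_API_HTMLInputCoder
   */
  private static $_singleton = NULL;

  /**
   * Return the shared instance, creating it on first use.
   *
   * @return CRM_Utils_API_HTMLInputCoder
   */
  public static function singleton() {
    if (self::$_singleton === NULL) {
      self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
    }
    return self::$_singleton;
  }

  /**
   * Field names whose values are stored WITHOUT the partial HTML encoding.
   *
   * These fields either legitimately carry markup (message bodies, page
   * text) or hold values that must round-trip byte-for-byte (URLs, SQL,
   * serialized data). NOTE(review): presumably consulted by the parent
   * coder to exempt fields -- confirm against CRM_Utils_API_AbstractFieldCoder.
   * Because a value in one of these fields reaches the database unencoded,
   * every reader that renders it must escape for its own output context.
   *
   * @return array<string> list of field names
   */
  public function getSkipFields() {
    if ($this->skipFields === NULL) {
      $this->skipFields = array(
        'widget_code',
        'html_message',
        'body_html',
        'msg_html',
        'description',
        'intro',
        'thankyou_text',
        'tf_thankyou_text',
        'intro_text',
        'page_text',
        'body_text',
        'footer_text',
        'thankyou_footer',
        'thankyou_footer_text',
        'new_text',
        'renewal_text',
        'help_pre',
        'help_post',
        'confirm_title',
        'confirm_text',
        'confirm_footer_text',
        'confirm_email_text',
        'event_full_text',
        'waitlist_text',
        'approval_req_text',
        'report_header',
        'report_footer',
        'cc_id',
        'bcc_id',
        'premiums_intro_text',
        'honor_block_text',
        'pay_later_text',
        'pay_later_receipt',
        'label', // This is needed for FROM Email Address configuration. dgg
        'url', // This is needed for navigation items urls
        'details',
        'msg_text', // message templates' text versions
        'text_message', // (send an) email to contact's and CiviMail's text version
        'data', // data i/p of persistent table
        'sqlQuery', // CRM-6673
        'pcp_title',
        'pcp_intro_text',
        'new', // The 'new' text in word replacements
      );
    }
    return $this->skipFields;
  }

  /**
   * Partially HTML-encode submitted values in place, as a defence against
   * stored XSS.
   *
   * Only '<' and '>' are replaced (with '&lt;' and '&gt;'). '&', quotes and
   * other characters are left untouched, so the stored value is NOT safe to
   * emit into an attribute, URL or JavaScript context without escaping for
   * that context. Arrays are walked recursively; nested scalars are always
   * cast to string, matching the original behaviour.
   *
   * @param array|string $values
   * @param bool $castToString If TRUE, all scalars will be filtered (and therefore cast to strings)
   *   If FALSE, then non-string values will be preserved
   */
  public function encodeInput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        $this->encodeInput($value, TRUE);
      }
      // Break the by-reference loop variable so it cannot alias the last element.
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      // Search and replacement lists must differ, or the call is a no-op.
      $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
    }
  }

  /**
   * Undo encodeInput() for output in a non-HTML medium (plain-text mail,
   * CSV, SQL, ...), in place.
   *
   * Maps '&lt;' and '&gt;' back to '<' and '>'. This is not an exact
   * inverse: because encodeInput() does not encode '&', a raw input that
   * already contained the literal text '&lt;' is also decoded to '<'.
   * Arrays are walked recursively; nested scalars are always cast to string.
   *
   * @param array|string $values
   * @param bool $castToString If TRUE, all scalars will be filtered (and therefore cast to strings)
   *   If FALSE, then non-string values will be preserved
   */
  public function decodeOutput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        $this->decodeOutput($value, TRUE);
      }
      // Break the by-reference loop variable so it cannot alias the last element.
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
    }
  }
}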