1 | <?php |
2 | /* | |
3 | +--------------------------------------------------------------------+ | |
39de6fd5 | 4 | | CiviCRM version 4.6 | |
a9396478 | 5 | +--------------------------------------------------------------------+ |
06b69b18 | 6 | | Copyright CiviCRM LLC (c) 2004-2014 | |
7 | +--------------------------------------------------------------------+ |
8 | | This file is a part of CiviCRM. | | |
9 | | | | |
10 | | CiviCRM is free software; you can copy, modify, and distribute it | | |
11 | | under the terms of the GNU Affero General Public License | | |
12 | | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. | | |
13 | | | | |
14 | | CiviCRM is distributed in the hope that it will be useful, but | | |
15 | | WITHOUT ANY WARRANTY; without even the implied warranty of | | |
16 | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | | |
17 | | See the GNU Affero General Public License for more details. | | |
18 | | | | |
19 | | You should have received a copy of the GNU Affero General Public | | |
20 | | License and the CiviCRM Licensing Exception along | | |
21 | | with this program; if not, contact CiviCRM LLC | | |
22 | | at info[AT]civicrm[DOT]org. If you have questions about the | | |
23 | | GNU Affero General Public License or the licensing of CiviCRM, | | |
24 | | see the CiviCRM license FAQ at http://civicrm.org/licensing | | |
25 | +--------------------------------------------------------------------+ | |
26 | */ | |
27 | ||
28 | /** | |
29 | * This class captures the encoding practices of CRM-5667 in a reusable | |
30 | * fashion. In this design, all submitted values are partially HTML-encoded | |
31 | * before saving to the database. If a DB reader needs to output in | |
32 | * non-HTML medium, then it should undo the partial HTML encoding. | |
33 | * | |
34 | * This class should be short-lived -- 4.3 should introduce an alternative | |
35 | * escaping scheme and consequently remove HTMLInputCoder. | |
36 | * | |
37 | * @package CRM | |
06b69b18 | 38 | * @copyright CiviCRM LLC (c) 2004-2014 |
39 | * $Id$ |
40 | * | |
41 | */ | |
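class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {

  /**
   * Lazily-built list of field names whose values are stored without HTML
   * encoding. NULL until getSkipFields() is first called.
   *
   * @var array<string>|null
   */
  private $skipFields = NULL;

  /**
   * @var CRM_Utils_API_HTMLInputCoder
   */
  private static $_singleton = NULL;

  /**
   * Get the shared coder instance, creating it on first use.
   *
   * @return CRM_Utils_API_HTMLInputCoder
   */
  public static function singleton() {
    if (self::$_singleton === NULL) {
      self::$_singleton = new self();
    }
    return self::$_singleton;
  }

  /**
   * List the field names that bypass encodeInput() and are stored verbatim.
   *
   * These fields legitimately carry markup or non-HTML payloads (message
   * bodies, templates, URLs, SQL, serialized data, ...). Because nothing is
   * encoded on the way in, any reader that renders one of them into an HTML
   * page must apply its own context-appropriate escaping.
   *
   * @return array<string> list of field names
   */
  public function getSkipFields() {
    if ($this->skipFields === NULL) {
      $this->skipFields = array(
        'widget_code',
        'html_message',
        'body_html',
        'msg_html',
        'description',
        'intro',
        'thankyou_text',
        'tf_thankyou_text',
        'intro_text',
        'page_text',
        'body_text',
        'footer_text',
        'thankyou_footer',
        'thankyou_footer_text',
        'new_text',
        'renewal_text',
        'help_pre',
        'help_post',
        'confirm_title',
        'confirm_text',
        'confirm_footer_text',
        'confirm_email_text',
        'event_full_text',
        'waitlist_text',
        'approval_req_text',
        'report_header',
        'report_footer',
        'cc_id',
        'bcc_id',
        'premiums_intro_text',
        'honor_block_text',
        'pay_later_text',
        'pay_later_receipt',
        'label', // This is needed for FROM Email Address configuration. dgg
        'url', // This is needed for navigation items urls
        'details',
        'msg_text', // message templates' text versions
        'text_message', // (send an) email to contact's and CiviMail's text version
        'data', // data i/p of persistent table
        'sqlQuery', // CRM-6673
        'pcp_title',
        'pcp_intro_text',
        'new', // The 'new' text in word replacements
        'replyto_email', // e.g. '"Full Name" <user@example.org>'
      );
    }
    return $this->skipFields;
  }

  /**
   * Partially HTML-encode submitted values in place, as a storage-time
   * mitigation against stored XSS.
   *
   * Only '<' and '>' are replaced (with '&lt;' and '&gt;'); '&' and quotes
   * are left untouched. This is deliberately partial and is NOT a substitute
   * for escaping at output time: it does not make a value safe inside an HTML
   * attribute, a URL or a script block, and a literal '&lt;' supplied by the
   * user is stored as-is and becomes indistinguishable from an encoded '<'.
   *
   * Arrays are walked recursively and every leaf is encoded, including
   * non-string scalars, which str_replace() casts to strings.
   *
   * @param array|string $values
   *   Value(s) to encode; modified in place.
   * @param bool $castToString
   *   If TRUE, all scalars will be filtered (and therefore cast to strings).
   *   If FALSE, then non-string values will be preserved.
   */
  public function encodeInput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        // Nested leaves are always cast: the recursive call forces TRUE.
        $this->encodeInput($value, TRUE);
      }
      // Release the by-reference cursor so the last element does not stay a
      // reference slot inside $values (it would alias on a later array copy).
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
    }
  }

  /**
   * Reverse encodeInput() for readers that output to a non-HTML medium.
   *
   * Replaces '&lt;' and '&gt;' with '<' and '>' in place. The result is raw,
   * unescaped text; do not emit it into an HTML context without escaping.
   * Arrays are walked recursively with the same cast-to-string behaviour as
   * encodeInput().
   *
   * @param array|string $values
   *   Value(s) to decode; modified in place.
   * @param bool $castToString
   *   If TRUE, all scalars will be filtered (and therefore cast to strings).
   *   If FALSE, then non-string values will be preserved.
   */
  public function decodeOutput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        $this->decodeOutput($value, TRUE);
      }
      // See encodeInput(): avoid leaving a dangling reference in $values.
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
    }
  }

}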