+--------------------------------------------------------------------+
| CiviCRM version 4.7                                                |
+--------------------------------------------------------------------+
| Copyright CiviCRM LLC (c) 2004-2015                                |
+--------------------------------------------------------------------+
| This file is a part of CiviCRM.                                    |
|                                                                    |
| CiviCRM is free software; you can copy, modify, and distribute it  |
| under the terms of the GNU Affero General Public License           |
| Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
|                                                                    |
| CiviCRM is distributed in the hope that it will be useful, but     |
| WITHOUT ANY WARRANTY; without even the implied warranty of         |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
| See the GNU Affero General Public License for more details.        |
|                                                                    |
| You should have received a copy of the GNU Affero General Public   |
| License and the CiviCRM Licensing Exception along                  |
| with this program; if not, contact CiviCRM LLC                     |
| at info[AT]civicrm[DOT]org. If you have questions about the        |
| GNU Affero General Public License or the licensing of CiviCRM,     |
| see the CiviCRM license FAQ at http://civicrm.org/licensing        |
+--------------------------------------------------------------------+
 * This class captures the encoding practices of CRM-5667 in a reusable
 * fashion. In this design, all submitted values are partially HTML-encoded
 * before saving to the database. If a DB reader needs to output in a
 * non-HTML medium, then it should undo the partial HTML encoding.
 *
 * This class should be short-lived -- 4.3 should introduce an alternative
 * escaping scheme and consequently remove HTMLInputCoder.
 *
 * @copyright CiviCRM LLC (c) 2004-2015
40 class CRM_Utils_API_HTMLInputCoder
extends CRM_Utils_API_AbstractFieldCoder
{
/**
 * Lazily built list of field names that are stored verbatim; populated on
 * first call to getSkipFields().
 *
 * @var array<string>|null
 */
private $skipFields;

/**
 * Process-wide instance handed out by singleton().
 *
 * @var CRM_Utils_API_HTMLInputCoder|null
 */
private static $_singleton;
/**
 * Return the shared coder instance, creating it on first use.
 *
 * @return CRM_Utils_API_HTMLInputCoder
 */
public static function singleton() {
  if (!isset(self::$_singleton)) {
    self::$_singleton = new self();
  }
  return self::$_singleton;
}
/**
 * Field names whose submitted values are kept as-is rather than run
 * through the '<'/'>' encoding of encodeInput().
 *
 * Anything listed here reaches the database unencoded, so code that
 * renders one of these fields into an HTML context has to escape it
 * itself. (The check that consults this list lives in the parent class,
 * which is not shown in this file.)
 *
 * NOTE(review): this copy of the list looks incomplete (the original line
 * numbering jumps between entries); confirm the full list against the
 * canonical source before relying on it.
 *
 * @return array<string> list of field names
 */
public function getSkipFields() {
  if (isset($this->skipFields)) {
    return $this->skipFields;
  }

  $this->skipFields = array(
    'thankyou_footer_text',
    'confirm_footer_text',
    'premiums_intro_text',
    // Needed for the FROM Email Address configuration.
    'label',
    // Needed for navigation item URLs.
    'url',
    // Text versions of message templates.
    'msg_text',
    // Text version of "send an email" to contact and of CiviMail.
    'text_message',
    // Data input of the persistent table.
    'data',
    // CRM-6673
    'sqlQuery',
    // The 'new' text in word replacements.
    'new',
    // e.g. '"Full Name" <user@example.org>'
    'replyto_email',
  );

  return $this->skipFields;
}
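/**
 * Partially HTML-encode submitted values before they are saved (CRM-5667).
 *
 * Only '<' and '>' are rewritten, to '&lt;' and '&gt;'. This is not a full
 * HTML escape: quotes and '&' are left untouched, so a value placed in an
 * HTML attribute, JavaScript or URL context still needs context-specific
 * escaping at output time. decodeOutput() reverses this transformation.
 *
 * @param array|string $values
 *   Modified in place. Arrays are walked recursively; every nested scalar
 *   is filtered (and therefore cast to string).
 * @param bool $castToString
 *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 *   If FALSE, then non-string values will be preserved.
 */
public function encodeInput(&$values, $castToString = FALSE) {
  if (is_array($values)) {
    foreach ($values as &$value) {
      $this->encodeInput($value, TRUE);
    }
    // Release the reference left by foreach-by-reference; otherwise a later
    // write to $value in this scope would silently overwrite the last element.
    unset($value);
  }
  elseif ($castToString || is_string($values)) {
    // The listing had the search and replacement arrays identical, which
    // makes the call a no-op; the encoding must map to the entities.
    $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
  }
}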
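/**
 * Undo the partial HTML encoding applied by encodeInput(), for readers that
 * emit values in a non-HTML medium (plain-text mail, exports, ...).
 *
 * Only '&lt;' and '&gt;' are rewritten back to '<' and '>'; any other
 * entity is left as stored. Because encodeInput() does not touch '&', a
 * literal "&lt;" in the submitted text is indistinguishable from an encoded
 * '<' and is decoded as well. The result is raw text and must be escaped
 * again before being reused in an HTML context.
 *
 * @param array|string $values
 *   Modified in place. Arrays are walked recursively; every nested scalar
 *   is filtered (and therefore cast to string).
 * @param bool $castToString
 *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 *   If FALSE, then non-string values will be preserved.
 */
public function decodeOutput(&$values, $castToString = FALSE) {
  if (is_array($values)) {
    foreach ($values as &$value) {
      $this->decodeOutput($value, TRUE);
    }
    // Release the reference left by foreach-by-reference.
    unset($value);
  }
  elseif ($castToString || is_string($values)) {
    // The listing had the search and replacement arrays identical, which
    // makes the call a no-op; decoding must map the entities back.
    $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
  }
}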