CRM/Utils/API/HTMLInputCoder.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 5                                                  |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2018                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 /**
  29  * This class captures the encoding practices of CRM-5667 in a reusable
  30  * fashion.  In this design, all submitted values are partially HTML-encoded
  31  * before saving to the database.  If a DB reader needs to output in
  32  * non-HTML medium, then it should undo the partial HTML encoding.
  33  *
  34  * This class should be short-lived -- 4.3 should introduce an alternative
  35  * escaping scheme and consequently remove HTMLInputCoder.
  36  *
  37  * @package CRM
  38  * @copyright CiviCRM LLC (c) 2004-2018
  39  */
  40 class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  41   private $skipFields = NULL;
  42
  43   /**
  44    * @var CRM_Utils_API_HTMLInputCoder
  45    */
  46   private static $_singleton = NULL;
  47
  48   /**
  49    * @return CRM_Utils_API_HTMLInputCoder
  50    */
  51   public static function singleton() {
  52     if (self::$_singleton === NULL) {
  53       self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  54     }
  55     return self::$_singleton;
  56   }
  57
  58   /**
  59    * Get skipped fields.
  60    *
  61    * @return array<string>
  62    *   list of field names
  63    */
  64   public function getSkipFields() {
  65     if ($this->skipFields === NULL) {
  66       $this->skipFields = array(
  67         'widget_code',
  68         'html_message',
  69         'body_html',
  70         'msg_html',
  71         'description',
  72         'intro',
  73         'thankyou_text',
  74         'tf_thankyou_text',
  75         'intro_text',
  76         'page_text',
  77         'body_text',
  78         'footer_text',
  79         'thankyou_footer',
  80         'thankyou_footer_text',
  81         'new_text',
  82         'renewal_text',
  83         'help_pre',
  84         'help_post',
  85         'confirm_title',
  86         'confirm_text',
  87         'confirm_footer_text',
  88         'confirm_email_text',
  89         'event_full_text',
  90         'waitlist_text',
  91         'approval_req_text',
  92         'report_header',
  93         'report_footer',
  94         'cc_id',
  95         'bcc_id',
  96         'premiums_intro_text',
  97         'honor_block_text',
  98         'pay_later_text',
  99         'pay_later_receipt',
 100         'label', // This is needed for FROM Email Address configuration. dgg
 101         'url', // This is needed for navigation items urls
 102         'details',
 103         'msg_text', // message templates’ text versions
 104         'text_message', // (send an) email to contact’s and CiviMail’s text version
 105         'data', // data i/p of persistent table
 106         'sqlQuery', // CRM-6673
 107         'pcp_title',
 108         'pcp_intro_text',
 109         'new', // The 'new' text in word replacements
 110         'replyto_email', // e.g. '"Full Name" <user@example.org>'
 111         'operator',
 112         'content', // CRM-20468
 113       );
 114     }
 115     return $this->skipFields;
 116   }
 117
 118   /**
 119    * going to filter the
 120    * submitted values across XSS vulnerability.
 121    *
 122    * @param array|string $values
 123    * @param bool $castToString
 124    *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 125    *    If FALSE, then non-string values will be preserved
 126    */
 127   public function encodeInput(&$values, $castToString = FALSE) {
 128     if (is_array($values)) {
 129       foreach ($values as &$value) {
 130         $this->encodeInput($value, TRUE);
 131       }
 132     }
 133     elseif ($castToString || is_string($values)) {
 134       $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
 135     }
 136   }
 137
 138   /**
 139    * @param array $values
 140    * @param bool $castToString
 141    */
 142   public function decodeOutput(&$values, $castToString = FALSE) {
 143     if (is_array($values)) {
 144       foreach ($values as &$value) {
 145         $this->decodeOutput($value, TRUE);
 146       }
 147     }
 148     elseif ($castToString || is_string($values)) {
 149       $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
 150     }
 151   }
 152
 153 }