CRM/Utils/API/HTMLInputCoder.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.5                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2014                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26 */
  27
  28 /**
  29  * This class captures the encoding practices of CRM-5667 in a reusable
  30  * fashion.  In this design, all submitted values are partially HTML-encoded
  31  * before saving to the database.  If a DB reader needs to output in
  32  * non-HTML medium, then it should undo the partial HTML encoding.
  33  *
  34  * This class should be short-lived -- 4.3 should introduce an alternative
  35  * escaping scheme and consequently remove HTMLInputCoder.
  36  *
  37  * @package CRM
  38  * @copyright CiviCRM LLC (c) 2004-2014
  39  * $Id$
  40  *
  41  */
  42
  43 class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  44   private $skipFields = NULL;
  45
  46   /**
  47    * @var CRM_Utils_API_HTMLInputCoder
  48    */
  49   private static $_singleton = NULL;
  50
  51   /**
  52    * @return CRM_Utils_API_HTMLInputCoder
  53    */
  54   public static function singleton() {
  55     if (self::$_singleton === NULL) {
  56       self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  57     }
  58     return self::$_singleton;
  59   }
  60
  61   /**
  62    * @return array<string> list of field names
  63    */
  64   public function getSkipFields() {
  65     if ($this->skipFields === NULL) {
  66       $this->skipFields = array(
  67         'widget_code',
  68         'html_message',
  69         'body_html',
  70         'msg_html',
  71         'description',
  72         'intro',
  73         'thankyou_text',
  74         'tf_thankyou_text',
  75         'intro_text',
  76         'page_text',
  77         'body_text',
  78         'footer_text',
  79         'thankyou_footer',
  80         'thankyou_footer_text',
  81         'new_text',
  82         'renewal_text',
  83         'help_pre',
  84         'help_post',
  85         'confirm_title',
  86         'confirm_text',
  87         'confirm_footer_text',
  88         'confirm_email_text',
  89         'event_full_text',
  90         'waitlist_text',
  91         'approval_req_text',
  92         'report_header',
  93         'report_footer',
  94         'cc_id',
  95         'bcc_id',
  96         'premiums_intro_text',
  97         'honor_block_text',
  98         'pay_later_text',
  99         'pay_later_receipt',
 100         'label', // This is needed for FROM Email Address configuration. dgg
 101         'url',  // This is needed for navigation items urls
 102         'details',
 103         'msg_text', // message templates’ text versions
 104         'text_message', // (send an) email to contact’s and CiviMail’s text version
 105         'data', // data i/p of persistent table
 106         'sqlQuery', // CRM-6673
 107         'pcp_title',
 108         'pcp_intro_text',
 109         'new', // The 'new' text in word replacements
 110       );
 111     }
 112     return $this->skipFields;
 113   }
 114
 115   /**
 116    * This function is going to filter the
 117    * submitted values across XSS vulnerability.
 118    *
 119    * @param array|string $values
 120    * @param bool $castToString If TRUE, all scalars will be filtered (and therefore cast to strings)
 121    *    If FALSE, then non-string values will be preserved
 122    */
 123   public function encodeInput(&$values, $castToString = FALSE) {
 124     if (is_array($values)) {
 125       foreach ($values as &$value) {
 126         $this->encodeInput($value, TRUE);
 127       }
 128     } elseif ($castToString || is_string($values)) {
 129       $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
 130     }
 131   }
 132
 133   /**
 134    * @param $values
 135    * @param bool $castToString
 136    *
 137    * @return mixed|void
 138    */
 139   public function decodeOutput(&$values, $castToString = FALSE) {
 140     if (is_array($values)) {
 141       foreach ($values as &$value) {
 142         $this->decodeOutput($value, TRUE);
 143       }
 144     } elseif ($castToString || is_string($values)) {
 145       $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
 146     }
 147   }
 148 }