3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
13 * This class captures the encoding practices of CRM-5667 in a reusable
14 * fashion. In this design, all submitted values are partially HTML-encoded
15 * before saving to the database. If a DB reader needs to output in
16 * non-HTML medium, then it should undo the partial HTML encoding.
18 * This class should be short-lived -- 4.3 should introduce an alternative
19 * escaping scheme and consequently remove HTMLInputCoder.
22 * @copyright CiviCRM LLC https://civicrm.org/licensing
24 class CRM_Utils_API_HTMLInputCoder
extends CRM_Utils_API_AbstractFieldCoder
{
// Cached list of field names to leave unencoded; NULL until getSkipFields() builds it.
// Presumably what isSkippedField() (parent class, not shown here) consults — verify there.
25 private $skipFields = NULL;
28 * @var CRM_Utils_API_HTMLInputCoder|null Lazily created by singleton(); NULL until first use.
30 private static $_singleton = NULL;
33 * @return CRM_Utils_API_HTMLInputCoder
public static function singleton() {
  // Lazy construction: the instance is created on first use and reused afterwards.
  if (!isset(self::$_singleton)) {
    self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  }
  return self::$_singleton;
}
45 * @return array<string>
48 public function getSkipFields() {
49 if ($this->skipFields
=== NULL) {
// Field names listed here are saved exactly as submitted: encodeRow()/decodeRow() skip them
// (via isSkippedField(), presumably backed by this list — confirm in the parent class).
// Whatever renders these values must therefore escape them for its own output context.
64 'thankyou_footer_text',
71 'confirm_footer_text',
80 'premiums_intro_text',
84 // This is needed for FROM Email Address configuration. dgg
86 // This is needed for navigation items urls
89 // message templates’ text versions
91 // (send an) email to contact’s and CiviMail’s text version
93 // data i/p of persistent table
99 // The 'new' text in word replacements
101 // e.g. '"Full Name" <user@example.org>'
106 // CiviCampaign Goal Details
108 // https://lab.civicrm.org/dev/core/issues/1286
110 // https://lab.civicrm.org/dev/core/issues/1286
// Custom fields configured as RichTextEditor are exempted at runtime as well.
// The SQL is a fixed literal with no caller-supplied input, so no parameter binding is needed here.
113 $custom = CRM_Core_DAO
::executeQuery('SELECT id FROM civicrm_custom_field WHERE html_type = "RichTextEditor"');
114 while ($custom->fetch()) {
115 $this->skipFields
[] = 'custom_' . $custom->id
;
118 return $this->skipFields
;
122 * going to filter the
123 * submitted values to mitigate cross-site scripting (XSS).
125 * @param array|string $values
126 * @param bool $castToString
127 * If TRUE, all scalars will be filtered (and therefore cast to strings).
128 * If FALSE, then non-string values will be preserved
public function encodeInput(&$values, $castToString = FALSE) {
  if (!is_array($values)) {
    // A top-level scalar is only touched when it is a string or the caller forces a cast.
    if ($castToString || is_string($values)) {
      $values = $this->encodeValue($values);
    }
    return;
  }
  // Recurse through the array in place; nested scalars are always encoded
  // (and therefore end up as strings), regardless of $castToString.
  foreach (array_keys($values) as $key) {
    $this->encodeInput($values[$key], TRUE);
  }
}
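/**
 * Apply the partial HTML encoding used for stored values.
 *
 * Only '<' and '>' are replaced (with '&lt;' and '&gt;'). Ampersands, quotes
 * and everything else are left as-is, so this is deliberately NOT a full
 * HTML escape and is no substitute for context-aware escaping at output time.
 *
 * @param mixed $value
 *   Value to encode. str_replace() casts non-string scalars to string and
 *   processes arrays element-wise.
 * @return string|array
 */
public function encodeValue($value) {
  return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}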
146 * Perform in-place encode on strings (in a list of records).
149 * Ex in: $rows[0] = ['first_name' => 'A&W'].
150 * Ex out: $rows[0] = ['first_name' => 'A&W'].
public function encodeRows(&$rows) {
  // Walk a snapshot of the keys so each record is encoded through its own
  // slot in $rows (in place) rather than through a copy.
  foreach (array_keys($rows) as $recordId) {
    $this->encodeRow($rows[$recordId]);
  }
}
159 * Perform in-place encode on strings (in a single record).
162 * Ex in: ['first_name' => 'A&W'].
163 * Ex out: ['first_name' => 'A&W'].
public function encodeRow(&$row) {
  foreach ($row as $field => $raw) {
    // Leave non-strings and exempted fields exactly as submitted.
    if (!is_string($raw) || $this->isSkippedField($field)) {
      continue;
    }
    $row[$field] = $this->encodeValue($raw);
  }
}
174 * @param array $values
175 * @param bool $castToString
public function decodeOutput(&$values, $castToString = FALSE) {
  if (!is_array($values)) {
    // A top-level scalar is only touched when it is a string or the caller forces a cast.
    if ($castToString || is_string($values)) {
      $values = $this->decodeValue($values);
    }
    return;
  }
  // Recurse through the array in place; nested scalars are always decoded
  // (and therefore end up as strings), regardless of $castToString.
  foreach (array_keys($values) as $key) {
    $this->decodeOutput($values[$key], TRUE);
  }
}
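/**
 * Undo the partial HTML encoding applied by encodeValue().
 *
 * Only '&lt;' and '&gt;' are turned back into '<' and '>'; no other entity
 * is touched, so this is not a general HTML decoder. The result contains raw
 * markup characters again, so anything emitting it into HTML must re-escape.
 *
 * @param mixed $value
 *   Value to decode. str_replace() casts non-string scalars to string and
 *   processes arrays element-wise.
 * @return string|array
 */
public function decodeValue($value) {
  return str_replace(['&lt;', '&gt;'], ['<', '>'], $value);
}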
193 * Perform in-place decode on strings (in a list of records).
196 * Ex in: $rows[0] = ['first_name' => 'A&W'].
197 * Ex out: $rows[0] = ['first_name' => 'A&W'].
public function decodeRows(&$rows) {
  // Walk a snapshot of the keys so each record is decoded through its own
  // slot in $rows (in place) rather than through a copy.
  foreach (array_keys($rows) as $recordId) {
    $this->decodeRow($rows[$recordId]);
  }
}
206 * Perform in-place decode on strings (in a single record).
209 * Ex in: ['first_name' => 'A&W'].
210 * Ex out: ['first_name' => 'A&W'].
212 public function decodeRow(&$row) {
213 foreach ($row as $k => $v) {
214 if (is_string($v) && !$this->isSkippedField($k)) {
215 $row[$k] = $this->decodeValue($v);