projects / civicrm-core.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #17332 from colemanw/api4Joins
[civicrm-core.git] / CRM / Utils / API / HTMLInputCoder.php
1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
5 | |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
10 */
11
12 /**
13 * This class captures the encoding practices of CRM-5667 in a reusable
14 * fashion. In this design, all submitted values are partially HTML-encoded
15 * before saving to the database. If a DB reader needs to output in
16 * non-HTML medium, then it should undo the partial HTML encoding.
17 *
18 * This class should be short-lived -- 4.3 should introduce an alternative
19 * escaping scheme and consequently remove HTMLInputCoder.
20 *
21 * @package CRM
22 * @copyright CiviCRM LLC https://civicrm.org/licensing
23 */
24 class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
25 private $skipFields = NULL;
26
27 /**
28 * @var CRM_Utils_API_HTMLInputCoder
29 */
30 private static $_singleton = NULL;
31
32 /**
33 * @return CRM_Utils_API_HTMLInputCoder
34 */
35 public static function singleton() {
36 if (self::$_singleton === NULL) {
37 self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
38 }
39 return self::$_singleton;
40 }
41
42 /**
43 * Get skipped fields.
44 *
45 * @return array<string>
46 * list of field names
47 */
48 public function getSkipFields() {
49 if ($this->skipFields === NULL) {
50 $this->skipFields = [
51 'widget_code',
52 'html_message',
53 'body_html',
54 'msg_html',
55 'description',
56 'intro',
57 'thankyou_text',
58 'tf_thankyou_text',
59 'intro_text',
60 'page_text',
61 'body_text',
62 'footer_text',
63 'thankyou_footer',
64 'thankyou_footer_text',
65 'new_text',
66 'renewal_text',
67 'help_pre',
68 'help_post',
69 'confirm_title',
70 'confirm_text',
71 'confirm_footer_text',
72 'confirm_email_text',
73 'event_full_text',
74 'waitlist_text',
75 'approval_req_text',
76 'report_header',
77 'report_footer',
78 'cc_id',
79 'bcc_id',
80 'premiums_intro_text',
81 'honor_block_text',
82 'pay_later_text',
83 'pay_later_receipt',
84 // This is needed for FROM Email Address configuration. dgg
85 'label',
86 // This is needed for navigation items urls
87 'url',
88 'details',
89 // message templates’ text versions
90 'msg_text',
91 // (send an) email to contact’s and CiviMail’s text version
92 'text_message',
93 // data i/p of persistent table
94 'data',
95 // CRM-6673
96 'sqlQuery',
97 'pcp_title',
98 'pcp_intro_text',
99 // The 'new' text in word replacements
100 'new',
101 // e.g. '"Full Name" <user@example.org>'
102 'replyto_email',
103 'operator',
104 // CRM-20468
105 'content',
106 // CiviCampaign Goal Details
107 'goal_general',
108 // https://lab.civicrm.org/dev/core/issues/1286
109 'header',
110 // https://lab.civicrm.org/dev/core/issues/1286
111 'footer',
112 ];
113 $custom = CRM_Core_DAO::executeQuery('SELECT id FROM civicrm_custom_field WHERE html_type = "RichTextEditor"');
114 while ($custom->fetch()) {
115 $this->skipFields[] = 'custom_' . $custom->id;
116 }
117 }
118 return $this->skipFields;
119 }
120
121 /**
122 * going to filter the
123 * submitted values across XSS vulnerability.
124 *
125 * @param array|string $values
126 * @param bool $castToString
127 * If TRUE, all scalars will be filtered (and therefore cast to strings).
128 * If FALSE, then non-string values will be preserved
129 */
130 public function encodeInput(&$values, $castToString = FALSE) {
131 if (is_array($values)) {
132 foreach ($values as &$value) {
133 $this->encodeInput($value, TRUE);
134 }
135 }
136 elseif ($castToString || is_string($values)) {
137 $values = $this->encodeValue($values);
138 }
139 }
140
141 public function encodeValue($value) {
142 return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
143 }
144
145 /**
146 * Perform in-place decode on strings (in a list of records).
147 *
148 * @param array $rows
149 * Ex in: $rows[0] = ['first_name' => 'A&W'].
150 * Ex out: $rows[0] = ['first_name' => 'A&amp;W'].
151 */
152 public function encodeRows(&$rows) {
153 foreach ($rows as $rid => $row) {
154 $this->encodeRow($rows[$rid]);
155 }
156 }
157
158 /**
159 * Perform in-place encode on strings (in a single record).
160 *
161 * @param array $row
162 * Ex in: ['first_name' => 'A&W'].
163 * Ex out: ['first_name' => 'A&amp;W'].
164 */
165 public function encodeRow(&$row) {
166 foreach ($row as $k => $v) {
167 if (is_string($v) && !$this->isSkippedField($k)) {
168 $row[$k] = $this->encodeValue($v);
169 }
170 }
171 }
172
173 /**
174 * @param array $values
175 * @param bool $castToString
176 */
177 public function decodeOutput(&$values, $castToString = FALSE) {
178 if (is_array($values)) {
179 foreach ($values as &$value) {
180 $this->decodeOutput($value, TRUE);
181 }
182 }
183 elseif ($castToString || is_string($values)) {
184 $values = $this->decodeValue($values);
185 }
186 }
187
188 public function decodeValue($value) {
189 return str_replace(['&lt;', '&gt;'], ['<', '>'], $value);
190 }
191
192 /**
193 * Perform in-place decode on strings (in a list of records).
194 *
195 * @param array $rows
196 * Ex in: $rows[0] = ['first_name' => 'A&amp;W'].
197 * Ex out: $rows[0] = ['first_name' => 'A&W'].
198 */
199 public function decodeRows(&$rows) {
200 foreach ($rows as $rid => $row) {
201 $this->decodeRow($rows[$rid]);
202 }
203 }
204
205 /**
206 * Perform in-place decode on strings (in a single record).
207 *
208 * @param array $row
209 * Ex in: ['first_name' => 'A&amp;W'].
210 * Ex out: ['first_name' => 'A&W'].
211 */
212 public function decodeRow(&$row) {
213 foreach ($row as $k => $v) {
214 if (is_string($v) && !$this->isSkippedField($k)) {
215 $row[$k] = $this->decodeValue($v);
216 }
217 }
218 }
219
220 }