CRM/Utils/API/HTMLInputCoder.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | Copyright CiviCRM LLC. All rights reserved.                        |
   5  |                                                                    |
   6  | This work is published under the GNU AGPLv3 license with some      |
   7  | permitted exceptions and without any warranty. For full license    |
   8  | and copyright information, see https://civicrm.org/licensing       |
   9  +--------------------------------------------------------------------+
  10  */
  11
  12 /**
  13  * This class captures the encoding practices of CRM-5667 in a reusable
  14  * fashion.  In this design, all submitted values are partially HTML-encoded
  15  * before saving to the database.  If a DB reader needs to output in
  16  * non-HTML medium, then it should undo the partial HTML encoding.
  17  *
  18  * This class should be short-lived -- 4.3 should introduce an alternative
  19  * escaping scheme and consequently remove HTMLInputCoder.
  20  *
  21  * @package CRM
  22  * @copyright CiviCRM LLC https://civicrm.org/licensing
  23  */
  24 class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  25   private $skipFields = NULL;
  26
  27   /**
  28    * @var CRM_Utils_API_HTMLInputCoder
  29    */
  30   private static $_singleton = NULL;
  31
  32   /**
  33    * @return CRM_Utils_API_HTMLInputCoder
  34    */
  35   public static function singleton() {
  36     if (self::$_singleton === NULL) {
  37       self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  38     }
  39     return self::$_singleton;
  40   }
  41
  42   /**
  43    * Get skipped fields.
  44    *
  45    * @return array<string>
  46    *   list of field names
  47    */
  48   public function getSkipFields() {
  49     if ($this->skipFields === NULL) {
  50       $this->skipFields = [
  51         'widget_code',
  52         'html_message',
  53         'body_html',
  54         'msg_html',
  55         'description',
  56         'intro',
  57         'thankyou_text',
  58         'tf_thankyou_text',
  59         'intro_text',
  60         'page_text',
  61         'body_text',
  62         'footer_text',
  63         'thankyou_footer',
  64         'thankyou_footer_text',
  65         'new_text',
  66         'renewal_text',
  67         'help_pre',
  68         'help_post',
  69         'confirm_title',
  70         'confirm_text',
  71         'confirm_footer_text',
  72         'confirm_email_text',
  73         'event_full_text',
  74         'waitlist_text',
  75         'approval_req_text',
  76         'report_header',
  77         'report_footer',
  78         'cc_id',
  79         'bcc_id',
  80         'premiums_intro_text',
  81         'honor_block_text',
  82         'pay_later_text',
  83         'pay_later_receipt',
  84         // This is needed for FROM Email Address configuration. dgg
  85         'label',
  86         // This is needed for navigation items urls
  87         'url',
  88         'details',
  89         // message templates’ text versions
  90         'msg_text',
  91         // (send an) email to contact’s and CiviMail’s text version
  92         'text_message',
  93         // data i/p of persistent table
  94         'data',
  95         // CRM-6673
  96         'sqlQuery',
  97         'pcp_title',
  98         'pcp_intro_text',
  99         // The 'new' text in word replacements
 100         'new',
 101         // e.g. '"Full Name" <user@example.org>'
 102         'replyto_email',
 103         'operator',
 104         // CRM-20468
 105         'content',
 106         // CiviCampaign Goal Details
 107         'goal_general',
 108       ];
 109       $custom = CRM_Core_DAO::executeQuery('SELECT id FROM civicrm_custom_field WHERE html_type = "RichTextEditor"');
 110       while ($custom->fetch()) {
 111         $this->skipFields[] = 'custom_' . $custom->id;
 112       }
 113     }
 114     return $this->skipFields;
 115   }
 116
 117   /**
 118    * going to filter the
 119    * submitted values across XSS vulnerability.
 120    *
 121    * @param array|string $values
 122    * @param bool $castToString
 123    *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 124    *    If FALSE, then non-string values will be preserved
 125    */
 126   public function encodeInput(&$values, $castToString = FALSE) {
 127     if (is_array($values)) {
 128       foreach ($values as &$value) {
 129         $this->encodeInput($value, TRUE);
 130       }
 131     }
 132     elseif ($castToString || is_string($values)) {
 133       $values = str_replace(['<', '>'], ['&lt;', '&gt;'], $values);
 134     }
 135   }
 136
 137   /**
 138    * @param array $values
 139    * @param bool $castToString
 140    */
 141   public function decodeOutput(&$values, $castToString = FALSE) {
 142     if (is_array($values)) {
 143       foreach ($values as &$value) {
 144         $this->decodeOutput($value, TRUE);
 145       }
 146     }
 147     elseif ($castToString || is_string($values)) {
 148       $values = str_replace(['&lt;', '&gt;'], ['<', '>'], $values);
 149     }
 150   }
 151
 152 }