1 <?php
2 /*
3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
9 | |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
13 | |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
18 | |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
26 */
27
28 /**
29 * This class captures the encoding practices of CRM-5667 in a reusable
30 * fashion. In this design, all submitted values are partially HTML-encoded
31 * before saving to the database. If a DB reader needs to output in
32 * non-HTML medium, then it should undo the partial HTML encoding.
33 *
34 * This class should be short-lived -- 4.3 should introduce an alternative
35 * escaping scheme and consequently remove HTMLInputCoder.
36 *
37 * @package CRM
38 * @copyright CiviCRM LLC (c) 2004-2014
39 * $Id$
40 *
41 */
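class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  /**
   * Lazily-built list of field names exempt from encoding; see getSkipFields().
   *
   * @var array<string>|null
   */
  private $skipFields = NULL;

  /**
   * @var CRM_Utils_API_HTMLInputCoder
   */
  private static $_singleton = NULL;

  /**
   * Return the shared coder instance, creating it on first use.
   *
   * @return CRM_Utils_API_HTMLInputCoder
   */
  public static function singleton() {
    if (self::$_singleton === NULL) {
      self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
    }
    return self::$_singleton;
  }

  /**
   * Field names whose values are stored without the partial HTML encoding.
   *
   * These fields legitimately carry markup, addresses, SQL or other raw data
   * that encoding '<' and '>' would corrupt. Because this class gives them no
   * protection, whatever renders one of these fields must escape it for the
   * output context itself.
   *
   * NOTE(review): the list is presumably consumed by the parent
   * CRM_Utils_API_AbstractFieldCoder when deciding which fields to code;
   * that logic is not in this file.
   *
   * @return array<string> list of field names
   */
  public function getSkipFields() {
    if ($this->skipFields === NULL) {
      $this->skipFields = array(
        'widget_code',
        'html_message',
        'body_html',
        'msg_html',
        'description',
        'intro',
        'thankyou_text',
        'tf_thankyou_text',
        'intro_text',
        'page_text',
        'body_text',
        'footer_text',
        'thankyou_footer',
        'thankyou_footer_text',
        'new_text',
        'renewal_text',
        'help_pre',
        'help_post',
        'confirm_title',
        'confirm_text',
        'confirm_footer_text',
        'confirm_email_text',
        'event_full_text',
        'waitlist_text',
        'approval_req_text',
        'report_header',
        'report_footer',
        'cc_id',
        'bcc_id',
        'premiums_intro_text',
        'honor_block_text',
        'pay_later_text',
        'pay_later_receipt',
        'label', // This is needed for FROM Email Address configuration. dgg
        'url', // This is needed for navigation items urls
        'details',
        'msg_text', // message templates’ text versions
        'text_message', // (send an) email to contact’s and CiviMail’s text version
        'data', // data i/p of persistent table
        'sqlQuery', // CRM-6673
        'pcp_title',
        'pcp_intro_text',
        'new', // The 'new' text in word replacements
        'replyto_email', // e.g. '"Full Name" <user@example.org>'
      );
    }
    return $this->skipFields;
  }

  /**
   * Partially HTML-encode submitted values in place before they are saved.
   *
   * Only '<' and '>' are replaced (with '&lt;' and '&gt;'); '&' and quotes are
   * left untouched. This is therefore not a context-aware escape: a stored
   * value emitted inside an HTML attribute, JavaScript or a URL still needs
   * escaping for that context. Arrays are walked recursively, and every
   * scalar found inside an array is encoded (and so cast to string).
   *
   * @param array|string $values
   *   Modified in place.
   * @param bool $castToString
   *   If TRUE, all scalars will be filtered (and therefore cast to strings).
   *   If FALSE, then non-string values will be preserved.
   */
  public function encodeInput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        // Nested scalars are always coded, whatever the caller asked for.
        $this->encodeInput($value, TRUE);
      }
      // Drop the by-reference iterator so the last element cannot be aliased.
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
    }
  }

  /**
   * Undo the partial HTML encoding applied by encodeInput(), in place.
   *
   * Replaces '&lt;' and '&gt;' with '<' and '>'. This is not a general entity
   * decoder, and it cannot tell an entity written by encodeInput() apart from
   * the same literal text typed by a user: a stored '&lt;' always comes back
   * as '<'. Arrays are walked recursively, and every scalar found inside an
   * array is decoded (and so cast to string).
   *
   * @param array|string $values
   *   Modified in place.
   * @param bool $castToString
   *   If TRUE, all scalars will be filtered (and therefore cast to strings).
   *   If FALSE, then non-string values will be preserved.
   */
  public function decodeOutput(&$values, $castToString = FALSE) {
    if (is_array($values)) {
      foreach ($values as &$value) {
        // Mirror encodeInput(): nested scalars are always coded.
        $this->decodeOutput($value, TRUE);
      }
      // Drop the by-reference iterator so the last element cannot be aliased.
      unset($value);
    }
    elseif ($castToString || is_string($values)) {
      $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
    }
  }
}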
151 }