CRM/Utils/API/HTMLInputCoder.php

   1 <?php
   2 /*
   3  +--------------------------------------------------------------------+
   4  | CiviCRM version 4.7                                                |
   5  +--------------------------------------------------------------------+
   6  | Copyright CiviCRM LLC (c) 2004-2015                                |
   7  +--------------------------------------------------------------------+
   8  | This file is a part of CiviCRM.                                    |
   9  |                                                                    |
  10  | CiviCRM is free software; you can copy, modify, and distribute it  |
  11  | under the terms of the GNU Affero General Public License           |
  12  | Version 3, 19 November 2007 and the CiviCRM Licensing Exception.   |
  13  |                                                                    |
  14  | CiviCRM is distributed in the hope that it will be useful, but     |
  15  | WITHOUT ANY WARRANTY; without even the implied warranty of         |
  16  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.               |
  17  | See the GNU Affero General Public License for more details.        |
  18  |                                                                    |
  19  | You should have received a copy of the GNU Affero General Public   |
  20  | License and the CiviCRM Licensing Exception along                  |
  21  | with this program; if not, contact CiviCRM LLC                     |
  22  | at info[AT]civicrm[DOT]org. If you have questions about the        |
  23  | GNU Affero General Public License or the licensing of CiviCRM,     |
  24  | see the CiviCRM license FAQ at http://civicrm.org/licensing        |
  25  +--------------------------------------------------------------------+
  26  */
  27
  28 /**
  29  * This class captures the encoding practices of CRM-5667 in a reusable
  30  * fashion.  In this design, all submitted values are partially HTML-encoded
  31  * before saving to the database.  If a DB reader needs to output in
  32  * non-HTML medium, then it should undo the partial HTML encoding.
  33  *
  34  * This class should be short-lived -- 4.3 should introduce an alternative
  35  * escaping scheme and consequently remove HTMLInputCoder.
  36  *
  37  * @package CRM
  38  * @copyright CiviCRM LLC (c) 2004-2015
  39  */
  40 class CRM_Utils_API_HTMLInputCoder extends CRM_Utils_API_AbstractFieldCoder {
  41   private $skipFields = NULL;
  42
  43   /**
  44    * @var CRM_Utils_API_HTMLInputCoder
  45    */
  46   private static $_singleton = NULL;
  47
  48   /**
  49    * @return CRM_Utils_API_HTMLInputCoder
  50    */
  51   public static function singleton() {
  52     if (self::$_singleton === NULL) {
  53       self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  54     }
  55     return self::$_singleton;
  56   }
  57
  58   /**
  59    * @return array<string> list of field names
  60    */
  61   public function getSkipFields() {
  62     if ($this->skipFields === NULL) {
  63       $this->skipFields = array(
  64         'widget_code',
  65         'html_message',
  66         'body_html',
  67         'msg_html',
  68         'description',
  69         'intro',
  70         'thankyou_text',
  71         'tf_thankyou_text',
  72         'intro_text',
  73         'page_text',
  74         'body_text',
  75         'footer_text',
  76         'thankyou_footer',
  77         'thankyou_footer_text',
  78         'new_text',
  79         'renewal_text',
  80         'help_pre',
  81         'help_post',
  82         'confirm_title',
  83         'confirm_text',
  84         'confirm_footer_text',
  85         'confirm_email_text',
  86         'event_full_text',
  87         'waitlist_text',
  88         'approval_req_text',
  89         'report_header',
  90         'report_footer',
  91         'cc_id',
  92         'bcc_id',
  93         'premiums_intro_text',
  94         'honor_block_text',
  95         'pay_later_text',
  96         'pay_later_receipt',
  97         'label', // This is needed for FROM Email Address configuration. dgg
  98         'url', // This is needed for navigation items urls
  99         'details',
 100         'msg_text', // message templates’ text versions
 101         'text_message', // (send an) email to contact’s and CiviMail’s text version
 102         'data', // data i/p of persistent table
 103         'sqlQuery', // CRM-6673
 104         'pcp_title',
 105         'pcp_intro_text',
 106         'new', // The 'new' text in word replacements
 107         'replyto_email', // e.g. '"Full Name" <user@example.org>'
 108       );
 109     }
 110     return $this->skipFields;
 111   }
 112
 113   /**
 114    * going to filter the
 115    * submitted values across XSS vulnerability.
 116    *
 117    * @param array|string $values
 118    * @param bool $castToString
 119    *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 120    *    If FALSE, then non-string values will be preserved
 121    */
 122   public function encodeInput(&$values, $castToString = FALSE) {
 123     if (is_array($values)) {
 124       foreach ($values as &$value) {
 125         $this->encodeInput($value, TRUE);
 126       }
 127     }
 128     elseif ($castToString || is_string($values)) {
 129       $values = str_replace(array('<', '>'), array('&lt;', '&gt;'), $values);
 130     }
 131   }
 132
 133   /**
 134    * @param array $values
 135    * @param bool $castToString
 136    */
 137   public function decodeOutput(&$values, $castToString = FALSE) {
 138     if (is_array($values)) {
 139       foreach ($values as &$value) {
 140         $this->decodeOutput($value, TRUE);
 141       }
 142     }
 143     elseif ($castToString || is_string($values)) {
 144       $values = str_replace(array('&lt;', '&gt;'), array('<', '>'), $values);
 145     }
 146   }
 147
 148 }