3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
13 * This class captures the encoding practices of CRM-5667 in a reusable
14 * fashion. In this design, all submitted values are partially HTML-encoded
15 * before saving to the database. If a DB reader needs to output in
16 * non-HTML medium, then it should undo the partial HTML encoding.
18 * This class should be short-lived -- 4.3 should introduce an alternative
19 * escaping scheme and consequently remove HTMLInputCoder.
22 * @copyright CiviCRM LLC https://civicrm.org/licensing
24 class CRM_Utils_API_HTMLInputCoder
extends CRM_Utils_API_AbstractFieldCoder
{
/**
 * Lazily-built list of field names exempt from encoding; NULL until
 * getSkipFields() first populates it.
 *
 * @var array<string>|null
 */
25 private $skipFields = NULL;
28 * @var CRM_Utils_API_HTMLInputCoder
30 private static $_singleton = NULL;
33 * @return CRM_Utils_API_HTMLInputCoder
/**
 * Return the shared coder instance, constructing it on first use.
 *
 * @return CRM_Utils_API_HTMLInputCoder
 */
public static function singleton() {
  if (self::$_singleton !== NULL) {
    return self::$_singleton;
  }
  self::$_singleton = new CRM_Utils_API_HTMLInputCoder();
  return self::$_singleton;
}
45 * @return array<string>
48 public function getSkipFields() {
// Fields named here (plus every RichTextEditor custom field looked up below)
// are exempt from the '<' / '>' encoding: encodeRow()/decodeRow() consult this
// list via isSkippedField(), so their raw HTML reaches the database. Whatever
// renders one of these fields is responsible for its own output-side
// sanitisation -- presumably an HTML purifier; confirm against the callers.
// The list is built once per instance and cached in $this->skipFields, so
// custom fields created later in the same instance's lifetime are not seen.
// NOTE(review): this page shows only part of the skip list; the array's
// opening and most of its entries are not visible here.
49 if ($this->skipFields
=== NULL) {
64 'thankyou_footer_text',
71 'confirm_footer_text',
80 'premiums_intro_text',
84 // This is needed for FROM Email Address configuration. dgg
86 // This is needed for navigation items urls
89 // message templates’ text versions
91 // (send an) email to contact’s and CiviMail’s text version
93 // data i/p of persistent table
99 // The 'new' text in word replacements
101 // e.g. '"Full Name" <user@example.org>'
106 // CiviCampaign Goal Details
// Fixed query with no interpolated values, so no injection surface here; it
// adds one 'custom_<id>' entry per rich-text custom field.
109 $custom = CRM_Core_DAO
::executeQuery('SELECT id FROM civicrm_custom_field WHERE html_type = "RichTextEditor"');
110 while ($custom->fetch()) {
111 $this->skipFields
[] = 'custom_' . $custom->id
;
114 return $this->skipFields
;
* going to encode the submitted values in place, replacing the characters that
* can open or close an HTML tag, as the CRM-5667 mitigation against XSS.
121 * @param array|string $values
122 * @param bool $castToString
123 * If TRUE, all scalars will be filtered (and therefore cast to strings).
124 * If FALSE, then non-string values will be preserved
/**
 * Recursively apply encodeValue() to $values, in place.
 *
 * Arrays are walked element by element and every scalar inside them is
 * encoded (and therefore cast to string). A bare scalar is encoded only when
 * it is already a string or $castToString is TRUE; other scalars are left
 * untouched.
 *
 * @param array|string $values
 * @param bool $castToString
 *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 *   If FALSE, then non-string values will be preserved.
 */
public function encodeInput(&$values, $castToString = FALSE) {
  if (!is_array($values)) {
    if ($castToString || is_string($values)) {
      $values = $this->encodeValue($values);
    }
    return;
  }
  // Nested elements are always coerced, matching the original recursion.
  foreach (array_keys($values) as $key) {
    $this->encodeInput($values[$key], TRUE);
  }
}
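/**
 * Encode a single value for storage: '<' becomes '&lt;' and '>' becomes '&gt;'.
 *
 * This is the "partial HTML encoding" described in the class header: only the
 * two characters that can open or close a tag are touched. It is NOT a
 * complete escape -- quotes, '&' and everything else pass through unchanged,
 * so code rendering a stored value into an attribute, JavaScript or URL
 * context must still escape for that context. Because '&' is left alone, a
 * value that already contains a literal '&lt;' or '&gt;' is indistinguishable
 * from encoded output and will be altered by decodeValue().
 *
 * NOTE(review): the listing showed this mapping as '<' -> '<' and '>' -> '>',
 * i.e. a no-op, which contradicts the class documentation; the entity forms
 * that the header describes are used here.
 *
 * @param string $value
 * @return string
 */
public function encodeValue($value) {
  return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}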
* Perform in-place encode on strings (in a list of records).
145 * Ex in: $rows[0] = ['first_name' => 'A&W'].
146 * Ex out: $rows[0] = ['first_name' => 'A&W'].
/**
 * Encode every record in $rows in place; see encodeRow() for the per-record
 * rules (string fields only, skip-listed fields untouched).
 *
 * @param array $rows
 */
public function encodeRows(&$rows) {
  $ids = array_keys($rows);
  foreach ($ids as $id) {
    $this->encodeRow($rows[$id]);
  }
}
155 * Perform in-place encode on strings (in a single record).
158 * Ex in: ['first_name' => 'A&W'].
159 * Ex out: ['first_name' => 'A&W'].
/**
 * Encode the string fields of a single record in place.
 *
 * Non-string values are left as-is, and fields reported by isSkippedField()
 * (the rich-text exemptions from getSkipFields()) are not touched at all.
 *
 * @param array $row
 */
public function encodeRow(&$row) {
  foreach (array_keys($row) as $field) {
    $raw = $row[$field];
    // Check is_string first so isSkippedField() only runs for candidates.
    if (!is_string($raw) || $this->isSkippedField($field)) {
      continue;
    }
    $row[$field] = $this->encodeValue($raw);
  }
}
170 * @param array $values
171 * @param bool $castToString
/**
 * Recursively apply decodeValue() to $values, in place -- the inverse of
 * encodeInput(), for readers emitting into a non-HTML medium.
 *
 * Array elements are always decoded (scalars inside arrays are cast to
 * string); a bare scalar is decoded only if it is a string or $castToString
 * is TRUE.
 *
 * @param array|string $values
 * @param bool $castToString
 */
public function decodeOutput(&$values, $castToString = FALSE) {
  if (is_array($values)) {
    foreach (array_keys($values) as $key) {
      $this->decodeOutput($values[$key], TRUE);
    }
    return;
  }
  if ($castToString || is_string($values)) {
    $values = $this->decodeValue($values);
  }
}
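/**
 * Reverse encodeValue(): '&lt;' becomes '<' and '&gt;' becomes '>'.
 *
 * Use this when a stored value is emitted into a non-HTML medium (plain-text
 * email, CSV, JSON, ...) so the entities are not shown literally; per the
 * class header, HTML readers consume the stored form directly. Because
 * encodeValue() never touches '&', a value that contained a literal '&lt;'
 * before encoding is also rewritten here -- the round trip is exact only for
 * input that held no such entity text.
 *
 * NOTE(review): the listing showed this mapping as '<' -> '<' and '>' -> '>',
 * a no-op that cannot undo the encoding the class header describes; the
 * entity forms are used here so decoding inverts encodeValue() for plain input.
 *
 * @param string $value
 * @return string
 */
public function decodeValue($value) {
  return str_replace(['&lt;', '&gt;'], ['<', '>'], $value);
}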
189 * Perform in-place decode on strings (in a list of records).
192 * Ex in: $rows[0] = ['first_name' => 'A&W'].
193 * Ex out: $rows[0] = ['first_name' => 'A&W'].
/**
 * Decode every record in $rows in place; see decodeRow() for the per-record
 * rules.
 *
 * @param array $rows
 */
public function decodeRows(&$rows) {
  foreach (array_keys($rows) as $index) {
    $this->decodeRow($rows[$index]);
  }
}
202 * Perform in-place decode on strings (in a single record).
205 * Ex in: ['first_name' => 'A&W'].
206 * Ex out: ['first_name' => 'A&W'].
208 public function decodeRow(&$row) {
209 foreach ($row as $k => $v) {
210 if (is_string($v) && !$this->isSkippedField($k)) {
211 $row[$k] = $this->decodeValue($v);