3 +--------------------------------------------------------------------+
4 | CiviCRM version 4.6 |
5 +--------------------------------------------------------------------+
6 | Copyright CiviCRM LLC (c) 2004-2014 |
7 +--------------------------------------------------------------------+
8 | This file is a part of CiviCRM. |
10 | CiviCRM is free software; you can copy, modify, and distribute it |
11 | under the terms of the GNU Affero General Public License |
12 | Version 3, 19 November 2007 and the CiviCRM Licensing Exception. |
14 | CiviCRM is distributed in the hope that it will be useful, but |
15 | WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. |
17 | See the GNU Affero General Public License for more details. |
19 | You should have received a copy of the GNU Affero General Public |
20 | License and the CiviCRM Licensing Exception along |
21 | with this program; if not, contact CiviCRM LLC |
22 | at info[AT]civicrm[DOT]org. If you have questions about the |
23 | GNU Affero General Public License or the licensing of CiviCRM, |
24 | see the CiviCRM license FAQ at http://civicrm.org/licensing |
25 +--------------------------------------------------------------------+
29 * This class captures the encoding practices of CRM-5667 in a reusable
30 * fashion. In this design, all submitted values are partially HTML-encoded
31 * before saving to the database. If a DB reader needs to output in
32 * non-HTML medium, then it should undo the partial HTML encoding.
34 * This class should be short-lived -- 4.3 should introduce an alternative
35 * escaping scheme and consequently remove HTMLInputCoder.
38 * @copyright CiviCRM LLC (c) 2004-2014
42 class CRM_Utils_API_HTMLInputCoder
extends CRM_Utils_API_AbstractFieldCoder
{
43 private $skipFields = NULL;
46 * @var CRM_Utils_API_HTMLInputCoder
48 private static $_singleton = NULL;
51 * @return CRM_Utils_API_HTMLInputCoder
53 public static function singleton() {
54 if (self
::$_singleton === NULL) {
55 self
::$_singleton = new CRM_Utils_API_HTMLInputCoder();
57 return self
::$_singleton;
61 * @return array<string> list of field names
63 public function getSkipFields() {
64 if ($this->skipFields
=== NULL) {
65 $this->skipFields
= array(
79 'thankyou_footer_text',
86 'confirm_footer_text',
95 'premiums_intro_text',
99 'label', // This is needed for FROM Email Address configuration. dgg
100 'url', // This is needed for navigation items urls
102 'msg_text', // message templates’ text versions
103 'text_message', // (send an) email to contact’s and CiviMail’s text version
104 'data', // data i/p of persistent table
105 'sqlQuery', // CRM-6673
108 'new', // The 'new' text in word replacements
109 'replyto_email', // e.g. '"Full Name" <user@example.org>'
112 return $this->skipFields
;
116 * going to filter the
117 * submitted values across XSS vulnerability.
119 * @param array|string $values
120 * @param bool $castToString
121 * If TRUE, all scalars will be filtered (and therefore cast to strings).
122 * If FALSE, then non-string values will be preserved
124 public function encodeInput(&$values, $castToString = FALSE) {
125 if (is_array($values)) {
126 foreach ($values as &$value) {
127 $this->encodeInput($value, TRUE);
130 elseif ($castToString ||
is_string($values)) {
131 $values = str_replace(array('<', '>'), array('<', '>'), $values);
136 * @param array $values
137 * @param bool $castToString
139 public function decodeOutput(&$values, $castToString = FALSE) {
140 if (is_array($values)) {
141 foreach ($values as &$value) {
142 $this->decodeOutput($value, TRUE);
145 elseif ($castToString ||
is_string($values)) {
146 $values = str_replace(array('<', '>'), array('<', '>'), $values);