3 +--------------------------------------------------------------------+
4 | Copyright CiviCRM LLC. All rights reserved. |
6 | This work is published under the GNU AGPLv3 license with some |
7 | permitted exceptions and without any warranty. For full license |
8 | and copyright information, see https://civicrm.org/licensing |
9 +--------------------------------------------------------------------+
13 * This class captures the encoding practices of CRM-5667 in a reusable
14 * fashion. In this design, all submitted values are partially HTML-encoded
15 * before saving to the database. If a DB reader needs to output in
16 * non-HTML medium, then it should undo the partial HTML encoding.
18 * This class should be short-lived -- 4.3 should introduce an alternative
19 * escaping scheme and consequently remove HTMLInputCoder.
22 * @copyright CiviCRM LLC https://civicrm.org/licensing
24 class CRM_Utils_API_HTMLInputCoder
extends CRM_Utils_API_AbstractFieldCoder
{
/**
 * @var array<string>|null
 *   Names of fields exempt from encoding; NULL until getSkipFields() builds the list.
 */
25 private $skipFields = NULL;
/**
 * @var CRM_Utils_API_HTMLInputCoder|null
 *   Shared instance, created lazily by singleton().
 */
30 private static $_singleton = NULL;
/**
 * Get the shared coder instance, creating it on first use.
 *
 * @return CRM_Utils_API_HTMLInputCoder
 */
public static function singleton() {
  if (!isset(self::$_singleton)) {
    self::$_singleton = new self();
  }
  return self::$_singleton;
}
/**
 * Get the names of fields whose values must NOT be HTML-encoded.
 *
 * The list holds a fixed set of HTML-bearing fields plus every custom field
 * whose html_type is "RichTextEditor". It is built once and cached in
 * $this->skipFields. Presumably the parent coder consults it to bypass
 * encodeInput()/decodeOutput() for these names -- confirm against
 * CRM_Utils_API_AbstractFieldCoder.
 *
 * @return array<string>
 */
48 public function getSkipFields() {
49 if ($this->skipFields
=== NULL) {
64 'thankyou_footer_text',
71 'confirm_footer_text',
80 'premiums_intro_text',
84 // This is needed for FROM Email Address configuration. dgg
86 // This is needed for navigation items urls
89 // message templates’ text versions
91 // (send an) email to contact’s and CiviMail’s text version
93 // data i/p of persistent table
99 // The 'new' text in word replacements
101 // e.g. '"Full Name" <user@example.org>'
106 // CiviCampaign Goal Details
// Rich-text custom fields hold HTML by design, so they are exempt as well.
// The query is a fixed literal with nothing interpolated into it.
109 $custom = CRM_Core_DAO
::executeQuery('SELECT id FROM civicrm_custom_field WHERE html_type = "RichTextEditor"');
110 while ($custom->fetch()) {
111 $this->skipFields
[] = 'custom_' . $custom->id
;
114 return $this->skipFields
;
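/**
 * Partially HTML-encode submitted values as a first-line XSS mitigation.
 *
 * Only '<' and '>' are replaced (with '&lt;' and '&gt;'). Quotes and '&' are
 * left untouched, so this is NOT a complete HTML escape: it does not make a
 * value safe for attribute, JavaScript or URL contexts, and rendered output
 * must still be escaped for its own context. Because '&' is not encoded, an
 * input that already contains '&lt;' survives unchanged and decodeOutput()
 * will turn it into a literal '<'.
 *
 * Arrays are walked recursively in place; every nested scalar is encoded and
 * therefore cast to a string.
 *
 * @param array|string $values
 *   Modified in place.
 * @param bool $castToString
 *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 *   If FALSE, then non-string values will be preserved.
 */
public function encodeInput(&$values, $castToString = FALSE) {
  if (is_array($values)) {
    foreach ($values as &$value) {
      $this->encodeInput($value, TRUE);
    }
    // Release the reference left behind by the by-reference foreach.
    unset($value);
  }
  elseif ($castToString || is_string($values)) {
    $values = str_replace(['<', '>'], ['&lt;', '&gt;'], $values);
  }
}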
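/**
 * Undo the partial HTML encoding applied by encodeInput().
 *
 * Replaces '&lt;' and '&gt;' with '<' and '>'. Nothing else is decoded, and
 * the result is raw text: if it is rendered into HTML again it must be
 * escaped for that context. This is not a strict inverse of encodeInput(),
 * since a value that originally contained a literal '&lt;' also comes back
 * as '<'.
 *
 * Arrays are walked recursively in place; every nested scalar is decoded and
 * therefore cast to a string.
 *
 * @param array|string $values
 *   Modified in place.
 * @param bool $castToString
 *   If TRUE, all scalars will be filtered (and therefore cast to strings).
 *   If FALSE, then non-string values will be preserved.
 */
public function decodeOutput(&$values, $castToString = FALSE) {
  if (is_array($values)) {
    foreach ($values as &$value) {
      $this->decodeOutput($value, TRUE);
    }
    // Release the reference left behind by the by-reference foreach.
    unset($value);
  }
  elseif ($castToString || is_string($values)) {
    $values = str_replace(['&lt;', '&gt;'], ['<', '>'], $values);
  }
}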