From: colemanw <coleman@civicrm.org>
Date: Fri, 22 Sep 2023 23:13:20 +0000 (-0400)
Subject: dev/core#4618 - Update APIv3 explorer to not encourage php-eval in smarty
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=9856c28a482cc9d122f0a3c0e9dc9341e0b64526;p=civicrm-core.git

dev/core#4618 - Update APIv3 explorer to not encourage php-eval in smarty
---

diff --git a/templates/CRM/Admin/Page/APIExplorer.js b/templates/CRM/Admin/Page/APIExplorer.js
index e54d6bcd80..f294b308de 100644
--- a/templates/CRM/Admin/Page/APIExplorer.js
+++ b/templates/CRM/Admin/Page/APIExplorer.js
@@ -11,7 +11,6 @@
     getFieldsCache = {},
     getActionsCache = {},
     params = {},
-    smartyPhp,
     entityDoc,
     fieldTpl = _.template($('#api-param-tpl').html()),
     optionsTpl = _.template($('#api-options-tpl').html()),
@@ -596,21 +595,6 @@
     return JSON.stringify(val).replace(/\$/g, '\\$');
   }
 
-  /**
-   * @param value string
-   * @param js string
-   * @param key string
-   */
-  function smartyFormat(value, js, key) {
-    var varName = 'param_' + key.replace(/[. -]/g, '_').toLowerCase();
-    // Can't pass array literals directly into smarty so we add a php snippet
-    if (_.includes(js, '[') || _.includes(js, '{')) {
-      smartyPhp.push('$this->assign("'+ varName + '", '+ phpFormat(value) +');');
-      return '$' + varName;
-    }
-    return js;
-  }
-
   /**
    * Create the params array from user input
    * @param e
@@ -716,7 +700,6 @@
         "curl '" + http.url + "?" + $.param(http.query) + "'"
         : "curl -X " + http.method + " -d '" + $.param(http.query) +"' \\\n  '" + http.url + "'"
     };
-    smartyPhp = [];
     $.each(params, function(key, value) {
       var json = JSON.stringify(value),
         // Encourage 'return' to be an array - at least in php & js
@@ -732,7 +715,7 @@
       q.json += "  \"" + key + '": ' + js;
       // smarty already defaults to sequential
       if (key !== 'sequential') {
-        q.smarty += ' ' + key + '=' + smartyFormat(value, json, key);
+        q.smarty += ' ' + key + '=' + phpFormat(value);
       }
       // FIXME: This is not totally correct cli syntax
       q.cv += key + '=' + json + ' ';
@@ -748,8 +731,6 @@
     q.smarty += "}\n{foreach from=$result.values item=" + entity.toLowerCase() + "}\n  {$" + entity.toLowerCase() + ".some_field}\n{/foreach}";
     if (!_.includes(action, 'get')) {
       q.smarty = '{* Smarty API only works with get actions *}';
-    } else if (smartyPhp.length) {
-      q.smarty = "{php}\n  " + smartyPhp.join("\n  ") + "\n{/php}\n" + q.smarty;
     }
     $('#api-rest').html(restTpl(http));
     $.each(q, function(type, val) {