From: colemanw
Date: Fri, 22 Sep 2023 23:13:20 +0000 (-0400)
Subject: dev/core#4618 - Update APIv3 explorer to not encourage php-eval in smarty
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=9856c28a482cc9d122f0a3c0e9dc9341e0b64526;p=civicrm-core.git
dev/core#4618 - Update APIv3 explorer to not encourage php-eval in smarty
---
diff --git a/templates/CRM/Admin/Page/APIExplorer.js b/templates/CRM/Admin/Page/APIExplorer.js
index e54d6bcd80..f294b308de 100644
--- a/templates/CRM/Admin/Page/APIExplorer.js
+++ b/templates/CRM/Admin/Page/APIExplorer.js
@@ -11,7 +11,6 @@ getFieldsCache = {}, getActionsCache = {}, params = {}, - smartyPhp, entityDoc, fieldTpl = _.template($('#api-param-tpl').html()), optionsTpl = _.template($('#api-options-tpl').html()),
@@ -596,21 +595,6 @@ return JSON.stringify(val).replace(/\$/g, '\\$'); } - /** - * @param value string - * @param js string - * @param key string - */ - function smartyFormat(value, js, key) { - var varName = 'param_' + key.replace(/[. -]/g, '_').toLowerCase(); - // Can't pass array literals directly into smarty so we add a php snippet - if (_.includes(js, '[') || _.includes(js, '{')) { - smartyPhp.push('$this->assign("'+ varName + '", '+ phpFormat(value) +');'); - return '$' + varName; - } - return js; - } - /** * Create the params array from user input * @param e
@@ -716,7 +700,6 @@ "curl '" + http.url + "?" + $.param(http.query) + "'" : "curl -X " + http.method + " -d '" + $.param(http.query) +"' \\\n '" + http.url + "'" }; - smartyPhp = []; $.each(params, function(key, value) { var json = JSON.stringify(value), // Encourage 'return' to be an array - at least in php & js
@@ -732,7 +715,7 @@ q.json += " \"" + key + '": ' + js; // smarty already defaults to sequential if (key !== 'sequential') { - q.smarty += ' ' + key + '=' + smartyFormat(value, json, key); + q.smarty += ' ' + key + '=' + phpFormat(value); } // FIXME: This is not totally correct cli syntax q.cv += key + '=' + json + ' '; 
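Review bot: In `@@ -732,7 +715,7 @@` the new `q.smarty += ' ' + key + '=' + phpFormat(value);` drops the JSON form that smartyFormat used for scalar values and pastes phpFormat's output straight into a Smarty tag attribute, yet the one visible line of phpFormat, `return JSON.stringify(val).replace(/\$/g, '\\$');`, escapes `$` for a PHP double-quoted string rather than for Smarty. A scalar value containing `$` will therefore appear as `\$` in the generated snippet, and whether Smarty's attribute parser accepts that (or would interpolate a bare `$name` instead) should be confirmed. For array values the result depends on what phpFormat's array branch produces (it sits above this hunk and is not visible here): `array(...)` is not Smarty syntax, and `[...]` literals are only accepted from Smarty 3 on, so the explorer should be exercised once with a `return` array and once with a `$`-containing string. A short comment on the new line, e.g. `// phpFormat output is used verbatim as a Smarty attribute; arrays rely on Smarty 3+ literal syntax`, would record that assumption. The enclosing `$.each(params, ...)` callback begins in the preceding hunk and continues past this one.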
@@ -748,8 +731,6 @@ q.smarty += "}\n{foreach from=$result.values item=" + entity.toLowerCase() + "}\n {$" + entity.toLowerCase() + ".some_field}\n{/foreach}"; if (!_.includes(action, 'get')) { q.smarty = '{* Smarty API only works with get actions *}'; - } else if (smartyPhp.length) { - q.smarty = "{php}\n " + smartyPhp.join("\n ") + "\n{/php}\n" + q.smarty; } $('#api-rest').html(restTpl(http)); $.each(q, function(type, val) {