
   1  <?php
   2  
   3  /**
   4  * @package   s9e\TextFormatter
   5  * @copyright Copyright (c) 2010-2022 The s9e authors
   6  * @license   http://www.opensource.org/licenses/mit-license.php The MIT License
   7  */
   8  namespace s9e\TextFormatter\Configurator\TemplateChecks;
   9  
  10  use DOMElement;
  11  use DOMXPath;
  12  use s9e\TextFormatter\Configurator\Exceptions\UnsafeTemplateException;
  13  use s9e\TextFormatter\Configurator\Items\Tag;
  14  use s9e\TextFormatter\Configurator\TemplateCheck;
  15  
  16  class DisallowPHPTags extends TemplateCheck
  17  {
  18      /**
  19      * Prevent PHP tags from appearing in the stylesheet or in renderings
  20      *
  21      * Targets <?php tags as well as <script language="php">. Cannot target short tags or ASP tags.
  22      * Assumes that element names and attribute names are normalized to lowercase by the template
  23      * normalizer. Does not cover script elements in the output, dynamic xsl:element names are
  24      * handled by DisallowDynamicElementNames.
  25      *
  26      * NOTE: PHP tags have no effect in templates or in renderings, they are removed on the remote
  27      *       chance of being used as a vector, for example if a template is saved in a publicly
  28      *       accessible file that the webserver is somehow configured to process as PHP, or if the
  29      *       output is saved in a file (e.g. for static archives) that is parsed by PHP
  30      *
  31      * @param  DOMElement $template <xsl:template/> node
  32      * @param  Tag        $tag      Tag this template belongs to
  33      * @return void
  34      */
  35  	public function check(DOMElement $template, Tag $tag)
  36      {
  37          $queries = [
  38              '//processing-instruction()["php" = translate(name(),"HP","hp")]'
  39                  => 'PHP tags are not allowed in the template',
  40  
  41              '//script["php" = translate(@language,"HP","hp")]'
  42                  => 'PHP tags are not allowed in the template',
  43  
  44              '//xsl:processing-instruction["php" = translate(@name,"HP","hp")]'
  45                  => 'PHP tags are not allowed in the output',
  46  
  47              '//xsl:processing-instruction[contains(@name, "{")]'
  48                  => 'Dynamic processing instructions are not allowed',
  49          ];
  50  
  51          $xpath = new DOMXPath($template->ownerDocument);
  52          foreach ($queries as $query => $error)
  53          {
  54              $nodes = $xpath->query($query); 
  55  
  56              if ($nodes->length)
  57              {
  58                  throw new UnsafeTemplateException($error, $nodes->item(0));
  59              }
  60          }
  61      }
  62  }

