[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4  * @package   s9e\TextFormatter
   5  * @copyright Copyright (c) 2010-2022 The s9e authors
   6  * @license   http://www.opensource.org/licenses/mit-license.php The MIT License
   7  */
   8  namespace s9e\TextFormatter\Configurator\TemplateChecks;
   9  
  10  use DOMElement;
  11  use DOMXPath;
  12  use s9e\TextFormatter\Configurator\Exceptions\UnsafeTemplateException;
  13  use s9e\TextFormatter\Configurator\Helpers\AVTHelper;
  14  use s9e\TextFormatter\Configurator\Items\Tag;
  15  use s9e\TextFormatter\Configurator\TemplateCheck;
  16  
  17  class DisallowXPathFunction extends TemplateCheck
  18  {
  19      /**
  20      * @var string Name of the disallowed function
  21      */
  22      public $funcName;
  23  
  24      /**
  25      * Constructor
  26      *
  27      * @param  string $funcName Name of the disallowed function
  28      */
  29  	public function __construct($funcName)
  30      {
  31          $this->funcName = $funcName;
  32      }
  33  
  34      /**
  35      * Test for the presence of given XPath function
  36      *
  37      * @param  DOMElement $template <xsl:template/> node
  38      * @param  Tag        $tag      Tag this template belongs to
  39      * @return void
  40      */
  41  	public function check(DOMElement $template, Tag $tag)
  42      {
  43          // Regexp that matches the function call
  44          $regexp = '#(?!<\\pL)' . preg_quote($this->funcName, '#') . '\\s*\\(#iu';
  45  
  46          // Allow whitespace around colons (NOTE: colons are unnecessarily escaped by preg_quote())
  47          $regexp = str_replace('\\:', '\\s*:\\s*', $regexp);
  48  
  49          foreach ($this->getExpressions($template) as $expr => $node)
  50          {
  51              // Remove string literals from the expression
  52              $expr = preg_replace('#([\'"]).*?\\1#s', '', $expr);
  53  
  54              // Test whether the expression contains a document() call
  55              if (preg_match($regexp, $expr))
  56              {
  57                  throw new UnsafeTemplateException('An XPath expression uses the ' . $this->funcName . '() function', $node);
  58              }
  59          }
  60      }
  61  
  62      /**
  63      * Get all the potential XPath expressions used in given template
  64      *
  65      * @param  DOMElement $template <xsl:template/> node
  66      * @return array                XPath expression as key, reference node as value
  67      */
  68  	protected function getExpressions(DOMElement $template)
  69      {
  70          $xpath = new DOMXPath($template->ownerDocument);
  71          $exprs = [];
  72  
  73          foreach ($xpath->query('//@*') as $attribute)
  74          {
  75              if ($attribute->parentNode->namespaceURI === self::XMLNS_XSL)
  76              {
  77                  // Attribute of an XSL element. May or may not use XPath, but it shouldn't produce
  78                  // false-positives
  79                  $expr = $attribute->value;
  80                  $exprs[$expr] = $attribute;
  81              }
  82              else
  83              {
  84                  // Attribute of an HTML (or otherwise) element -- Look for inline expressions
  85                  foreach (AVTHelper::parse($attribute->value) as $token)
  86                  {
  87                      if ($token[0] === 'expression')
  88                      {
  89                          $exprs[$token[1]] = $attribute;
  90                      }
  91                  }
  92              }
  93          }
  94  
  95          return $exprs;
  96      }
  97  }