[ Index ]

PHP Cross Reference of phpBB-3.3.0-deutsch

title

Body

[close]

/vendor/twig/twig/src/Extension/ -> EscaperExtension.php (source)

   1  <?php
   2  
   3  /*
   4   * This file is part of Twig.
   5   *
   6   * (c) Fabien Potencier
   7   *
   8   * For the full copyright and license information, please view the LICENSE
   9   * file that was distributed with this source code.
  10   */
  11  
  12  namespace Twig\Extension {
  13  use Twig\FileExtensionEscapingStrategy;
  14  use Twig\NodeVisitor\EscaperNodeVisitor;
  15  use Twig\TokenParser\AutoEscapeTokenParser;
  16  use Twig\TwigFilter;
  17  
  18  final class EscaperExtension extends AbstractExtension
  19  {
  20      private $defaultStrategy;
  21      private $escapers = [];
  22  
  23      /** @internal */
  24      public $safeClasses = [];
  25  
  26      /** @internal */
  27      public $safeLookup = [];
  28  
  29      /**
  30       * @param string|false|callable $defaultStrategy An escaping strategy
  31       *
  32       * @see setDefaultStrategy()
  33       */
  34      public function __construct($defaultStrategy = 'html')
  35      {
  36          $this->setDefaultStrategy($defaultStrategy);
  37      }
  38  
  39      public function getTokenParsers()
  40      {
  41          return [new AutoEscapeTokenParser()];
  42      }
  43  
  44      public function getNodeVisitors()
  45      {
  46          return [new EscaperNodeVisitor()];
  47      }
  48  
  49      public function getFilters()
  50      {
  51          return [
  52              new TwigFilter('escape', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
  53              new TwigFilter('e', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
  54              new TwigFilter('raw', 'twig_raw_filter', ['is_safe' => ['all']]),
  55          ];
  56      }
  57  
  58      /**
  59       * Sets the default strategy to use when not defined by the user.
  60       *
  61       * The strategy can be a valid PHP callback that takes the template
  62       * name as an argument and returns the strategy to use.
  63       *
  64       * @param string|false|callable $defaultStrategy An escaping strategy
  65       */
  66      public function setDefaultStrategy($defaultStrategy)
  67      {
  68          if ('name' === $defaultStrategy) {
  69              $defaultStrategy = [FileExtensionEscapingStrategy::class, 'guess'];
  70          }
  71  
  72          $this->defaultStrategy = $defaultStrategy;
  73      }
  74  
  75      /**
  76       * Gets the default strategy to use when not defined by the user.
  77       *
  78       * @param string $name The template name
  79       *
  80       * @return string|false The default strategy to use for the template
  81       */
  82      public function getDefaultStrategy($name)
  83      {
  84          // disable string callables to avoid calling a function named html or js,
  85          // or any other upcoming escaping strategy
  86          if (!\is_string($this->defaultStrategy) && false !== $this->defaultStrategy) {
  87              return \call_user_func($this->defaultStrategy, $name);
  88          }
  89  
  90          return $this->defaultStrategy;
  91      }
  92  
  93      /**
  94       * Defines a new escaper to be used via the escape filter.
  95       *
  96       * @param string   $strategy The strategy name that should be used as a strategy in the escape call
  97       * @param callable $callable A valid PHP callable
  98       */
  99      public function setEscaper($strategy, callable $callable)
 100      {
 101          $this->escapers[$strategy] = $callable;
 102      }
 103  
 104      /**
 105       * Gets all defined escapers.
 106       *
 107       * @return callable[] An array of escapers
 108       */
 109      public function getEscapers()
 110      {
 111          return $this->escapers;
 112      }
 113  
 114      public function setSafeClasses(array $safeClasses = [])
 115      {
 116          $this->safeClasses = [];
 117          $this->safeLookup = [];
 118          foreach ($safeClasses as $class => $strategies) {
 119              $this->addSafeClass($class, $strategies);
 120          }
 121      }
 122  
 123      public function addSafeClass(string $class, array $strategies)
 124      {
 125          $class = ltrim($class, '\\');
 126          if (!isset($this->safeClasses[$class])) {
 127              $this->safeClasses[$class] = [];
 128          }
 129          $this->safeClasses[$class] = array_merge($this->safeClasses[$class], $strategies);
 130  
 131          foreach ($strategies as $strategy) {
 132              $this->safeLookup[$strategy][$class] = true;
 133          }
 134      }
 135  }
 136  
 137  class_alias('Twig\Extension\EscaperExtension', 'Twig_Extension_Escaper');
 138  }
 139  
 140  namespace {
 141  use Twig\Environment;
 142  use Twig\Error\RuntimeError;
 143  use Twig\Extension\CoreExtension;
 144  use Twig\Extension\EscaperExtension;
 145  use Twig\Markup;
 146  use Twig\Node\Expression\ConstantExpression;
 147  use Twig\Node\Node;
 148  
 149  /**
 150   * Marks a variable as being safe.
 151   *
 152   * @param string $string A PHP variable
 153   *
 154   * @return string
 155   */
 156  function twig_raw_filter($string)
 157  {
 158      return $string;
 159  }
 160  
 161  /**
 162   * Escapes a string.
 163   *
 164   * @param mixed  $string     The value to be escaped
 165   * @param string $strategy   The escaping strategy
 166   * @param string $charset    The charset
 167   * @param bool   $autoescape Whether the function is called by the auto-escaping feature (true) or by the developer (false)
 168   *
 169   * @return string
 170   */
 171  function twig_escape_filter(Environment $env, $string, $strategy = 'html', $charset = null, $autoescape = false)
 172  {
 173      if ($autoescape && $string instanceof Markup) {
 174          return $string;
 175      }
 176  
 177      if (!\is_string($string)) {
 178          if (\is_object($string) && method_exists($string, '__toString')) {
 179              if ($autoescape) {
 180                  $c = \get_class($string);
 181                  $ext = $env->getExtension(EscaperExtension::class);
 182                  if (!isset($ext->safeClasses[$c])) {
 183                      $ext->safeClasses[$c] = [];
 184                      foreach (class_parents($string) + class_implements($string) as $class) {
 185                          if (isset($ext->safeClasses[$class])) {
 186                              $ext->safeClasses[$c] = array_unique(array_merge($ext->safeClasses[$c], $ext->safeClasses[$class]));
 187                              foreach ($ext->safeClasses[$class] as $s) {
 188                                  $ext->safeLookup[$s][$c] = true;
 189                              }
 190                          }
 191                      }
 192                  }
 193                  if (isset($ext->safeLookup[$strategy][$c]) || isset($ext->safeLookup['all'][$c])) {
 194                      return (string) $string;
 195                  }
 196              }
 197  
 198              $string = (string) $string;
 199          } elseif (\in_array($strategy, ['html', 'js', 'css', 'html_attr', 'url'])) {
 200              return $string;
 201          }
 202      }
 203  
 204      if ('' === $string) {
 205          return '';
 206      }
 207  
 208      if (null === $charset) {
 209          $charset = $env->getCharset();
 210      }
 211  
 212      switch ($strategy) {
 213          case 'html':
 214              // see https://secure.php.net/htmlspecialchars
 215  
 216              // Using a static variable to avoid initializing the array
 217              // each time the function is called. Moving the declaration on the
 218              // top of the function slow downs other escaping strategies.
 219              static $htmlspecialcharsCharsets = [
 220                  'ISO-8859-1' => true, 'ISO8859-1' => true,
 221                  'ISO-8859-15' => true, 'ISO8859-15' => true,
 222                  'utf-8' => true, 'UTF-8' => true,
 223                  'CP866' => true, 'IBM866' => true, '866' => true,
 224                  'CP1251' => true, 'WINDOWS-1251' => true, 'WIN-1251' => true,
 225                  '1251' => true,
 226                  'CP1252' => true, 'WINDOWS-1252' => true, '1252' => true,
 227                  'KOI8-R' => true, 'KOI8-RU' => true, 'KOI8R' => true,
 228                  'BIG5' => true, '950' => true,
 229                  'GB2312' => true, '936' => true,
 230                  'BIG5-HKSCS' => true,
 231                  'SHIFT_JIS' => true, 'SJIS' => true, '932' => true,
 232                  'EUC-JP' => true, 'EUCJP' => true,
 233                  'ISO8859-5' => true, 'ISO-8859-5' => true, 'MACROMAN' => true,
 234              ];
 235  
 236              if (isset($htmlspecialcharsCharsets[$charset])) {
 237                  return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
 238              }
 239  
 240              if (isset($htmlspecialcharsCharsets[strtoupper($charset)])) {
 241                  // cache the lowercase variant for future iterations
 242                  $htmlspecialcharsCharsets[$charset] = true;
 243  
 244                  return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
 245              }
 246  
 247              $string = iconv($charset, 'UTF-8', $string);
 248              $string = htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
 249  
 250              return iconv('UTF-8', $charset, $string);
 251  
 252          case 'js':
 253              // escape all non-alphanumeric characters
 254              // into their \x or \uHHHH representations
 255              if ('UTF-8' !== $charset) {
 256                  $string = iconv($charset, 'UTF-8', $string);
 257              }
 258  
 259              if (!preg_match('//u', $string)) {
 260                  throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
 261              }
 262  
 263              $string = preg_replace_callback('#[^a-zA-Z0-9,\._]#Su', function ($matches) {
 264                  $char = $matches[0];
 265  
 266                  /*
 267                   * A few characters have short escape sequences in JSON and JavaScript.
 268                   * Escape sequences supported only by JavaScript, not JSON, are ommitted.
 269                   * \" is also supported but omitted, because the resulting string is not HTML safe.
 270                   */
 271                  static $shortMap = [
 272                      '\\' => '\\\\',
 273                      '/' => '\\/',
 274                      "\x08" => '\b',
 275                      "\x0C" => '\f',
 276                      "\x0A" => '\n',
 277                      "\x0D" => '\r',
 278                      "\x09" => '\t',
 279                  ];
 280  
 281                  if (isset($shortMap[$char])) {
 282                      return $shortMap[$char];
 283                  }
 284  
 285                  // \uHHHH
 286                  $char = twig_convert_encoding($char, 'UTF-16BE', 'UTF-8');
 287                  $char = strtoupper(bin2hex($char));
 288  
 289                  if (4 >= \strlen($char)) {
 290                      return sprintf('\u%04s', $char);
 291                  }
 292  
 293                  return sprintf('\u%04s\u%04s', substr($char, 0, -4), substr($char, -4));
 294              }, $string);
 295  
 296              if ('UTF-8' !== $charset) {
 297                  $string = iconv('UTF-8', $charset, $string);
 298              }
 299  
 300              return $string;
 301  
 302          case 'css':
 303              if ('UTF-8' !== $charset) {
 304                  $string = iconv($charset, 'UTF-8', $string);
 305              }
 306  
 307              if (!preg_match('//u', $string)) {
 308                  throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
 309              }
 310  
 311              $string = preg_replace_callback('#[^a-zA-Z0-9]#Su', function ($matches) {
 312                  $char = $matches[0];
 313  
 314                  return sprintf('\\%X ', 1 === \strlen($char) ? \ord($char) : mb_ord($char, 'UTF-8'));
 315              }, $string);
 316  
 317              if ('UTF-8' !== $charset) {
 318                  $string = iconv('UTF-8', $charset, $string);
 319              }
 320  
 321              return $string;
 322  
 323          case 'html_attr':
 324              if ('UTF-8' !== $charset) {
 325                  $string = iconv($charset, 'UTF-8', $string);
 326              }
 327  
 328              if (!preg_match('//u', $string)) {
 329                  throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
 330              }
 331  
 332              $string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_]#Su', function ($matches) {
 333                  /**
 334                   * This function is adapted from code coming from Zend Framework.
 335                   *
 336                   * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (https://www.zend.com)
 337                   * @license   https://framework.zend.com/license/new-bsd New BSD License
 338                   */
 339                  $chr = $matches[0];
 340                  $ord = \ord($chr);
 341  
 342                  /*
 343                   * The following replaces characters undefined in HTML with the
 344                   * hex entity for the Unicode replacement character.
 345                   */
 346                  if (($ord <= 0x1f && "\t" != $chr && "\n" != $chr && "\r" != $chr) || ($ord >= 0x7f && $ord <= 0x9f)) {
 347                      return '&#xFFFD;';
 348                  }
 349  
 350                  /*
 351                   * Check if the current character to escape has a name entity we should
 352                   * replace it with while grabbing the hex value of the character.
 353                   */
 354                  if (1 === \strlen($chr)) {
 355                      /*
 356                       * While HTML supports far more named entities, the lowest common denominator
 357                       * has become HTML5's XML Serialisation which is restricted to the those named
 358                       * entities that XML supports. Using HTML entities would result in this error:
 359                       *     XML Parsing Error: undefined entity
 360                       */
 361                      static $entityMap = [
 362                          34 => '&quot;', /* quotation mark */
 363                          38 => '&amp;',  /* ampersand */
 364                          60 => '&lt;',   /* less-than sign */
 365                          62 => '&gt;',   /* greater-than sign */
 366                      ];
 367  
 368                      if (isset($entityMap[$ord])) {
 369                          return $entityMap[$ord];
 370                      }
 371  
 372                      return sprintf('&#x%02X;', $ord);
 373                  }
 374  
 375                  /*
 376                   * Per OWASP recommendations, we'll use hex entities for any other
 377                   * characters where a named entity does not exist.
 378                   */
 379                  return sprintf('&#x%04X;', mb_ord($chr, 'UTF-8'));
 380              }, $string);
 381  
 382              if ('UTF-8' !== $charset) {
 383                  $string = iconv('UTF-8', $charset, $string);
 384              }
 385  
 386              return $string;
 387  
 388          case 'url':
 389              return rawurlencode($string);
 390  
 391          default:
 392              static $escapers;
 393  
 394              if (null === $escapers) {
 395                  // merge the ones set on CoreExtension for BC (to be removed in 3.0)
 396                  $escapers = array_merge(
 397                      $env->getExtension(CoreExtension::class)->getEscapers(false),
 398                      $env->getExtension(EscaperExtension::class)->getEscapers()
 399                  );
 400              }
 401  
 402              if (isset($escapers[$strategy])) {
 403                  return $escapers[$strategy]($env, $string, $charset);
 404              }
 405  
 406              $validStrategies = implode(', ', array_merge(['html', 'js', 'url', 'css', 'html_attr'], array_keys($escapers)));
 407  
 408              throw new RuntimeError(sprintf('Invalid escaping strategy "%s" (valid ones: %s).', $strategy, $validStrategies));
 409      }
 410  }
 411  
 412  /**
 413   * @internal
 414   */
 415  function twig_escape_filter_is_safe(Node $filterArgs)
 416  {
 417      foreach ($filterArgs as $arg) {
 418          if ($arg instanceof ConstantExpression) {
 419              return [$arg->getAttribute('value')];
 420          }
 421  
 422          return [];
 423      }
 424  
 425      return ['html'];
 426  }
 427  }


Generated: Tue Apr 7 19:44:41 2020 Cross-referenced by PHPXref 0.7.1