From f744b3227b116d4f7ccd7c71f8b8498ebf86d85f Mon Sep 17 00:00:00 2001
From: Kevin Chabowski
Date: Mon, 13 Apr 2015 22:35:27 +0200
Subject: Implemented autoescaping

Still needs some cleanup and documentation.
---
 src/ste/STECore.php | 19 +++++++++++++++++++
 src/ste/STEStandardLibrary.php | 18 ++++++++++++++++--
 src/ste/Transcompiler.php | 10 +++++++---
 3 files changed, 42 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/ste/STECore.php b/src/ste/STECore.php
index 35a92d5..4637aaa 100644
--- a/src/ste/STECore.php
+++ b/src/ste/STECore.php
@@ -10,9 +10,13 @@ namespace kch42\ste;
  * The Core of STE
  */
 class STECore {
+ const ESCAPE_NONE = "none";
+ const ESCAPE_HTML = "html";
+
 private $tags;
 private $storage_access;
 private $cur_tpl_dir;
+ public $escape_method = self::ESCAPE_NONE;
 public $scope;
 /*
@@ -101,6 +105,21 @@ class STECore {
 }
 }
+ public function autoescape($content) {
+ if ($this->escape_method == self::ESCAPE_HTML) {
+ return htmlspecialchars($content);
+ }
+ return $content;
+ }
+
+ public function eval_sub_with_escaping($sub, $method) {
+ $old_method = $this->escape_method;
+ $this->escape_method = $method;
+ $retval = $sub($this);
+ $this->escape_method = $old_method;
+ return $retval;
+ }
+
 public function calc($expression) {
 return Calc::calc($expression);
 }
diff --git a/src/ste/STEStandardLibrary.php b/src/ste/STEStandardLibrary.php
index 915b699..68ba06a 100644
--- a/src/ste/STEStandardLibrary.php
+++ b/src/ste/STEStandardLibrary.php
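Review bot: `public $escape_method` is a plain public property with no statement of which values it accepts, and since `autoescape()` later in this file only escapes when the value equals `ESCAPE_HTML`, any other value — a typo, or something a caller assigns directly — silently means no escaping at all. I would document that contract on the property, e.g. `/** Current auto-escaping mode, one of the ESCAPE_* constants. Anything other than ESCAPE_HTML disables escaping, so change it only via eval_sub_with_escaping(). */`, and on the constants note that ESCAPE_HTML covers HTML text/attribute context only. Adding further ESCAPE_* modes (JS, URL) would need matching branches in autoescape(); the constants' comment should say so.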
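Review bot: `eval_sub_with_escaping()` does not restore `escape_method` when `$sub($this)` throws, so an exception raised inside a block evaluated with ESCAPE_NONE (the Transcompiler hunk in this commit shows BreakException/ContinueException being used for loop control, and the standard library throws RuntimeError) and caught further up leaves the rest of the render unescaped. The restore should be exception-safe, as below (a `finally` is equivalent if the project targets PHP 5.5+; the catch assumes the control-flow exceptions extend `\Exception` — confirm). Separately, `htmlspecialchars($content)` uses default flags, which before PHP 8.1 do not escape single quotes, so a variable interpolated into a single-quoted attribute remains injectable; `htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` pins quote handling and charset (ENT_SUBSTITUTE needs PHP 5.4+). The same bare call is used by the `escape` tag in STEStandardLibrary.php, so both should change together.
```php
public function eval_sub_with_escaping($sub, $method) {
	$old_method = $this->escape_method;
	$this->escape_method = $method;
	try {
		$retval = $sub($this);
	} catch (\Exception $e) {
		// A break/continue/RuntimeError inside the block must not leave
		// escaping switched off for everything rendered after it.
		$this->escape_method = $old_method;
		throw $e;
	}
	$this->escape_method = $old_method;
	return $retval;
}
```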
@@ -12,13 +12,27 @@ class STEStandardLibrary {
 }
 static public function escape($ste, $params, $sub) {
+ $content = $ste->eval_sub_with_escaping($sub, STECore::ESCAPE_NONE);
+
 if($ste->evalbool(@$params["lines"])) {
- return nl2br(htmlspecialchars(str_replace("\r\n", "\n", $sub($ste))));
+ return nl2br(htmlspecialchars(str_replace("\r\n", "\n", $content)));
 } else {
- return htmlspecialchars($sub($ste));
+ return htmlspecialchars($content);
 }
 }
+ static public function raw($ste, $params, $sub) {
+ return $ste->eval_sub_with_escaping($sub, STECore::ESCAPE_NONE);
+ }
+
+ static public function autoescape($ste, $params, $sub) {
+ if(empty($params["mode"])) {
+ throw new RuntimeError("Missing mode parameter in .");
+ }
+
+ return $content = $ste->eval_sub_with_escaping($sub, $params['mode']);
+ }
+
 static public function strlen($ste, $params, $sub) {
 return strlen($sub($ste));
 }
diff --git a/src/ste/Transcompiler.php b/src/ste/Transcompiler.php
index 12fc59d..9961b15 100644
--- a/src/ste/Transcompiler.php
+++ b/src/ste/Transcompiler.php
@@ -401,7 +401,7 @@ class Transcompiler {
 return "try\n{\n" . self::indent_code($code) . "\n}\ncatch(\\kch42\\ste\\BreakException \$e) { break; }\ncatch(\\kch42\\ste\\ContinueException \$e) { continue; }\n";
 }
- private static function _transcompile($ast, $avoid_outputstack = false) { /* The real self::transcompile function, does not add boilerplate code. */
+ private static function _transcompile($ast, $avoid_outputstack = false, $in_args = false) { /* The real self::transcompile function, does not add boilerplate code. */
 $code = "";
 $text_and_var_buffer = array();
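Review bot: `autoescape()` passes `$params['mode']` straight into `eval_sub_with_escaping()` without checking it, and because `STECore::autoescape()` only escapes when the mode equals `ESCAPE_HTML` (a case-sensitive string comparison), an unrecognised mode such as `mode="HTML"` or a typo silently turns escaping off for the block instead of failing; unknown modes should be rejected after the emptiness check: `if (!in_array($params["mode"], array(STECore::ESCAPE_NONE, STECore::ESCAPE_HTML), true)) { throw new RuntimeError("Unknown autoescape mode: " . $params["mode"]); }`. The `return $content = ...` on the last line assigns to a variable that is never read; `return $ste->eval_sub_with_escaping($sub, $params['mode']);` is enough. The message `"Missing mode parameter in ."` appears to have lost its tag name — possibly stripped as markup when this page was extracted, but worth checking against the source. `escape()` and `raw()` evaluating their body with ESCAPE_NONE is the right way to avoid double escaping; a one-line comment, `// body is evaluated unescaped so the explicit escape below is applied exactly once`, would make that intent clear to the next reader.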
@@ -410,7 +410,11 @@ class Transcompiler {
 if($node instanceof TextNode) {
 $text_and_var_buffer[] = '"' . Misc::escape_text($node->text) . '"';
 } else if($node instanceof VariableNode) {
- $text_and_var_buffer[] = $node->transcompile();
+ if ($in_args) {
+ $text_and_var_buffer[] = $node->transcompile();
+ } else {
+ $text_and_var_buffer[] = "\$ste->autoescape(".$node->transcompile().")";
+ }
 } else if($node instanceof TagNode) {
 if(!empty($text_and_var_buffer)) {
 $code .= "\$outputstack[\$outputstack_i] .= " . implode (" . ", $text_and_var_buffer) . ";\n";
@@ -423,7 +427,7 @@ class Transcompiler {
 $code .= "\$$paramarray = array();\n";
 foreach($node->params as $pname => $pcontent) {
- list($pval, $pre) = self::_transcompile($pcontent, true);
+ list($pval, $pre) = self::_transcompile($pcontent, true, true);
 $code .= $pre . "\$${paramarray}['" . Misc::escape_text($pname) . "'] = " . $pval . ";\n";
 }
-- 
cgit v1.2.3-54-g00ecf
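Review bot: The `$in_args` branch that emits a bare `$node->transcompile()` for variables inside tag arguments is undocumented, and it is the one place in this hunk where a template variable is compiled without going through `$ste->autoescape()`; if the intent is that argument values reach the tag function raw and are escaped only where that tag finally outputs them, say so on the branch, e.g. `// Variables in tag arguments are passed to the tag function unescaped; escaping happens at output time, not here.`. The only call that sets `$in_args` visible in this diff is the one for params in the following hunk, so whether a TagNode nested inside an argument has the flag propagated to its own sub-compilation cannot be judged from here — worth confirming. `_transcompile()` starts and ends outside this hunk.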