From 952c8856098dcfd9673d344fc71be85b303c8fb1 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Sat, 29 Aug 2009 22:31:23 -0700
Subject: Adding html::clean(), ::purify(), etc.
---
 modules/gallery/helpers/MY_html.php | 91 +++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 modules/gallery/helpers/MY_html.php
(limited to 'modules/gallery/helpers/MY_html.php')
diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
new file mode 100644
index 00000000..eb388811
--- /dev/null
+++ b/modules/gallery/helpers/MY_html.php
@@ -0,0 +1,91 @@
+ + *
+ * + */ + static function clean($html) { + return new SafeString($html); + } + + /** + * Returns a string that is safe to be used in HTML (XSS protection), + * purifying (filtering) the given HTML to ensure that the result contains + * only non-malicious HTML. + * + * Example:
+   *   
title) ?> + *
+ */ + static function purify($html) { + return SafeString::purify($html); + } + + /** + * Flags the given string as safe to be used in HTML (free of malicious HTML/JS). + * + * Example:
+   *   // Parameters to t() are automatically escaped by default.
+   *   // If the parameter is marked as safe, it won't get escaped.
+   *   t('Go there',
+   *     array("url" => html::mark_safe(url::current())))
+   * 
+ */ + static function mark_safe($html) { + return SafeString::of_safe_html($html); + } + + /** + * Escapes the given string for use in JavaScript. + * + * Example:
+   *   
+   * 
+ * @return the string escaped for use in HTML attributes. + */ + static function clean_attribute($string) { + return self::clean($string)->for_html_attr(); + } +} -- cgit v1.2.3 From b9bd1681a3b1496c0f1bbe5e6254ab4fd0c9fe30 Mon Sep 17 00:00:00 2001 
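Review bot: The docblock for `mark_safe()` advertises `html::mark_safe(url::current())` as the canonical example, but `mark_safe()` is the one helper here that bypasses escaping entirely (it returns `SafeString::of_safe_html($html)` unchanged), so the example teaches callers to vouch for a value whose provenance is not visible in this file — if `url::current()` can carry any request-derived component, that call is exactly the XSS sink the rest of this helper exists to prevent; confirm against `url::current()` before keeping the example. I would add to that docblock: `* WARNING: the caller vouches for $html. Never pass request- or database-derived data; build markup from literals plus html::clean()/html::purify() output, then mark the assembled result.` Separately, `clean()` does `new SafeString($html)` directly while the call sites this helper set replaces used `SafeString::of()`; if `of()` does anything the constructor does not (for instance passing an already-safe SafeString through untouched, which `Html_Helper_Test` later in this page appears to rely on), the two are not interchangeable — worth a unit test pinning `html::clean(html::mark_safe("<p>x</p>"))` to the unescaped form. The class header and the body of `js_string()` are not legible in this rendering, so those are not reviewed here.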
From: Andy Staudacher Date: Sat, 29 Aug 2009 22:54:20 -0700 Subject: Update all code to use helper method html::clean(), html::purify(), ... instead of SafeString directly. --- modules/comment/controllers/comments.php | 8 ++++---- modules/comment/helpers/comment_rss.php | 8 ++++---- modules/comment/views/admin_block_recent_comments.html.php | 6 +++--- modules/comment/views/admin_comments.html.php | 10 +++++----- modules/comment/views/comment.html.php | 6 +++--- modules/comment/views/comment.mrss.php | 12 ++++++------ modules/comment/views/comments.html.php | 6 +++--- modules/digibug/controllers/digibug.php | 2 +- modules/exif/views/exif_dialog.html.php | 4 ++-- modules/g2_import/helpers/g2_import.php | 2 +- modules/gallery/controllers/admin_advanced_settings.php | 2 +- modules/gallery/controllers/quick.php | 10 +++++----- modules/gallery/helpers/MY_html.php | 4 ++-- modules/gallery/helpers/gallery_rss.php | 4 ++-- modules/gallery/helpers/gallery_task.php | 4 ++-- modules/gallery/tests/Html_Helper_Test.php | 4 ++-- modules/gallery/tests/Xss_Security_Test.php | 4 ++-- modules/gallery/views/admin_advanced_settings.html.php | 6 +++--- modules/gallery/views/admin_block_log_entries.html.php | 2 +- modules/gallery/views/admin_block_photo_stream.html.php | 4 ++-- modules/gallery/views/admin_languages.html.php | 4 ++-- modules/gallery/views/admin_maintenance.html.php | 4 ++-- modules/gallery/views/admin_maintenance_show_log.html.php | 2 +- modules/gallery/views/move_tree.html.php | 8 ++++---- modules/gallery/views/permissions_browse.html.php | 4 ++-- modules/gallery/views/permissions_form.html.php | 2 +- modules/gallery/views/simple_uploader.html.php | 14 +++++++------- modules/info/views/info_block.html.php | 10 +++++----- modules/notification/views/comment_published.html.php | 12 ++++++------ modules/notification/views/item_added.html.php | 8 ++++---- modules/notification/views/item_deleted.html.php | 6 +++--- modules/notification/views/item_updated.html.php | 12 
++++++------ modules/organize/views/organize_dialog.html.php | 2 +- modules/organize/views/organize_tree.html.php | 6 +++--- modules/rss/views/feed.mrss.php | 14 +++++++------- modules/rss/views/rss_block.html.php | 2 +- modules/search/views/search.html.php | 6 +++--- modules/server_add/views/admin_server_add.html.php | 2 +- modules/server_add/views/server_add_tree.html.php | 4 ++-- modules/server_add/views/server_add_tree_dialog.html.php | 6 +++--- modules/tag/controllers/admin_tags.php | 2 +- modules/tag/views/admin_tags.html.php | 6 +++--- modules/tag/views/tag_cloud.html.php | 2 +- modules/user/controllers/logout.php | 2 +- modules/user/views/admin_users.html.php | 8 ++++---- modules/user/views/admin_users_group.html.php | 4 ++-- modules/user/views/login.html.php | 2 +- themes/default/views/album.html.php | 6 +++--- themes/default/views/dynamic.html.php | 4 ++-- themes/default/views/header.html.php | 4 ++-- themes/default/views/movie.html.php | 4 ++-- themes/default/views/photo.html.php | 6 +++--- 52 files changed, 143 insertions(+), 143 deletions(-) (limited to 'modules/gallery/helpers/MY_html.php') diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index 87633f4c..82b12893 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php @@ -39,9 +39,9 @@ class Comments_Controller extends REST_Controller { foreach ($comments as $comment) { $data[] = array( "id" => $comment->id, - "author_name" => SafeString::of($comment->author_name()), + "author_name" => html::clean($comment->author_name()), "created" => $comment->created, - "text" => nl2br(SafeString::purify($comment->text))); + "text" => nl2br(html::purify($comment->text))); } print json_encode($data); break; 
@@ -126,9 +126,9 @@ class Comments_Controller extends REST_Controller { array("result" => "success", "data" => array( "id" => $comment->id, - "author_name" => SafeString::of($comment->author_name()), + "author_name" => html::clean($comment->author_name()), "created" => $comment->created, - "text" => nl2br(SafeString::purify($comment->text))))); + "text" => nl2br(html::purify($comment->text))))); } else { $view = new Theme_View("comment.html", "fragment"); $view->comment = $comment; diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php index 4151dcd0..b539887b 100644 --- a/modules/comment/helpers/comment_rss.php +++ b/modules/comment/helpers/comment_rss.php @@ -23,7 +23,7 @@ class comment_rss_Core { $feeds["comment/newest"] = t("All new comments"); if ($item) { $feeds["comment/item/$item->id"] = - t("Comments on %title", array("title" => SafeString::purify($item->title))); + t("Comments on %title", array("title" => html::purify($item->title))); } return $feeds; } @@ -49,13 +49,13 @@ class comment_rss_Core { $item = $comment->item(); $feed->children[] = new ArrayObject( array("pub_date" => date("D, d M Y H:i:s T", $comment->created), - "text" => nl2br(SafeString::purify($comment->text)), + "text" => nl2br(html::purify($comment->text)), "thumb_url" => $item->thumb_url(), "thumb_height" => $item->thumb_height, "thumb_width" => $item->thumb_width, "item_uri" => url::abs_site("{$item->type}s/$item->id"), - "title" => SafeString::purify($item->title), - "author" => SafeString::of($comment->author_name())), + "title" => html::purify($item->title), + "author" => html::clean($comment->author_name())), ArrayObject::ARRAY_AS_PROPS); } diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php index 2c7a5cf1..dc3975e0 100644 --- a/modules/comment/views/admin_block_recent_comments.html.php +++ b/modules/comment/views/admin_block_recent_comments.html.php 
@@ -4,13 +4,13 @@
  • "> " class="gAvatar" - alt="author_name()) ?>" + alt="author_name()) ?>" width="32" height="32" /> created) ?> %author_name said %comment_text', - array("author_name" => SafeString::of($comment->author_name()), - "comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?> + array("author_name" => html::clean($comment->author_name()), + "comment_text" => text::limit_words(nl2br(html::purify($comment->text)), 50))); ?>
  • diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php index 8b0b4c29..801ce2b3 100644 --- a/modules/comment/views/admin_comments.html.php +++ b/modules/comment/views/admin_comments.html.php @@ -108,12 +108,12 @@ " class="gAvatar" - alt="author_name()) ?>" + alt="author_name()) ?>" width="40" height="40" /> -

    author_name()) ?>

    +

    author_name()) ?>

    created) ?>

    - text)) ?> + text)) ?>
    diff --git a/modules/gallery/controllers/admin_languages.php b/modules/gallery/controllers/admin_languages.php index d85c47f9..894daedb 100644 --- a/modules/gallery/controllers/admin_languages.php +++ b/modules/gallery/controllers/admin_languages.php @@ -111,7 +111,7 @@ class Admin_Languages_Controller extends Admin_Controller { $group->input("api_key") ->label(empty($api_key) ? t("This is a unique key that will allow you to send translations to the remote server. To get your API key go to %server-link.", - array("server-link" => html::mark_safe(html::anchor($server_link)))) + array("server-link" => html::mark_clean(html::anchor($server_link)))) : t("API Key")) ->value($api_key) ->error_messages("invalid", t("The API key you provided is invalid.")); diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php index 4522d01c..b29f287f 100644 --- a/modules/gallery/helpers/MY_html.php +++ b/modules/gallery/helpers/MY_html.php @@ -51,12 +51,12 @@ class html extends html_Core { * * Example:
        *   // Parameters to t() are automatically escaped by default.
    -   *   // If the parameter is marked as safe, it won't get escaped.
    +   *   // If the parameter is marked as clean, it won't get escaped.
        *   t('Go there',
    -   *     array("url" => html::mark_safe(url::current())))
    +   *     array("url" => html::mark_clean(url::current())))
        * 
    */ - static function mark_safe($html) { + static function mark_clean($html) { return SafeString::of_safe_html($html); } diff --git a/modules/gallery/helpers/graphics.php b/modules/gallery/helpers/graphics.php index 787f8dc3..acbcb9b2 100644 --- a/modules/gallery/helpers/graphics.php +++ b/modules/gallery/helpers/graphics.php @@ -443,7 +443,7 @@ class graphics_Core { if (!module::get_var("gallery", "graphics_toolkit")) { site_status::warning( t("Graphics toolkit missing! Please choose a toolkit", - array("url" => html::mark_safe(url::site("admin/graphics")))), + array("url" => html::mark_clean(url::site("admin/graphics")))), "missing_graphics_toolkit"); } } diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php index 3623705e..bfce6dcf 100644 --- a/modules/gallery/tests/Html_Helper_Test.php +++ b/modules/gallery/tests/Html_Helper_Test.php @@ -32,8 +32,8 @@ class Html_Helper_Test extends Unit_Test_Case { $this->assert_true($safe_string instanceof SafeString); } - public function mark_safe_test() { - $safe_string = html::mark_safe("hello

    world

    "); + public function mark_clean_test() { + $safe_string = html::mark_clean("hello

    world

    "); $this->assert_true($safe_string instanceof SafeString); $safe_string_2 = html::clean($safe_string); $this->assert_equal("hello

    world

    ", diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php index ef36f6b7..0ba5a587 100644 --- a/modules/gallery/tests/Xss_Security_Test.php +++ b/modules/gallery/tests/Xss_Security_Test.php @@ -195,7 +195,7 @@ class Xss_Security_Test extends Unit_Test_Case { in_array($tokens[$token_number + 2][1], array("clean", "purify", "js_string", "clean_attribute")) && self::_token_matches("(", $tokens, $token_number + 3)) { - // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed). + // Not checking for mark_clean(). We want such calls to be marked dirty (thus reviewed). $method = $tokens[$token_number + 2][1]; $frame->expr_append("::$method("); diff --git a/modules/gallery/views/admin_block_welcome.html.php b/modules/gallery/views/admin_block_welcome.html.php index 71ef4368..d8c96187 100644 --- a/modules/gallery/views/admin_block_welcome.html.php +++ b/modules/gallery/views/admin_block_welcome.html.php @@ -5,16 +5,16 @@
    • graphics and language settings.", - array("graphics_url" => html::mark_safe(url::site("admin/graphics")), - "language_url" => html::mark_safe(url::site("admin/languages")))) ?> + array("graphics_url" => html::mark_clean(url::site("admin/graphics")), + "language_url" => html::mark_clean(url::site("admin/languages")))) ?>
    • choose a theme, or customize the way it looks.", - array("theme_url" => html::mark_safe(url::site("admin/themes")), - "theme_options_url" => html::mark_safe(url::site("admin/theme_options")))) ?> + array("theme_url" => html::mark_clean(url::site("admin/themes")), + "theme_options_url" => html::mark_clean(url::site("admin/theme_options")))) ?>
    • install modules to add cool features!", - array("modules_url" => html::mark_safe(url::site("admin/modules")))) ?> + array("modules_url" => html::mark_clean(url::site("admin/modules")))) ?>
    diff --git a/modules/gallery/views/permissions_browse.html.php b/modules/gallery/views/permissions_browse.html.php index 231daa04..b9af9117 100644 --- a/modules/gallery/views/permissions_browse.html.php +++ b/modules/gallery/views/permissions_browse.html.php @@ -29,7 +29,7 @@
    • mod_rewrite and set AllowOverride FileInfo Options to fix this.", - array("mod_rewrite_attrs" => html::mark_safe("href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\""))) ?> + array("mod_rewrite_attrs" => html::mark_clean("href=\"http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html\" target=\"_blank\"", "apache_attrs" => "href=\"http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride\" target=\"_blank\""))) ?>
    diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php index de6ce0e7..04200920 100644 --- a/modules/gallery/views/upgrader.html.php +++ b/modules/gallery/views/upgrader.html.php @@ -18,7 +18,7 @@

    Gallery is up to date.", - array("url" => html::mark_safe(url::site("albums/1")))) ?> + array("url" => html::mark_clean(url::site("albums/1")))) ?>

    diff --git a/modules/recaptcha/helpers/recaptcha.php b/modules/recaptcha/helpers/recaptcha.php index 5ac65661..bead6156 100644 --- a/modules/recaptcha/helpers/recaptcha.php +++ b/modules/recaptcha/helpers/recaptcha.php @@ -43,7 +43,7 @@ class recaptcha_Core { if (empty($public_key) || empty($private_key)) { site_status::warning( t("reCAPTCHA is not quite ready! Please configure the reCAPTCHA Keys", - array("url" => html::mark_safe(url::site("admin/recaptcha")))), + array("url" => html::mark_clean(url::site("admin/recaptcha")))), "recaptcha_config"); } else { site_status::clear("recaptcha_config"); diff --git a/modules/search/helpers/search.php b/modules/search/helpers/search.php index 5e23a04b..0080b4ce 100644 --- a/modules/search/helpers/search.php +++ b/modules/search/helpers/search.php @@ -58,7 +58,7 @@ class search_Core { if ($remaining) { site_status::warning( t('Your search index needs to be updated. Fix this now', - array("url" => html::mark_safe(url::site("admin/maintenance/start/search_task::update_index?csrf=__CSRF__")))), + array("url" => html::mark_clean(url::site("admin/maintenance/start/search_task::update_index?csrf=__CSRF__")))), "search_index_out_of_date"); } } diff --git a/modules/server_add/helpers/server_add.php b/modules/server_add/helpers/server_add.php index a84e1afd..27794855 100644 --- a/modules/server_add/helpers/server_add.php +++ b/modules/server_add/helpers/server_add.php @@ -25,7 +25,7 @@ class server_add_Core { if (empty($paths)) { site_status::warning( t("Server Add needs configuration. Configure it now!", - array("url" => html::mark_safe(url::site("admin/server_add")))), + array("url" => html::mark_clean(url::site("admin/server_add")))), "server_add_configuration"); } else { site_status::clear("server_add_configuration"); diff --git a/modules/user/views/login.html.php b/modules/user/views/login.html.php index dfd09661..27431ce8 100644 --- a/modules/user/views/login.html.php +++ b/modules/user/views/login.html.php @@ -8,7 +8,7 @@
  • - html::mark_safe( + html::mark_clean( 'id}") . '" title="' . t("Edit Your Profile")->for_html_attr() . '" id="gUserProfileLink" class="gDialogLink">' . diff --git a/modules/user/views/reset_password.html.php b/modules/user/views/reset_password.html.php index 4097bb82..92ca4917 100644 --- a/modules/user/views/reset_password.html.php +++ b/modules/user/views/reset_password.html.php @@ -10,7 +10,7 @@

    %site_url. If you made this request, you can confirm it by clicking this link. If you didn't request this password reset, it's ok to ignore this mail.", - array("site_url" => html::mark_safe(url::base(false, "http")), + array("site_url" => html::mark_clean(url::base(false, "http")), "confirm_url" => $confirm_url)) ?>

    -- cgit v1.2.3