From 952c8856098dcfd9673d344fc71be85b303c8fb1 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 22:31:23 -0700
Subject: Adding html::clean(), ::purify(), etc.

---
 modules/gallery/helpers/MY_html.php | 91 +++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 modules/gallery/helpers/MY_html.php

(limited to 'modules/gallery/helpers')

diff --git a/modules/gallery/helpers/MY_html.php b/modules/gallery/helpers/MY_html.php
new file mode 100644
index 00000000..eb388811
--- /dev/null
+++ b/modules/gallery/helpers/MY_html.php
@@ -0,0 +1,91 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class html extends html_Core {
+  /**
+   * Returns a string that is safe to be used in HTML (XSS protection).
+   *
+   * If $html is a string, the returned string will be HTML escaped.
+   * If $html is a SafeString instance, the returned string may contain
+   * unescaped HTML which is assumed to be safe.
+   *
+   * Example:<pre>
+   *   <div><?= html::clean($php_var) ?> 
+   * </pre>
+   */
+  static function clean($html) {
+    return new SafeString($html);
+  }
+
+  /**
+   * Returns a string that is safe to be used in HTML (XSS protection),
+   * purifying (filtering) the given HTML to ensure that the result contains
+   * only non-malicious HTML.
+   *
+   * Example:<pre>
+   *   <div><?= html::purify($item->title) ?> 
+   * </pre>
+   */
+  static function purify($html) {
+    return SafeString::purify($html);
+  }
+
+  /**
+   * Flags the given string as safe to be used in HTML (free of malicious HTML/JS).
+   *
+   * Example:<pre>
+   *   // Parameters to t() are automatically escaped by default.
+   *   // If the parameter is marked as safe, it won't get escaped.
+   *   t('Go <a href="%url">there</a>',
+   *     array("url" => html::mark_safe(url::current())))
+   * </pre>
+   */
+  static function mark_safe($html) {
+    return SafeString::of_safe_html($html);
+  }
+
+  /**
+   * Escapes the given string for use in JavaScript.
+   *
+   * Example:<pre>
+   *   <script type="text/javascript>"
+   *     var some_js_var = "<?= html::escape_for_js($php_var) ?>";
+   *   </script>
+   * </pre>
+   */
+  static function escape_for_js($string) {
+    return SafeString::of($string)->for_js();
+  }
+
+  /**
+   * Returns a string safe for use in HTML element attributes.
+   *
+   * Assumes that the HTML element attribute is already
+   * delimited by single or double quotes
+   *
+   * Example:<pre>
+   *     <a title="<?= html::clean_for_attribute($php_var) ?>">;
+   *   </script>
+   * </pre>
+   * @return the string escaped for use in HTML attributes.
+   */
+  static function clean_attribute($string) {
+    return self::clean($string)->for_html_attr();
+  }
+}
-- 
cgit v1.2.3