mirror of https://github.com/e107inc/e107.git synced 2025-07-25 17:01:43 +02:00

e_parse::toAttributes(): New API to concatenate HTML attributes

`e_parse::toAttributes()` is an expansion of the formerly private method
`e_form::attributes()`. Now, all client code can use
`e_parse::toAttributes()` to make it easy to concatenate variable-length
HTML attributes. Values are guaranteed to be encoded so that they cannot
escape an HTML attribute value.

All client code usages are encouraged to build HTML tags with this new
method to prevent cross-site scripting (XSS) attacks and prevent
breaking the HTML validity due to improperly escaped HTML attributes.

This new method is an extension to `e_parse::toAttribute()`, which
escaped one single HTML attribute value.
Nick Liu
2022-02-06 16:49:56 +01:00
parent 2097778cc5
commit 169efa09b9
3 changed files with 3220 additions and 3088 deletions


@@ -313,6 +313,7 @@ class e_parse
if ($bool === false)
{
$this->multibyte = false;
return null;
}
@@ -632,6 +633,7 @@ class e_parse
/**
* Check for umatched 'dangerous' HTML tags
* (these can destroy page layout where users are able to post HTML)
*
* @param string $data
* @param string $tagList - if empty, uses default list of input tags. Otherwise a CSV list of tags to check (any type)
*
@@ -684,6 +686,7 @@ class e_parse
/**
* Takes a multi-dimensional array and converts the keys to a list of routing paths.
* paths are the key and value are the top most key.
*
* @param array $array
* @return array
*/
@@ -727,8 +730,6 @@ class e_parse
}
public function toForm($text)
{
@@ -839,6 +840,7 @@ class e_parse
$text = e107::getScParser()->parseCodes($text, $parseSCFiles, $extraCodes, $eVars);
$text = str_replace('<!-- >', '', $text); // cleanup
$parse->setMode('default');
return $text;
}
@@ -1109,6 +1111,7 @@ class e_parse
/**
* Universal text/bbcode/html truncate method.
* new in v2.3.1
*
* @param $text
* @param int $length
* @param string $ending
@@ -1131,6 +1134,11 @@ class e_parse
}
/**
* @param string $text String to truncate.
* @param integer $length Length of returned string, including ellipsis.
* @param string $ending It will be used as Ending and appended to the trimmed string.
* @param boolean $exact If false, $text will not be cut mid-word
* @return string Trimmed string.
* @deprecated Soon to be made private. Use $tp->truncate() instead.
* CakePHP(tm) : Rapid Development Framework (http://www.cakephp.org)
* Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
@@ -1138,11 +1146,6 @@ class e_parse
* Truncate a HTML string
*
* Cuts a string to the length of $length and adds the value of $ending if the text is longer than length.
* @param string $text String to truncate.
* @param integer $length Length of returned string, including ellipsis.
* @param string $ending It will be used as Ending and appended to the trimmed string.
* @param boolean $exact If false, $text will not be cut mid-word
* @return string Trimmed string.
*/
public function html_truncate($text, $length = 100, $ending = '...', $exact = true)
{
@@ -1237,19 +1240,15 @@ class e_parse
}
/**
* @deprecated for public use. Will be made private. Use $tp->truncate() instead.
* Truncate a string of text to a maximum length $len append the string $more if it was truncated
* Uses current CHARSET for utf-8, returns $len characters rather than $len bytes
*
* @param string $text string to process
* @param integer $len length of characters to be truncated
* @param string $more string which will be added if truncation
* @return string Always returns text.
* @deprecated for public use. Will be made private. Use $tp->truncate() instead.
* Truncate a string of text to a maximum length $len append the string $more if it was truncated
* Uses current CHARSET for utf-8, returns $len characters rather than $len bytes
*
*/
public function text_truncate($text, $len = 200, $more = ' ... ')
{
@@ -1336,6 +1335,7 @@ class e_parse
/**
* Replace text represenation of website urls and email addresses with clickable equivalents.
*
* @param string $text
* @param string $type email|url
* @param array $opts options. (see below)
@@ -1409,6 +1409,7 @@ class e_parse
/**
* Strips block tags from html.
* ie. <p> <div> <blockquote> <h1> <h2> <h3> etc are removed.
*
* @param string $text
* @return string
*/
@@ -1425,7 +1426,8 @@ class e_parse
return strip_tags($html, $parm);
}
public function stripAttributes($s, $allowedattr = array()) {
public function stripAttributes($s, $allowedattr = array())
{
if (preg_match_all("/<[^>]*\\s([^>]*)\\/*>/msiU", $s, $res, PREG_SET_ORDER))
{
@@ -1709,6 +1711,7 @@ class e_parse
/**
* Check if a string begins with a preformatter flag.
*
* @param $str
* @return bool
*/
@@ -1838,39 +1841,70 @@ class e_parse
/**
* Use it on html attributes to avoid breaking markup .
*
* @param string $text
* @param bool $pure True to skip the text mutation by {@see e_parse::replaceConstants()}
* @example echo "<a href='#' title='".$tp->toAttribute($text)."'>Hello</a>";
*/
public function toAttribute($text)
public function toAttribute($text, $pure = false)
{
// URLs posted without HTML access may have an &amp; in them.
// Xhtml compliance.
$text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
$text = htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
if(!preg_match('/&#|\'|"|<|>/s', $text))
if (!$pure && !preg_match('/&#|\'|"|<|>/s', $text))
{
$text = $this->replaceConstants($text);
}
return $text;
}
else
/**
* Build a series of HTML attributes from the provided array
*
* Because of legacy loose typing client code usages, values that are {@see empty()} will not be added to the
* concatenated HTML attribute string except when the key is `value`, the key begins with `data-`, or the value is
* a number.
*
* @param array $attributes Key-value pairs of HTML attributes. The value must not be HTML-encoded. If the value is
* boolean true, the value will be set to the key (e.g. `['required' => true]` becomes
* "required='required'").
* @param bool $pure True to skip the text mutation by {@see e_parse::replaceConstants()}
* @return string The HTML attributes to concatenate inside an HTML tag
* @see e_parseTest::testToAttributesMixedPureAndReplaceConstants() for an example of how to use this method
*/
public function toAttributes($attributes, $pure = false)
{
return $text;
$stringifiedAttributes = [];
foreach ($attributes as $key => $value)
{
if ($value === true && (strpos($key, 'data-') !== 0))
{
$value = $key;
}
if (!empty($value) || is_numeric($value) || $key === "value" || strpos($key, 'data-') === 0)
{
$stringifiedAttributes[] = $key . "='" . $this->toAttribute($value, $pure) . "'";
}
}
return count($stringifiedAttributes) > 0 ? " " . implode(" ", $stringifiedAttributes) : "";
}
/**
* Flatten a multi-dimensional associative array with slashes.
*
* Based on Illuminate\Support\Arr::dot()
* @copyright Copyright (c) Taylor Otwell
* @license https://github.com/illuminate/support/blob/master/LICENSE.md MIT License
*
* @param $array
* @param string $prepend
* @return array
* @license https://github.com/illuminate/support/blob/master/LICENSE.md MIT License
* @copyright Copyright (c) Taylor Otwell
*/
public static function toFlatArray($array, $prepend = '')
{
@@ -1907,7 +1941,9 @@ class e_parse
foreach ($array as $key => $value)
{
if (!empty($unprepend) && substr($key, 0, strlen($unprepend)) == $unprepend)
{
$key = substr($key, strlen($unprepend));
}
$parts = explode('/', $key);
$nested = &$output;
while (count($parts) > 1)
@@ -1917,6 +1953,7 @@ class e_parse
}
$nested[array_shift($parts)] = $value;
}
return $output;
}
@@ -2046,6 +2083,7 @@ class e_parse
/**
* Clean and Encode Ampersands '&' for output to browser.
*
* @param string $text
* @return array|string|string[]
*/
@@ -2062,6 +2100,7 @@ class e_parse
/**
* Convert any string back to plain text.
*
* @param $text
* @return array|string|string[]
*/
@@ -2129,6 +2168,7 @@ class e_parse
/**
* Retrieve img tag width and height attributes for current thumbnail.
*
* @return string
*/
public function thumbDimensions($type = 'single')
@@ -2145,6 +2185,7 @@ class e_parse
/**
* Set or Get the value of the thumbNail Width.
*
* @param $width (optional)
*/
public function thumbWidth($width = null)
@@ -2160,6 +2201,7 @@ class e_parse
/**
* Set or Get the value of the thumbNailbCrop.
*
* @param bool $status = true/false
*/
public function thumbCrop($status = false)
@@ -2176,6 +2218,7 @@ class e_parse
/**
* Set or Get the value of the thumbNail height.
*
* @param $height (optional)
*/
public function thumbHeight($height = null)
@@ -2192,6 +2235,7 @@ class e_parse
/**
* Generated a Thumb Cache File Name from path and options.
*
* @param string $path
* @param array $options
* @param string $log (optional) - log file name
@@ -2383,6 +2427,7 @@ class e_parse
/**
* Used internally to store e_HTTP_STATIC.
*
* @param string|null $url The static URL ie. e_HTTP_STATIC
*/
public function setStaticUrl($url)
@@ -2393,6 +2438,7 @@ class e_parse
/**
* Generate an auto-sized Image URL.
*
* @param $url - path to image or leave blank for a placeholder. eg. {e_MEDIA}folder/my-image.jpg
* @param array $options - width and height, but leaving this empty and using $this->thumbWidth() and $this->thumbHeight() is preferred. ie. {SETWIDTH: w=x&y=x}
* @param int $options ['w'] width (optional)
@@ -2557,6 +2603,7 @@ class e_parse
/**
* Split a thumb.php url into an array which can be parsed back into the thumbUrl method. .
*
* @param $src
* @return array
*/
@@ -2608,6 +2655,7 @@ class e_parse
/**
* Experimental: Generate a Thumb URL for use in the img srcset attribute.
*
* @param string $src eg. {e_MEDIA_IMAGE}myimage.jpg
* @param int|string|array $width - desired size in px or '2x' or '3x' or null for all or array (
* @return string
@@ -2628,7 +2676,6 @@ class e_parse
}
// $encode = $this->thumbEncode();;
if ($width == null || $width === 'all')
{
@@ -2728,6 +2775,7 @@ class e_parse
/**
* Used by thumbUrl when SEF Image URLS is active. @param $url
*
* @param array $options
* @return string
* @see e107.htaccess
@@ -2890,6 +2938,7 @@ class e_parse
* Replace e107 path constants
* Note: only an ADMIN user can convert {e_ADMIN}
* TODO - runtime cache of search/replace arrays (object property) when $mode !== ''
*
* @param string $text
* @param string $mode [optional] abs|full "full" = produce absolute URL path, e.g. http://sitename.com/e107_plugins/etc
* 'abs' = produce truncated URL path, e.g. e107plugins/etc
@@ -3315,6 +3364,7 @@ class e_parse
/**
* Convert Text to a suitable format for use in emails. eg. relative links will be replaced with full links etc.
*
* @param string $text
* @param boolean $posted - if the text has been posted. (uses stripslashes etc)
* @param string $mods - flags for text transformation.
@@ -3394,6 +3444,7 @@ class e_parse
/**
* Obfuscate text from bots using Randomized encoding.
*
* @param $text
* @return string
*/
@@ -3548,6 +3599,7 @@ class e_parse
/**
* Add Allowed Tags.
*
* @param string
*/
public function addAllowedTag($tag)
@@ -3570,6 +3622,7 @@ class e_parse
/**
* Set Allowed Tags.
*
* @param $array
*/
public function setAllowedTags($array = array())
@@ -3580,6 +3633,7 @@ class e_parse
/**
* Set Script Access
*
* @param $val int e_UC_MEMBER, e_UC_NOBODY, e_UC_MAINADMIN or userclass number.
*/
public function setScriptAccess($val)
@@ -3620,6 +3674,7 @@ class e_parse
/**
* Set Allowed Attributes.
*
* @param $array
*/
public function setAllowedAttributes($array = array())
@@ -3630,6 +3685,7 @@ class e_parse
/**
* Set Script Tags.
*
* @param $array
*/
public function setScriptTags($array = array())
@@ -3660,6 +3716,7 @@ class e_parse
/**
* Add leading zeros to a number. eg. 3 might become 000003
*
* @param $num integer
* @param $numDigits - total number of digits
* @return string number with leading zeros.
@@ -3671,6 +3728,7 @@ class e_parse
/**
* Generic variable translator for LAN definitions.
*
* @param $lan - string LAN
* @param string | array $vals - either a single value, which will replace '[x]' or an array with key=>value pairs.
* @return string
@@ -3703,6 +3761,7 @@ class e_parse
/**
* Return an Array of all specific tags found in an HTML document and their attributes.
*
* @param $html - raw html code
* @param $taglist - comma separated list of tags to search or '*' for all.
* @param $header - if the $html includes the html head or body tags - it should be set to true.
@@ -3762,6 +3821,7 @@ class e_parse
/**
* Glyph Embed Method Direct from svg file.
*
* @param string $cat far|fab|fas
* @param string $id eg. fa-search
* @param array $parm eg. ['fw'=>true]
@@ -3791,6 +3851,7 @@ class e_parse
/**
* Parse xxxxx.glyph file to bootstrap glyph format.
*
* @param string $text ie. fa-xxxx, fab-xxx, fas-xxxx
* @param array|string $options
* @param bool $options ['size'] 2x, 3x, 4x, or 5x
@@ -3948,8 +4009,6 @@ class e_parse
}
}
elseif (strpos($text, 'glyphicon-') === 0) // Bootstrap 3
{
@@ -4013,6 +4072,7 @@ class e_parse
/**
* Return a Bootstrap Badge tag
*
* @param $text
* @param null $parm
* @return string
@@ -4028,6 +4088,7 @@ class e_parse
/**
* Return a Bootstrap Label tag
*
* @param $text
* @param null $type
* @return string
@@ -4053,6 +4114,7 @@ class e_parse
/**
* Take a file-path and convert it to a download link.
*
* @param $text
* @param array $parm
* @return string
@@ -4077,6 +4139,7 @@ class e_parse
/**
* Render an avatar based on supplied user data or current user when missing.
*
* @param array $userData - user data from e107_user. ie. user_image, user_id etc.
* @param array $options
* @param int $options ['w'] - image width in px
@@ -4237,6 +4300,7 @@ class e_parse
/**
* Display an icon.
*
* @param string $icon
* @example $tp->toIcon("{e_IMAGES}icons/something.png");
*/
@@ -4326,6 +4390,7 @@ class e_parse
/**
* Render an img tag.
*
* @param string $file
* @param array $parm keys: legacy|w|h|alt|class|id|crop|loading
* @param array $parm ['legacy'] Usually a legacy path like {e_FILE}
@@ -4498,6 +4563,7 @@ class e_parse
/**
* Check if a string contains bbcode.
*
* @param $text
* @return bool
*/
@@ -4533,6 +4599,7 @@ class e_parse
/**
* Check if a string is HTML
*
* @param $text
* @return bool
*/
@@ -4567,6 +4634,7 @@ class e_parse
/**
* Check if string is json and parse or return false.
*
* @param $text
* @return bool|mixed return false if not json, and json values if true.
*/
@@ -4636,6 +4704,7 @@ class e_parse
/**
* Check if a file is an video or not.
*
* @param $file string
* @return boolean
*/
@@ -4655,6 +4724,7 @@ class e_parse
/**
* Check if a file is an image or not.
*
* @param $file string
* @return boolean
*/
@@ -4707,6 +4777,7 @@ class e_parse
/**
* Display a Video file.
*
* @param string $file - format: id.type eg. x123dkax.youtube
* @param boolean $thumbnail - set to 'tag' to return an image thumbnail and 'src' to return the src url or 'video' for a small video thumbnail.
*/
@@ -4865,6 +4936,7 @@ class e_parse
/**
* Display a Date in the browser.
* Includes support for 'livestamp' (http://mattbradley.github.io/livestampjs/)
*
* @param integer $datestamp - unix timestamp
* @param string $format - short | long | relative
* @return string converted date (html)
@@ -4887,6 +4959,7 @@ class e_parse
/**
* Parse new <x-bbcode> tags into bbcode output.
*
* @param bool $retainTags : when you want to replace html and retain the <bbcode> tags wrapping it.
* @return string html
*/
@@ -5012,6 +5085,7 @@ class e_parse
$filter = function($element) use ($filter)
{
$element = (string) $element;
return is_callable($filter) ? $filter($element) : filter_var($element, $filter);
};
if (is_array($text))
@@ -5058,6 +5132,7 @@ class e_parse
/**
* Process and clean HTML from user input.
* TODO Html5 tag support.
*
* @param string $html raw HTML
* @param boolean $checkPref
* @return string
@@ -5306,6 +5381,7 @@ class e_parse
/**
* Check for Invalid Attribute Values
*
* @param $value string
* @return bool true/false
*/
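Review bot: In the `toAttributes()` hunk (`@@ -1838,39 +1841,70 @@`), only the value passes through `toAttribute()`; `$key` is concatenated verbatim in `$key . "='" . ...`, so a key containing whitespace, a quote or `>` can still alter the tag, which undercuts the escaping guarantee that the docblock and commit message give to callers. Either skip such names before the append, e.g. `if (!preg_match('/^[A-Za-z_:][A-Za-z0-9_.:-]*$/', (string) $key)) { continue; }`, or state in the `@param array $attributes` text that keys are emitted unescaped and must never be taken from request data. Separately, with the default `$pure = false`, `toAttribute()` runs `replaceConstants()` on the already-encoded string, so the guarantee also depends on every constant expanding to attribute-safe text; that looks plausible for path constants but is worth saying in the docblock. The added tests only use the fixed keys `href`, `title` and `alt`, so neither case is exercised.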


@@ -79,6 +79,11 @@ class e_form
protected $_required_string;
/**
* @var e_parse
*/
private $tp;
public function __construct($enable_tabindex = false)
{
e107::loadAdminIcons(); // required below.
@@ -103,6 +108,8 @@ class e_form
}
$this->_helptip = (int) e107::getPref('admin_helptip', 1);
$this->tp = e107::getParser();
}
@@ -1011,7 +1018,7 @@ class e_form
// XXX - $name ?!
// $parms = $name."|".$width."|".$height."|".$id;
$sc_parameters = 'mode=preview&default='.$default.'&id='.$id;
return e107::getParser()->parseTemplate('{ICONPICKER=' .$sc_parameters. '}');
return $this->tp->parseTemplate('{ICONPICKER=' .$sc_parameters. '}');
}
/**
@@ -1175,8 +1182,7 @@ class e_form
*/
public function avatarpicker($name, $curVal='', $options=array())
{
$tp = e107::getParser();
$tp = $this->tp;
$pref = e107::getPref();
$attr = 'aw=' .$pref['im_width']. '&ah=' .$pref['im_height'];
@@ -1254,7 +1260,7 @@ class e_form
{
$EAVATAR = e_AVATAR_DEFAULT;
$text .= "<div class='alert alert-danger'>";
$text .= e107::getParser()->lanVars(e107::getParser()->toHTML(LAN_EFORM_006, true), array('x'=>$EAVATAR));
$text .= $this->tp->lanVars($this->tp->toHTML(LAN_EFORM_006, true), array('x'=>$EAVATAR));
$text .= '</div>';
}
@@ -1310,12 +1316,6 @@ class e_form
*/
public function imagepicker($name, $default, $previewURL = '', $sc_parameters = '')
{
// $tp = e107::getParser();
// $name_id = $this->name2id($name);
// $meta_id = $name_id."-meta";
if(is_string($sc_parameters))
{
if(strpos($sc_parameters, '=') === false)
@@ -1373,9 +1373,7 @@ class e_form
*/
public function mediapicker($name, $default, $parms = '')
{
$tp = e107::getParser();
$tp = $this->tp;
$name_id = $this->name2id($name);
$meta_id = $name_id. '-meta';
@@ -1601,7 +1599,7 @@ class e_form
*/
public function filepicker($name, $default, $label = '', $sc_parameters = null)
{
$tp = e107::getParser();
$tp = $this->tp;
$name_id = $this->name2id($name);
unset($label);
@@ -2693,7 +2691,7 @@ class e_form
{
$key = $label;
//print_a($label);
$c = in_array($label, e107::getParser()->toDB($checked)) ? true : false;
$c = in_array($label, $this->tp->toDB($checked));
}
else
{
@@ -3297,7 +3295,7 @@ class e_form
*/
public function search($name, $searchVal, $submitName, $filterName='', $filterArray=false, $filterVal=false)
{
$tp = e107::getParser();
$tp = $this->tp;
$text = '<span class="input-append input-group e-search">
'.$this->text($name, $searchVal,20,'class=search-query&placeholder='.LAN_SEARCH.'&hellip;').'
@@ -3623,7 +3621,7 @@ var_dump($select_options);*/
public function submit_image($name, $value, $image, $title='', $options = array())
{
$tp = e107::getParser();
$tp = $this->tp;
if(!empty($options['icon']))
{
@@ -3758,7 +3756,7 @@ var_dump($select_options);*/
else
{
$fallbackIcon = '<svg class="svg-inline--fa fa-home fa-w-16" role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"><!-- Font Awesome Free 5.15.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) --><path d="M280.37 148.26L96 300.11V464a16 16 0 0 0 16 16l112.06-.29a16 16 0 0 0 15.92-16V368a16 16 0 0 1 16-16h64a16 16 0 0 1 16 16v95.64a16 16 0 0 0 16 16.05L464 480a16 16 0 0 0 16-16V300L295.67 148.26a12.19 12.19 0 0 0-15.3 0zM571.6 251.47L488 182.56V44.05a12 12 0 0 0-12-12h-56a12 12 0 0 0-12 12v72.61L318.47 43a48 48 0 0 0-61 0L4.34 251.47a12 12 0 0 0-1.6 16.9l25.5 31A12 12 0 0 0 45.15 301l235.22-193.74a12.19 12.19 0 0 1 15.3 0L530.9 301a12 12 0 0 0 16.9-1.6l25.5-31a12 12 0 0 0-1.7-16.93z"></path></svg>';
$homeIcon = ($this->_fontawesome) ? e107::getParser()->toGlyph('fa-home.glyph') : $fallbackIcon;
$homeIcon = ($this->_fontawesome) ? $this->tp->toGlyph('fa-home.glyph') : $fallbackIcon;
}
@@ -3812,7 +3810,7 @@ var_dump($select_options);*/
'target' => '_blank',
'title' => LAN_EDIT,
'href' => $url,
]) . ">" . e107::getParser()->toGlyph('fa-edit') . '</a></span>';
]) . ">" . $this->tp->toGlyph('fa-edit') . '</a></span>';
}
return '';
@@ -4037,22 +4035,7 @@ var_dump($select_options);*/
*/
private function attributes($attributes)
{
$stringifiedAttributes = [];
foreach ($attributes as $key => $value)
{
if ($value === true && (strpos($key,'data-') !== 0))
{
$value = $key;
}
if (!empty($value) || is_numeric($value) || $key === "value" || strpos($key,'data-') === 0)
{
$stringifiedAttributes[] = $key . "='" . htmlspecialchars((string) $value, ENT_QUOTES) . "'";
}
}
return count($stringifiedAttributes) > 0 ? " ".implode(" ", $stringifiedAttributes) : "";
return $this->tp->toAttributes($attributes, true);
}
public function get_attributes($options, $name = '', $value = '')
@@ -4454,7 +4437,6 @@ var_dump($select_options);*/
public function thead($fieldarray, $columnPref = array(), $querypattern = '', $requeststr = '')
{
$tp = e107::getParser();
$text = '';
$querypattern = strip_tags($querypattern);
@@ -4631,7 +4613,7 @@ var_dump($select_options);*/
$tp = e107::getParser();
$tp = $this->tp;
$types = explode(',',$parm['types']);
$list = array();
@@ -4857,7 +4839,7 @@ var_dump($select_options);*/
}
}
$source = e107::getParser()->toJSON($jsonArray, true);
$source = $this->tp->toJSON($jsonArray, true);
$mode = preg_replace('/[\W]/', '', vartrue($_GET['mode']));
@@ -4946,7 +4928,7 @@ var_dump($select_options);*/
}
elseif (!empty($model)) // old way.
{
$tp = e107::getParser();
$tp = $this->tp;
$data = $model->getData();
@@ -4994,7 +4976,7 @@ var_dump($select_options);*/
private function renderOptions($parms, $id, $attributes)
{
$tp = e107::getParser();
$tp = $this->tp;
$cls = false;
$editIconDefault = deftrue('ADMIN_EDIT_ICON', $tp->toGlyph('fa-edit'));
@@ -5134,7 +5116,7 @@ var_dump($select_options);*/
}
// @see custom fields in cpage which accept json params.
if(!empty($attributes['writeParms']) && $tmpOpt = e107::getParser()->isJSON($attributes['writeParms']))
if(!empty($attributes['writeParms']) && $tmpOpt = $this->tp->isJSON($attributes['writeParms']))
{
$attributes['writeParms'] = $tmpOpt;
unset($tmpOpt);
@@ -5158,7 +5140,7 @@ var_dump($select_options);*/
$this->renderValueTrigger($field, $value, $parms, $id);
$tp = e107::getParser();
$tp = $this->tp;
switch($field) // special fields
{
case 'options':
@@ -5602,7 +5584,7 @@ var_dump($select_options);*/
}
else
{
$url = e107::getParser()->replaceConstants($value, 'full');
$url = $this->tp->replaceConstants($value, 'full');
}
$name = basename($value);
$value = '<a href="'.$url.'" title="Direct link to '.$name.'" rel="external">'.$name.'</a>';
@@ -5640,7 +5622,7 @@ var_dump($select_options);*/
$vparm = array('thumb'=>'tag','w'=> vartrue($parms['thumb_aw'],'80'));
if($video = e107::getParser()->toVideo($value,$vparm))
if($video = $tp->toVideo($value,$vparm))
{
return $video;
}
@@ -5653,7 +5635,7 @@ var_dump($select_options);*/
$icon = '{e_IMAGE}filemanager/zip_32.png';
$src = $tp->replaceConstants(vartrue($parms['pre']).$icon, 'abs');
// return $value;
return e107::getParser()->toGlyph('fa-file','size=2x');
return $tp->toGlyph('fa-file','size=2x');
// return '<img src="'.$src.'" alt="'.$value.'" class="e-thumb" title="'.$value.'" />';
}
@@ -6275,7 +6257,7 @@ var_dump($select_options);*/
$value = html_entity_decode($value, ENT_QUOTES);
}
$tp = e107::getParser();
$tp = $this->tp;
$ret = '';
$parms = vartrue($attributes['writeParms'], array());
@@ -6498,7 +6480,7 @@ var_dump($select_options);*/
if(!empty($parms['maxlength']) && empty($parms['post']))
{
$charMsg = e107::getParser()->lanVars(defset('LAN_X_CHARS_REMAINING', '[x] chars remaining'), "<span>" . $parms['maxlength'] . "</span>");
$charMsg = $tp->lanVars(defset('LAN_X_CHARS_REMAINING', '[x] chars remaining'), "<span>" . $parms['maxlength'] . "</span>");
$parms['post'] = "<small" . $this->attributes([
'id' => $this->name2id($key) . "-char-count",
'class' => 'text-muted',
@@ -6928,7 +6910,7 @@ var_dump($select_options);*/
case 'upload': //TODO - from method
// TODO uploadfile SC is now processing uploads as well (add it to admin UI), write/readParms have to be added (see uploadfile.php parms)
$disbut = varset($parms['disable_button'], '0');
$ret = $tp->parseTemplate('{UPLOADFILE=' .(vartrue($parms['path']) ? e107::getParser()->replaceConstants($parms['path']) : e_UPLOAD)."|nowarn&trigger=etrigger_uploadfiles&disable_button={$disbut}}");
$ret = $tp->parseTemplate('{UPLOADFILE=' .(vartrue($parms['path']) ? $tp->replaceConstants($parms['path']) : e_UPLOAD)."|nowarn&trigger=etrigger_uploadfiles&disable_button={$disbut}}");
break;
case 'hidden':
@@ -7014,7 +6996,7 @@ var_dump($select_options);*/
foreach($parms['optArray'] as $key=>$val)
{
$thumbnail = e107::getParser()->toImage($val['thumbnail'], $parms);
$thumbnail = $this->tp->toImage($val['thumbnail'], $parms);
$active = ($key === $value) ? ' active' : '';
$text .= "<div class='e-image-radio " . $class . "' >
@@ -7055,7 +7037,7 @@ var_dump($select_options);*/
foreach($parms['optArray'] as $key=>$val)
{
$thumbnail = e107::getParser()->toImage($val,$parms);
$thumbnail = $this->tp->toImage($val,$parms);
$text .= "
<div class='col-md-2 e-image-radio' >
<label" . $this->attributes([
@@ -7122,7 +7104,7 @@ var_dump($select_options);*/
*/
public function renderListForm($form_options, $tree_models, $nocontainer = false)
{
$tp = e107::getParser();
$tp = $this->tp;
$text = '';
$formPre = '';
$formPost = '';
@@ -7294,7 +7276,7 @@ var_dump($select_options);*/
*/
public function renderGridForm($form_options, $tree_models, $nocontainer = false)
{
$tp = e107::getParser();
$tp = $this->tp;
$text = '';
@@ -7516,7 +7498,7 @@ var_dump($select_options);*/
}
$query = isset($form['query']) ? $form['query'] : e_QUERY ;
$url = (isset($form['url']) ? e107::getParser()->replaceConstants($form['url'], 'abs') : e_SELF).($query ? '?'.$query : '');
$url = (isset($form['url']) ? $this->tp->replaceConstants($form['url'], 'abs') : e_SELF).($query ? '?'.$query : '');
$curTab = (string) varset($_GET['tab'], '0');
$text .= "
@@ -7902,7 +7884,7 @@ var_dump($select_options);*/
foreach ($forms as $fid => $form)
{
$query = isset($form['query']) ? $form['query'] : e_QUERY ;
$url = (isset($form['url']) ? e107::getParser()->replaceConstants($form['url'], 'abs') : e_SELF).($query ? '?'.$query : '');
$url = (isset($form['url']) ? $this->tp->replaceConstants($form['url'], 'abs') : e_SELF).($query ? '?'.$query : '');
$text .= '
' .vartrue($form['form_pre'])."
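Review bot: In the `@@ -5602,7 +5584,7 @@` hunk, the line right after the changed `replaceConstants()` call still assembles the link by hand, `'<a href="'.$url.'" title="Direct link to '.$name.'" rel="external">'.$name.'</a>'`, with `$url` and `basename($value)` inserted as-is. If `$value` can reach this branch without prior encoding, a quote or angle bracket in it lands in the markup, which is the case this commit's new helper is meant to remove. Since `attributes()` now delegates to `toAttributes()`, the line could become `$value = '<a' . $this->attributes(['href' => $url, 'title' => 'Direct link to ' . $name, 'rel' => 'external']) . '>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a>';`. The enclosing method starts and ends outside the hunk, so confirm whether `$value` is already encoded upstream before applying this, to avoid double encoding.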


@@ -90,7 +90,6 @@
}
}
/*
@@ -181,6 +180,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
/*
public function testUstrpos()
{
@@ -415,7 +415,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
);
$ret = [];
foreach ($list as $mod => $val)
{
@@ -437,7 +436,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
function testToHTMLWithBBcode()
{
$tests = array(
@@ -485,7 +483,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
public function testParseTemplateWithEnabledCoreShortcodes()
@@ -644,6 +641,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
$this->assertSame('[html]Something "hi"[/html]', $actual);
}
/*
public function testUstristr()
{
@@ -669,7 +667,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
public function testToNumber()
@@ -780,6 +777,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
/*
public function testUstrlen()
{
@@ -967,8 +965,8 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
/*
public function testToJSONhelper()
@@ -1055,6 +1053,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
/*
public function testCheckHighlighting()
{
@@ -1094,6 +1093,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
/*
public function testHtmlwrap()
{
@@ -1252,11 +1252,8 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
/*
public function testParseBBCodes()
{
@@ -1277,12 +1274,93 @@ while(&#036;row = &#036;sql-&gt;fetch())
{
}
public function testToAttribute()
{
}
*/
public function testToAttributeReplaceConstants()
{
$input = "This is e_THEME: {e_THEME}";
$expected = "This is e_THEME: ./e107_themes/";
$actual = $this->tp->toAttribute($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributeDoesNotReplaceConstantsWhenStringHasSingleQuote()
{
$input = "This isn't e_THEME: {e_THEME}";
$expected = "This isn&#039;t e_THEME: {e_THEME}";
$actual = $this->tp->toAttribute($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributeDoesReplaceConstantsWhenStringHasLeftAngleBracket()
{
$input = "{e_THEME} <-- e_THEME";
$expected = "./e107_themes/ &lt;-- e_THEME";
$actual = $this->tp->toAttribute($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributeExplicitPure()
{
$input = "{e_THEME} <-- Not e_THEME";
$expected = "{e_THEME} &lt;-- Not e_THEME";
$actual = $this->tp->toAttribute($input, true);
$this->assertEquals($expected, $actual);
}
public function testToAttributeImplicitPure()
{
$input = "\"It's a Wonderful Life (1946)\"";
$expected = "&quot;It&#039;s a Wonderful Life (1946)&quot;";
$actual = $this->tp->toAttribute($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributesEmpty()
{
$input = [];
$expected = "";
$actual = $this->tp->toAttributes($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributesOne()
{
$input = ["href" => "https://e107.org"];
$expected = " href='https://e107.org'";
$actual = $this->tp->toAttributes($input);
$this->assertEquals($expected, $actual);
}
public function testToAttributesMixedPureAndReplaceConstants()
{
$input = [
"href" => "{e_THEME}",
"title" => "I would say, \"I'm the e_THEME folder!\"",
"alt" => "'{e_THEME}'",
];
$expected = " href='./e107_themes/'" .
" title='I would say, &quot;I&#039;m the e_THEME folder!&quot;'" .
" alt='&#039;{e_THEME}&#039;'";
$actual = $this->tp->toAttributes($input);
$this->assertEquals($expected, $actual);
}
public function testThumbCacheFile()
{
$tests = array(
@@ -1310,8 +1388,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
public function testText_truncate()
@@ -1352,6 +1428,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
$this->assertSame('This is a long st...', $result);
}
/*
public function testSetThumbSize()
{
@@ -1655,6 +1732,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
/*
public function testUstrtolower()
{
@@ -1713,8 +1791,8 @@ while(&#036;row = &#036;sql-&gt;fetch())
$this->tp->setStaticUrl(null);
}
/*
public function testGetUrlConstants()
{
@@ -1761,6 +1839,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
$result = $this->tp->getScriptAccess();
$this->assertEquals(e_UC_PUBLIC, $result);
}
/*
public function testGetAllowedTags()
{
@@ -1991,8 +2070,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
);
$result = $this->tp->getAllowedAttributes();
$this->assertSame($expected, $result);
@@ -2002,6 +2079,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
// $this->assertTrue($true);
}
/*
public function testSetScriptTags()
{
@@ -2123,8 +2201,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
}
function testToGlyphFallback()
@@ -2133,6 +2209,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
$result = $this->tp->toGlyph('fa-paypal.glyph');
$this->assertSame("<i class='fab fa-paypal' ></i> ", $result);
}
/*
public function testToBadge()
{
@@ -2315,8 +2392,6 @@ while(&#036;row = &#036;sql-&gt;fetch())
$this->assertStringContainsString('&amp;type=webp', $result5); // src
$tests = array(
0 => array(
'src' => '{e_PLUGIN}gallery/images/butterfly.jpg',
@@ -2406,6 +2481,7 @@ while(&#036;row = &#036;sql-&gt;fetch())
}
/*
public function testIsJSON()
{
@@ -2440,6 +2516,7 @@ Your browser does not support the audio tag.
$this->assertEquals($expected, $result);
}
/*
public function testToVideo()
{
@@ -2513,9 +2590,6 @@ Your browser does not support the audio tag.
}
public function testToDate()
{
@@ -2538,8 +2612,8 @@ Your browser does not support the audio tag.
$this->assertStringContainsString('<span>24-Feb-18</span>', $custom);
}
/*
public function testParseBBTags()
{