Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
W
webbasics
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Taddeüs Kroes
webbasics
Commits
cc2ee344
Commit
cc2ee344
authored
Sep 09, 2012
by
Taddeus Kroes
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Template variable values are not HTML-excaped by default.
parent
130a7468
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
45 additions
and
10 deletions
+45
-10
TODO.txt
TODO.txt
+0
-3
template.php
template.php
+25
-7
tests/test_template.php
tests/test_template.php
+20
-0
No files found.
TODO.txt
View file @
cc2ee344
Template:
- Escape variable values by default, prevent escape using $$ in template instead of $.
- Be less 'forgiving': throw errors if requested constant/variable does not exist.
\ No newline at end of file
template.php
View file @
cc2ee344
...
...
@@ -267,7 +267,7 @@ class Template extends Node {
*
* This function is a helper for {@link evaluate_expression()}.
*
* @param
array
$matches Regex matches for variable pattern.
* @param
string[]
$matches Regex matches for variable pattern.
* @return string The evaluation of the variable.
* @param Node $data A data tree containing variable values to use.
* @throws \BadMethodCallException If an error occured while calling a variable method.
...
...
@@ -276,12 +276,13 @@ class Template extends Node {
*/
private
static
function
evaluate_variable
(
array
$matches
,
Node
$data
)
{
$before
=
$matches
[
1
];
$variable
=
$matches
[
2
];
$noescape_sign
=
$matches
[
2
];
$variable
=
$matches
[
3
];
$value
=
$data
->
get
(
$variable
);
if
(
count
(
$matches
)
==
4
)
{
if
(
count
(
$matches
)
==
5
)
{
// $<name>.<name>
$attribute
=
$matches
[
3
];
$attribute
=
$matches
[
4
];
if
(
$value
===
null
)
{
throw
new
\UnexpectedValueException
(
...
...
@@ -304,9 +305,9 @@ class Template extends Node {
}
else
{
$attr_error
(
'variable is no array or object'
);
}
}
elseif
(
count
(
$matches
)
==
5
)
{
}
elseif
(
count
(
$matches
)
==
6
)
{
// $<name>.<name>()
$method
=
$matches
[
3
];
$method
=
$matches
[
4
];
if
(
$value
===
null
)
{
throw
new
\UnexpectedValueException
(
...
...
@@ -328,9 +329,25 @@ class Template extends Node {
}
}
// Escape value
if
(
is_string
(
$value
)
&&
!
$noescape_sign
)
$value
=
self
::
escape_variable_value
(
$value
);
return
$before
.
$value
;
}
/**
* Escape a vairable value for displaying in HTML.
*
* Uses {@link http://php.net/htmlentities} with ENT_QUOTES.
*
* @param string $value The variable value to escape.
* @return string The escaped value.
*/
private
static
function
escape_variable_value
(
$value
)
{
return
htmlentities
(
$value
,
ENT_QUOTES
);
}
/**
* Evaluate a conditional expression.
*
...
...
@@ -420,8 +437,9 @@ class Template extends Node {
if
(
preg_match
(
"/^([^?]*?)\s*\?([^:]*)(?::(.*))?$/"
,
$expression
,
$matches
)
)
{
// <nested_exp>?<nested_exp> | <nested_exp>?<nested_exp>:<nested_exp>
return
self
::
evaluate_condition
(
$matches
,
$data
);
}
elseif
(
preg_match
(
"/^(.*?)
\\
$(
$name
)(?:\.(
$name
)(\(\))?)?$/"
,
$expression
,
$matches
)
)
{
}
elseif
(
preg_match
(
"/^(.*?)
\\
$(
\\
$?)(
$name
)(?:\.(
$name
)(\(\))?)?$/"
,
$expression
,
$matches
)
)
{
// $<name> | $<name>.<name> | $<name>.<name>()
// | $$<name> | $$<name>.<name> | $$<name>.<name>()
return
self
::
evaluate_variable
(
$matches
,
$data
);
}
elseif
(
preg_match
(
"/^(
$function
)\((.+?)\)?$/"
,
$expression
,
$matches
)
)
{
// <function>(<nested_exp>)
...
...
tests/test_template.php
View file @
cc2ee344
...
...
@@ -21,6 +21,8 @@ class DataObject {
}
class
TemplateTest
extends
PHPUnit_Framework_TestCase
{
const
INTERNATIONALIZATION_STRING
=
'Itrntinliztin'
;
/**
* @depends test_add_root_success
*/
...
...
@@ -43,6 +45,8 @@ class TemplateTest extends PHPUnit_Framework_TestCase {
'object'
=>
new
DataObject
,
'foobar'
=>
'my_foobar_variable'
,
'foobaz'
=>
'MY_FOOBAZ_VARIABLE'
,
'html'
=>
'<script></script>'
,
'internationalization'
=>
self
::
INTERNATIONALIZATION_STRING
,
));
}
...
...
@@ -284,6 +288,22 @@ class TemplateTest extends PHPUnit_Framework_TestCase {
$this
->
assert_evaluates
(
'foobar'
,
'$object.baz()'
);
}
/**
* @depends test_evaluate_variable_success
*/
function
test_evaluate_variable_escape
()
{
$this
->
assert_evaluates
(
'<script></script>'
,
'$html'
);
$this
->
assert_evaluates
(
'Iñtërnâtiônàlizætiøn'
,
'$internationalization'
);
}
/**
* @depends test_evaluate_variable_success
*/
function
test_evaluate_variable_noescape
()
{
$this
->
assert_evaluates
(
'<script></script>'
,
'$$html'
);
$this
->
assert_evaluates
(
'Itrntinliztin'
,
'$$internationalization'
);
}
function
test_evaluate_constant
()
{
$this
->
assert_evaluates
(
'foobar_const'
,
'FOOBAR'
);
$this
->
assert_evaluates
(
'{NON_DEFINED_CONST}'
,
'NON_DEFINED_CONST'
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment