smarty-php/smarty
1
0
Fork 0
mirror of https://github.com/smarty-php/smarty.git synced 2025-08-04 10:24:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

update functions with separate escape_special_chars routine

Browse Source
This commit is contained in:
mohrt
2003-02-24 21:45:19 +00:00
parent f83592dc82
commit ae704af588
5 changed files with 58 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libs/plugins/function.html_checkboxes.php
View File

@@ -21,6 +21,7 @@
* {html_checkboxes values=$ids checked=$checked separator='<br>' output=$names} * {html_checkboxes values=$ids checked=$checked separator='<br>' output=$names}
* ------------------------------------------------------------- * -------------------------------------------------------------
*/ */
require_once $this->_get_plugin_filepath('shared','escape_special_chars');
function smarty_function_html_checkboxes($params, &$smarty) function smarty_function_html_checkboxes($params, &$smarty)
{ {
extract($params); extract($params);
@@ -47,12 +48,12 @@ function smarty_function_html_checkboxes($params, &$smarty)
} }
function smarty_function_html_checkboxes_output($name, $value, $output, $checked, $separator) { function smarty_function_html_checkboxes_output($name, $value, $output, $checked, $separator) {
$_output = '<input type="checkbox" name="' . htmlspecialchars($name) . '[]' .'" value="' . htmlspecialchars($value) . '"'; $_output = '<input type="checkbox" name="' . smarty_function_escape_special_chars($name) . '[]' .'" value="' . smarty_function_escape_special_chars($value) . '"';
if (in_array($value, $checked)) { if (in_array($value, $checked)) {
$_output .= " checked=\"checked\""; $_output .= " checked=\"checked\"";
} }
$_output .= '>' . $name . $separator . "\n"; $_output .= '>' . $output . $separator . "\n";
return $_output; return $_output;
} }

27
libs/plugins/function.html_image.php
View File

@@ -20,16 +20,35 @@
* Output: <img src="images/masthead.gif" border=0 width=400 height=23> * Output: <img src="images/masthead.gif" border=0 width=400 height=23>
* ------------------------------------------------------------- * -------------------------------------------------------------
*/ */
require_once $this->_get_plugin_filepath('shared','escape_special_chars');
function smarty_function_html_image($params, &$smarty) function smarty_function_html_image($params, &$smarty)
{ {
$name = ''; $name = '';
$border = 0; $border = 0;
$height = null; $height = null;
$width = null; $width = null;
$extra = '';
$basedir = isset($GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']) $basedir = isset($GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT'])
? $GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT'] : null; ? $GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT'] : null;
extract($params); foreach($params as $_key => $_val) {
switch($_key) {
case 'name':
$name = $_val;
break;
case 'border':
$border = $_val;
break;
case 'height':
$height = $_val;
break;
case 'width':
$width = $_val;
break;
default:
$extra .= ' '.$_key.'="'.smarty_function_escape_special_chars($_val).'"';
}
}
if (empty($name)) { if (empty($name)) {
$smarty->trigger_error("html_image: missing 'name' parameter", E_USER_ERROR); $smarty->trigger_error("html_image: missing 'name' parameter", E_USER_ERROR);
@@ -49,11 +68,15 @@ function smarty_function_html_image($params, &$smarty)
$smarty->trigger_error("html_image: unable to read '$_image_path'", E_USER_ERROR); $smarty->trigger_error("html_image: unable to read '$_image_path'", E_USER_ERROR);
} }
if(!$smarty->security && substr($_image_path,0,strlen($basedir)) != $basedir) {
$smarty->trigger_error("html_image: (secure) '$_image_path' not within basedir ($basedir)", E_USER_ERROR);
}
if(!$_image_data = getimagesize($_image_path)) { if(!$_image_data = getimagesize($_image_path)) {
$smarty->trigger_error("html_image: '$_image_path' is not a valid image file", E_USER_ERROR); $smarty->trigger_error("html_image: '$_image_path' is not a valid image file", E_USER_ERROR);
} }
return "<img src=\"$name\" border=\"$border\" ".$_image_data[3].'>'; return "<img src=\"$name\" border=\"$border\" ".$_image_data[3]."$extra>";
} }
/* vim: set expandtab: */ /* vim: set expandtab: */

18
libs/plugins/function.html_options.php
View File

@@ -1,5 +1,7 @@
<?php <?php
require('shared.escape_special_chars.php');
/* /*
* Smarty plugin * Smarty plugin
* ------------------------------------------------------------- * -------------------------------------------------------------
@@ -38,11 +40,11 @@ function smarty_function_html_options($params, &$smarty)
function smarty_function_html_options_optoutput($key, $value, $selected) { function smarty_function_html_options_optoutput($key, $value, $selected) {
if(!is_array($value)) { if(!is_array($value)) {
$html_result = '<option label="' . smarty_function_html_options_htmlspecialchars($value) . '" value="' . $html_result = '<option label="' . smarty_function_escape_special_chars($value) . '" value="' .
smarty_function_html_options_htmlspecialchars($key) . '"'; smarty_function_escape_special_chars($key) . '"';
if (in_array($key, $selected)) if (in_array($key, $selected))
$html_result .= " selected=\"selected\""; $html_result .= " selected=\"selected\"";
$html_result .= '>' . smarty_function_html_options_htmlspecialchars($value) . '</option>' . "\n"; $html_result .= '>' . smarty_function_escape_special_chars($value) . '</option>' . "\n";
} else { } else {
$html_result = smarty_function_html_options_optgroup($key, $value, $selected); $html_result = smarty_function_html_options_optgroup($key, $value, $selected);
} }
@@ -50,7 +52,7 @@ function smarty_function_html_options_optoutput($key, $value, $selected) {
} }
function smarty_function_html_options_optgroup($key, $values, $selected) { function smarty_function_html_options_optgroup($key, $values, $selected) {
$optgroup_html = '<optgroup label="' . smarty_function_html_options_htmlspecialchars($value) . '">' . "\n"; $optgroup_html = '<optgroup label="' . smarty_function_escape_special_chars($value) . '">' . "\n";
foreach ($values as $key => $value) { foreach ($values as $key => $value) {
$optgroup_html .= smarty_function_html_options_optoutput($key, $value, $selected); $optgroup_html .= smarty_function_html_options_optoutput($key, $value, $selected);
} }
@@ -58,14 +60,6 @@ function smarty_function_html_options_optgroup($key, $values, $selected) {
return $optgroup_html; return $optgroup_html;
} }
function smarty_function_html_options_htmlspecialchars($text) {
// do not escape already escaped entities (&amp; &#123;)
$text = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $text);
$text = htmlspecialchars($text);
$text = str_replace(array('%%%SMARTY_START%%%','%%%SMARTY_END%%%'), array('&',';'), $text);
return $text;
}
/* vim: set expandtab: */ /* vim: set expandtab: */
?> ?>

9
libs/plugins/function.html_radios.php
View File

@@ -8,7 +8,7 @@
* Name: html_radios * Name: html_radios
* Version: 1.0 * Version: 1.0
* Date: 24.Feb.2003 * Date: 24.Feb.2003
* Purpose: Prints out a list of radio button input types * Purpose: Prints out a list of radio input types
* Input: name (optional) - string default "radio" * Input: name (optional) - string default "radio"
* values (required) - array * values (required) - array
* checked (optional) - array default not set * checked (optional) - array default not set
@@ -17,10 +17,11 @@
* Author: Christopher Kvarme <christopher.kvarme@flashjab.com> * Author: Christopher Kvarme <christopher.kvarme@flashjab.com>
* Credits: Monte Ohrt <monte@ispi.net> * Credits: Monte Ohrt <monte@ispi.net>
* Examples: {html_radios values=$ids output=$names} * Examples: {html_radios values=$ids output=$names}
* {html_radios values=$ids name='choices' separator='<br>' output=$names} * {html_radios values=$ids name='box' separator='<br>' output=$names}
* {html_radios values=$ids checked=$checked separator='<br>' output=$names} * {html_radios values=$ids checked=$checked separator='<br>' output=$names}
* ------------------------------------------------------------- * -------------------------------------------------------------
*/ */
require_once $this->_get_plugin_filepath('shared','escape_special_chars');
function smarty_function_html_radios($params, &$smarty) function smarty_function_html_radios($params, &$smarty)
{ {
extract($params); extract($params);
@@ -47,12 +48,12 @@ function smarty_function_html_radios($params, &$smarty)
} }
function smarty_function_html_radios_output($name, $value, $output, $checked, $separator) { function smarty_function_html_radios_output($name, $value, $output, $checked, $separator) {
$_output = '<input type="radio" name="' . htmlspecialchars($name) . '[]' .'" value="' . htmlspecialchars($value) . '"'; $_output = '<input type="radio" name="' . smarty_function_escape_special_chars($name) . '[]' .'" value="' . smarty_function_escape_special_chars($value) . '"';
if (in_array($value, $checked)) { if (in_array($value, $checked)) {
$_output .= " checked=\"checked\""; $_output .= " checked=\"checked\"";
} }
$_output .= '>' . $name . $separator . "\n"; $_output .= '>' . $output . $separator . "\n";
return $_output; return $_output;
} }

18
libs/plugins/shared.escape_special_chars.php Normal file
View File

@@ -0,0 +1,18 @@
<?php
/*======================================================================*\
Function: smarty_function_escape_special_chars
Purpose: used by other smarty functions to escape
special chars except for already escaped ones
\*======================================================================*/
function smarty_function_escape_special_chars($string)
{
$string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string);
$string = htmlspecialchars($string);
$string = str_replace(array('%%%SMARTY_START%%%','%%%SMARTY_END%%%'), array('&',';'), $string);
return $string;
}
/* vim: set expandtab: */
?>