Changeset 8260
- Timestamp:
- 04/04/08 11:10:11 (1 year ago)
- Files:
-
- branches/1.1/lib/autoload/sfCoreAutoload.class.php (modified) (1 diff)
- branches/1.1/lib/config/config/core_compile.yml (modified) (1 diff)
- branches/1.1/lib/config/config/settings.yml (modified) (1 diff)
- branches/1.1/lib/plugins/sfPropelPlugin/test/functional/m2mTest.php (modified) (1 diff)
- branches/1.1/lib/task/generator/sfGenerateAppTask.class.php (modified) (1 diff)
- branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml (modified) (1 diff)
- branches/1.1/lib/view/escaper/sfOutputEscaper.class.php (modified) (2 diffs)
- branches/1.1/lib/view/sfEscapedViewParameterHolder.class.php (deleted)
- branches/1.1/lib/view/sfView.class.php (modified) (1 diff)
- branches/1.1/lib/view/sfViewParameterHolder.class.php (modified) (10 diffs)
- branches/1.1/test/functional/escapingTest.php (modified) (2 diffs)
- branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/actions/actions.class.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/templates/indexSuccess.php (modified) (1 diff)
- branches/1.1/test/unit/view/sfEscapedViewParameterHolderTest.php (deleted)
- branches/1.1/test/unit/view/sfViewParameterHolderTest.php (modified) (6 diffs)
branches/1.1/lib/autoload/sfCoreAutoload.class.php
r8248 r8260 396 396 'sfOutputEscaperObjectDecorator' => 'view/escaper', 397 397 'sfOutputEscaperSafe' => 'view/escaper', 398 'sfEscapedViewParameterHolder' => 'view',399 398 'sfPHPView' => 'view', 400 399 'sfPartialView' => 'view', branches/1.1/lib/config/config/core_compile.yml
r8201 r8260 24 24 - %SF_SYMFONY_LIB_DIR%/view/sfView.class.php 25 25 - %SF_SYMFONY_LIB_DIR%/view/sfViewParameterHolder.class.php 26 - %SF_SYMFONY_LIB_DIR%/view/sfEscapedViewParameterHolder.class.php27 26 28 27 # these classes are optionals but very likely to be used (in web context) branches/1.1/lib/config/config/settings.yml
r8201 r8260 25 25 26 26 # Output escaping settings 27 escaping_strategy: off # Determines how variables are made available to templates. Accepted values: both, on, off. The value off deactivates escaping completely and gives a slight boost.27 escaping_strategy: off # Determines how variables are made available to templates. Accepted values: on, off. 28 28 escaping_method: ESC_SPECIALCHARS # Function or helper used for escaping. Accepted values: ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS. 29 29 branches/1.1/lib/plugins/sfPropelPlugin/test/functional/m2mTest.php
r6482 r8260 20 20 $b = new backendTestBrowser(); 21 21 22 sfConfig::set('sf_escaping_strategy', 'off'); 22 23 launch_tests($b); 23 24 24 sfConfig::set('sf_escaping_strategy', ' both');25 sfConfig::set('sf_escaping_strategy', 'on'); 25 26 launch_tests($b); 26 27 branches/1.1/lib/task/generator/sfGenerateAppTask.class.php
r8201 r8260 73 73 You can enable output escaping (to prevent XSS) by using the [escaping-strategy|COMMENT] option: 74 74 75 [./symfony generate:app frontend --escaping-strategy= both|INFO]75 [./symfony generate:app frontend --escaping-strategy=on|INFO] 76 76 77 77 You can enable session token in forms (to prevent CSRF) by defining branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml
r8201 r8260 26 26 27 27 # Output escaping settings 28 escaping_strategy: ##ESCAPING_STRATEGY## # Determines how variables are made available to templates. Accepted values: both, on, off. The value off deactivates escaping completely and gives a slight boost.28 escaping_strategy: ##ESCAPING_STRATEGY## # Determines how variables are made available to templates. Accepted values: on, off. 29 29 escaping_method: ESC_SPECIALCHARS # Function or helper used for escaping. Accepted values: ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS. 30 30 branches/1.1/lib/view/escaper/sfOutputEscaper.class.php
r8201 r8260 75 75 * @param string $escapingMethod the escaping method (a PHP callable) to apply to the value 76 76 * @param mixed $value the value to escape 77 * @param mixed the escaped value78 77 * 79 78 * @return mixed Escaping value … … 83 82 public static function escape($escapingMethod, $value) 84 83 { 85 if (is_null($value) || 'esc_raw' == $escapingMethod)84 if (is_null($value)) 86 85 { 87 86 return $value; branches/1.1/lib/view/sfView.class.php
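Review bot: Dropping the `'esc_raw' == $escapingMethod` short-circuit means an ESC_RAW request now continues into the rest of escape(), which lies outside the hunk, so for arrays and objects callers presumably receive a decorator instead of the plain value they got before; that looks intentional, since sfViewParameterHolder::toArray() in this same changeset builds `sf_data` with `sfOutputEscaper::escape(ESC_RAW, ...)` and the template calls `$sf_data->get()`, but it is a behavioural change the docblock should state. Suggested docblock addition: `ESC_RAW is no longer a no-op here: only null is returned as-is, other values take the normal escaping path.` (hedged on what the remainder of the method does). The `@return mixed Escaping value` line should also read `Escaped value`. The method body continues past the hunk.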
r8227 r8260 150 150 protected function initializeAttributeHolder($attributes = array()) 151 151 { 152 $attributeHolder = false === sfConfig::get('sf_escaping_method') ? new sfViewParameterHolder() : new sfEscapedViewParameterHolder(); 153 $attributeHolder->initialize($this->dispatcher, $attributes, array( 152 if ('both' == sfConfig::get('sf_escaping_strategy')) 153 { 154 $this->dispatcher->notify(new sfEvent($this, 'application.log', array('Escaping strategy "both" is deprecated, please use "on".', 'priority' => sfLogger::ERR))); 155 sfConfig::set('sf_escaping_strategy', 'on'); 156 } 157 else if ('bc' == sfConfig::get('sf_escaping_strategy')) 158 { 159 $this->dispatcher->notify(new sfEvent($this, 'application.log', array('Escaping strategy "bc" is deprecated, please use "off".', 'priority' => sfLogger::ERR))); 160 sfConfig::set('sf_escaping_strategy', 'off'); 161 } 162 163 $attributeHolder = new sfViewParameterHolder($this->dispatcher, $attributes, array( 154 164 'escaping_method' => sfConfig::get('sf_escaping_method'), 155 165 'escaping_strategy' => sfConfig::get('sf_escaping_strategy'), branches/1.1/lib/view/sfViewParameterHolder.class.php
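Review bot: The deprecation checks in initializeAttributeHolder use loose `==`, and `'both' == true` is true in PHP, so a boolean strategy value — which the holder explicitly accepts via `in_array($this->getEscaping(), array('on', true), true)` and which a YAML `on` is presumably parsed to — is logged as the deprecated "both" and rewritten to 'on'. The end result is still 'on', but the ERR-level log line is wrong, and the same would happen for any other truthy string a future value might use. Use strict comparison: `if ('both' === sfConfig::get('sf_escaping_strategy'))` and `else if ('bc' === sfConfig::get('sf_escaping_strategy'))`. Note too that mapping `bc` to `off` switches escaping off entirely for an installation still carrying that value, with only a log line to say so. initializeAttributeHolder's body continues past the hunk.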
r6176 r8260 3 3 /* 4 4 * This file is part of the symfony package. 5 * (c) 2004-2006Fabien Potencier <fabien.potencier@symfony-project.com>5 * (c) Fabien Potencier <fabien.potencier@symfony-project.com> 6 6 * 7 7 * For the full copyright and license information, please view the LICENSE … … 10 10 11 11 /** 12 * A Template Context stores all parameters that will be available to templates. 12 * sfViewParameterHolder stores all variables that will be available to the template. 13 * 14 * It can also escape variables with an escaping method. 13 15 * 14 16 * @package symfony … … 20 22 { 21 23 protected 22 $dispatcher = null; 24 $dispatcher = null, 25 $escaping = null, 26 $escapingMethod = null; 27 28 /** 29 * Constructor. 30 */ 31 public function __construct(sfEventDispatcher $dispatcher, $parameters = array(), $options = array()) 32 { 33 $this->initialize($dispatcher, $parameters, $options); 34 } 23 35 24 36 /** … … 29 41 * @param array An associative array of options. 30 42 * 31 * @return Boolean true, if initialization completes successfully, otherwise false. 43 * <b>Options:</b> 44 * 45 * # <b>escaping_strategy</b> - [off] - The escaping strategy (on or off) 46 * # <b>escaping_method</b> - [ESC_SPECIALCHARS] - The escaping method (ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, or ESC_SPECIALCHARS) 47 * 48 * @return Boolean true, if initialization completes successfully, otherwise false. 32 49 * 33 50 * @throws <b>sfInitializationException</b> If an error occurs while initializing this view parameter holder. … … 41 58 42 59 $this->add($parameters); 60 61 $this->setEscaping(isset($options['escaping_strategy']) ? $options['escaping_strategy'] : false); 62 $this->setEscapingMethod(isset($options['escaping_method']) ? 
$options['escaping_method'] : 'ESC_SPECIALCHARS'); 43 63 } 44 64 … … 50 70 public function isEscaped() 51 71 { 52 return false;72 return in_array($this->getEscaping(), array('on', true), true); 53 73 } 54 74 … … 57 77 * 58 78 * @return array An array of view parameters 79 * 80 * @throws InvalidArgumentException 59 81 */ 60 82 public function toArray() 61 83 { 62 return $this->getAll(); 84 $attributes = array(); 85 86 if ($this->isEscaped()) 87 { 88 $attributes['sf_data'] = sfOutputEscaper::escape($this->getEscapingMethod(), $this->getAll()); 89 foreach ($attributes['sf_data'] as $key => $value) 90 { 91 $attributes[$key] = $value; 92 } 93 } 94 else if (in_array($this->getEscaping(), array('off', false), true)) 95 { 96 $attributes = $this->getAll(); 97 $attributes['sf_data'] = sfOutputEscaper::escape(ESC_RAW, $this->getAll()); 98 } 99 else 100 { 101 throw new InvalidArgumentException(sprintf('Unknown strategy "%s".', $this->getEscaping())); 102 } 103 104 return $attributes; 105 } 106 107 /** 108 * Gets the default escaping strategy associated with this view. 109 * 110 * The escaping strategy specifies how the variables get passed to the view. 111 * 112 * @return string the escaping strategy 113 */ 114 public function getEscaping() 115 { 116 return $this->escaping; 117 } 118 119 /** 120 * Sets the escape character strategy. 121 * 122 * @param string Escape code 123 */ 124 public function setEscaping($escaping) 125 { 126 $this->escaping = $escaping; 127 } 128 129 /** 130 * Returns the name of the function that is to be used as the escaping method. 131 * 132 * If the escaping method is empty, then that is returned. The default value 133 * specified by the sub-class will be used. If the method does not exist (in 134 * the sense there is no define associated with the method), an exception is 135 * thrown. 
136 * 137 * @return string The escaping method as the name of the function to use 138 * 139 * @throws InvalidArgumentException If the method does not exist 140 */ 141 public function getEscapingMethod() 142 { 143 if (empty($this->escapingMethod)) 144 { 145 return $this->escapingMethod; 146 } 147 148 if (!defined($this->escapingMethod)) 149 { 150 throw new InvalidArgumentException(sprintf('The escaping method "%s" is not available.', $this->escapingMethod)); 151 } 152 153 return constant($this->escapingMethod); 154 } 155 156 /** 157 * Sets the escaping method for the current view. 158 * 159 * @param string Method for escaping 160 */ 161 public function setEscapingMethod($method) 162 { 163 $this->escapingMethod = $method; 63 164 } 64 165 … … 70 171 public function serialize() 71 172 { 173 $this->set('_sf_escaping_method', $this->escapingMethod); 174 $this->set('_sf_escaping', $this->escaping); 175 72 176 $tmp = clone $this; 73 177 foreach ($tmp->getNames() as $key) … … 80 184 $tmp->dispatcher = null; 81 185 82 return serialize($tmp->getAll()); 186 $serialized = serialize($tmp->getAll()); 187 188 $this->remove('_sf_escaping_method'); 189 $this->remove('_sf_escaping'); 190 191 return $serialized; 83 192 } 84 193 … … 91 200 92 201 $this->initialize(sfContext::hasInstance() ? sfContext::getInstance()->getEventDispatcher() : new sfEventDispatcher()); 202 203 $this->setEscapingMethod($this->remove('_sf_escaping_method')); 204 $this->setEscaping($this->remove('_sf_escaping')); 93 205 } 94 206 } branches/1.1/test/functional/escapingTest.php
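Review bot: unserialize() restores the strategy from `_sf_escaping` and `_sf_escaping_method` keys that only this revision's serialize() writes, so a holder serialized before this change (a stale view-cache entry, for instance) comes back with whatever `remove()` returns for a missing key — presumably null — and the next toArray() throws 'Unknown strategy "".'. Failing closed is better than silently disabling escaping, but the configured values are the sensible fallback: `$this->setEscapingMethod(null !== ($m = $this->remove('_sf_escaping_method')) ? $m : sfConfig::get('sf_escaping_method'));` and likewise `$this->setEscaping(null !== ($e = $this->remove('_sf_escaping')) ? $e : sfConfig::get('sf_escaping_strategy'));`. serialize() also leaves both helper keys in the live holder if `serialize($tmp->getAll())` throws, since the removes run only on the success path. Separately, the getEscapingMethod() docblock still says "The default value specified by the sub-class will be used", which no longer applies now that sfEscapedViewParameterHolder has been folded into this class; replace it with `If the escaping method is empty it is returned unchanged.`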
r8201 r8260 18 18 19 19 $b-> 20 get('/escaping/both')->21 isStatusCode(200)->22 isRequestParameter('module', 'escaping')->23 isRequestParameter('action', 'both')->24 responseContains('<h1>Lorem <strong>ipsum</strong> dolor sit amet.</h1>')->25 responseContains('<h2>Lorem <strong>ipsum</strong> dolor sit amet.</h2>');26 ;27 28 $b->29 20 get('/escaping/on')-> 30 21 isStatusCode(200)-> 31 22 isRequestParameter('module', 'escaping')-> 32 23 isRequestParameter('action', 'on')-> 33 responseContains('<h1> -</h1>')->24 responseContains('<h1>Lorem <strong>ipsum</strong> dolor sit amet.</h1>')-> 34 25 responseContains('<h2>Lorem <strong>ipsum</strong> dolor sit amet.</h2>'); 35 26 ; … … 41 32 isRequestParameter('action', 'off')-> 42 33 responseContains('<h1>Lorem <strong>ipsum</strong> dolor sit amet.</h1>')-> 43 responseContains('<h2> -</h2>');34 responseContains('<h2>Lorem <strong>ipsum</strong> dolor sit amet.</h2>'); 44 35 ; branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/actions/actions.class.php
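Review bot: After this change the 'on' and 'off' requests assert byte-identical response content (`<h1>Lorem <strong>ipsum</strong> dolor sit amet.</h1>` and the matching `<h2>` in both), so the functional test no longer demonstrates that `escaping_strategy: on` escapes anything — it would pass unchanged if the strategy were ignored. If the fixture app escapes with a real method, the 'on' case should expect the escaped form, e.g. `responseContains('<h1>Lorem &lt;strong&gt;ipsum&lt;/strong&gt; dolor sit amet.</h1>')`; if the fixture is configured with ESC_RAW, that configuration is what should change so the XSS-relevant path is covered. The fixture's settings are not part of this changeset, so which of the two applies is inferred.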
r8201 r8260 18 18 } 19 19 20 public function executeBoth()21 {22 sfConfig::set('sf_escaping_strategy', 'both');23 }24 25 20 public function executeOn() 26 21 { branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/templates/indexSuccess.php
r6723 r8260 1 <h1><?php echo isset($var) ? $var : '-'?></h1>2 <h2><?php echo isset($sf_data) ? $sf_data->get('var') : '-'?></h2>1 <h1><?php echo $var ?></h1> 2 <h2><?php echo $sf_data->get('var') ?></h2> branches/1.1/test/unit/view/sfViewParameterHolderTest.php
r7107 r8260 3 3 /* 4 4 * This file is part of the symfony package. 5 * (c) 2004-2006Fabien Potencier <fabien.potencier@symfony-project.com>5 * (c) Fabien Potencier <fabien.potencier@symfony-project.com> 6 6 * 7 7 * For the full copyright and license information, please view the LICENSE … … 12 12 require_once($_test_dir.'/unit/sfContextMock.class.php'); 13 13 14 $t = new lime_test(5, new lime_output_color()); 14 $t = new lime_test(24, new lime_output_color()); 15 16 define('ESC_SPECIALCHARS', 'esc_specialchars'); 17 function esc_specialchars($value) 18 { 19 return "-ESCAPED-$value-ESCAPED-"; 20 } 21 22 define('ESC_RAW', 'esc_raw'); 23 function esc_raw($value) 24 { 25 return $value; 26 } 15 27 16 28 class myRequest … … 34 46 } 35 47 36 $context = sfContext::getInstance(array('request' => 'myRequest')); 48 $context = sfContext::getInstance(array( 49 'request' => 'myRequest', 50 )); 37 51 $dispatcher = $context->dispatcher; 38 52 … … 42 56 // ->initialize() 43 57 $t->diag('->initialize()'); 44 $p = new sfViewParameterHolder(); 58 $p = new sfViewParameterHolder($dispatcher); 59 $t->is($p->get('sf_user'), $context->user, '->initialize() add some symfony shortcuts as parameters'); 60 $t->is($p->get('sf_request'), $context->request, '->initialize() add some symfony shortcuts as parameters'); 61 $t->is($p->get('sf_response'), $context->response, '->initialize() add some symfony shortcuts as parameters'); 62 45 63 $p->initialize($dispatcher, array('foo' => 'bar')); 46 64 $t->is($p->get('foo'), 'bar', '->initialize() takes an array of default parameters as its second argument'); 47 65 66 $p->initialize($dispatcher, array(), array('escaping_strategy' => 'on', 'escaping_method' => 'ESC_RAW')); 67 $t->is($p->getEscaping(), 'on', '->initialize() takes an array of options as its third argument'); 68 $t->is($p->getEscapingMethod(), ESC_RAW, '->initialize() takes an array of options as its third argument'); 69 48 70 // ->isEscaped() 49 71 $t->diag('->isEscaped()'); 50 
$t->is($p->isEscaped(), false, '->isEscaped() always returns false'); 72 $p->setEscaping('on'); 73 $t->is($p->isEscaped(), true, '->isEscaped() returns true if data will be escaped'); 74 $p->setEscaping('off'); 75 $t->is($p->isEscaped(), false, '->isEscaped() returns false if data won\'t be escaped'); 76 77 // ->getEscaping() ->setEscaping() 78 $t->diag('->getEscaping() ->setEscaping()'); 79 $p->initialize($dispatcher); 80 $p->setEscaping('on'); 81 $t->is($p->getEscaping(), 'on', '->setEscaping() changes the escaping strategy'); 82 83 // ->getEscapingMethod() ->setEscapingMethod() 84 $t->diag('->getEscapingMethod() ->setEscapingMethod()'); 85 $p->setEscapingMethod('ESC_RAW'); 86 $t->is($p->getEscapingMethod(), ESC_RAW, '->setEscapingMethod() changes the escaping method'); 87 88 $p->setEscapingMethod(''); 89 $t->is($p->getEscapingMethod(), '', '->getEscapingMethod() returns an empty value if the method is empty'); 90 91 try 92 { 93 $p->setEscapingMethod('nonexistant'); 94 $p->getEscapingMethod(); 95 $t->fail('->getEscapingMethod() throws an InvalidArgumentException if the escaping method does not exist'); 96 } 97 catch (InvalidArgumentException $e) 98 { 99 $t->pass('->getEscapingMethod() throws an InvalidArgumentException if the escaping method does not exist'); 100 } 51 101 52 102 // ->toArray() … … 55 105 $a = $p->toArray(); 56 106 $t->is($a['foo'], 'bar', '->toArray() returns an array representation of the parameter holder'); 107 108 // escaping strategies 109 $p = new sfViewParameterHolder(new sfEventDispatcher(), array('foo' => 'bar')); 110 111 try 112 { 113 $p->setEscaping('null'); 114 $p->toArray(); 115 $t->fail('->toArray() throws an InvalidArgumentException if the escaping strategy does not exist'); 116 } 117 catch (InvalidArgumentException $e) 118 { 119 $t->pass('->toArray() throws an InvalidArgumentException if the escaping strategy does not exist'); 120 } 121 122 $t->diag('Escaping strategy to on'); 123 $p->setEscaping('on'); 124 $values = $p->toArray(); 
125 $t->is(count($values), 2, '->toArray() knows about the "on" strategy'); 126 $t->is(count($values['sf_data']), 1, '->toArray() knows about the "on" strategy'); 127 $t->is($values['foo'], '-ESCAPED-bar-ESCAPED-', '->toArray() knows about the "on" strategy'); 128 $t->is($values['sf_data']['foo'], '-ESCAPED-bar-ESCAPED-', '->toArray() knows about the "on" strategy'); 129 130 $t->diag('Escaping strategy to off'); 131 $p->setEscaping('off'); 132 $values = $p->toArray(); 133 $t->is(count($values), 2, '->toArray() knows about the "off" strategy'); 134 $t->is(count($values['sf_data']), 1, '->toArray() knows about the "on" strategy'); 135 $t->is($values['foo'], 'bar', '->toArray() knows about the "off" strategy'); 136 $t->is($values['sf_data']['foo'], 'bar', '->toArray() knows about the "off" strategy'); 57 137 58 138 // ->serialize() / ->unserialize() … … 63 143 64 144 // template.filter_parameters 65 $p = new sfViewParameterHolder(); 66 $p->initialize($dispatcher); 145 $p = new sfViewParameterHolder($dispatcher); 67 146 $t->is($p->get('sf_request'), $context->request, '->initialize() add some symfony shortcuts as parameters');
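Review bot: The 'off' block reuses the "on" message on the `sf_data` count check (`$t->is(count($values['sf_data']), 1, '->toArray() knows about the "on" strategy');` after `$p->setEscaping('off')`), which makes a failure there report the wrong strategy; it should read `'->toArray() knows about the "off" strategy'`. The new isEscaped()/toArray() tests also only exercise the string strategies 'on' and 'off', while the implementation accepts the booleans true and false as well (the strict `in_array` checks in isEscaped() and toArray()), which is presumably the form a YAML `on`/`off` setting arrives in; a pair of cases like `$p->setEscaping(true); $t->is($p->isEscaped(), true, '->isEscaped() accepts boolean true');` and the false counterpart through toArray() would cover that, with the lime plan count raised accordingly.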

