Fixed #390 and #391

7 files changed, 61 insertions, 29 deletions

diff --git a/HISTORY b/HISTORY
index 22e72889..56fb4a23 100644
--- a/HISTORY
+++ b/HISTORY
@@ -67,6 +67,8 @@ BUG: Issue #381 - The property CausesValidation in the TActiveDatePicker not wor
 BUG: Issue #382	- TJavaScript::quoteString() vulnerable to Unicode strings & TJavaScript::jsonEncode() doesn't check for errors (gabor)
 BUG: Issue #383 - Some THttpRequest methods raise NOTICE level errors on missing headers (gabor)
 BUG: Issue #388 - Output caching will raise error in Performance mode (gabor)
+BUG: Issue #390 - TJavaScript::encode() float encoding depends on current locale (gabor)
+BUG: Issue #391 - TJavaScript::encode() provides no simple way to pass strings in an XSS-safe way (gabor, ctrlaltca)
 
 Version 3.1.10 Jul 17, 2011
 BUG: Added missing timeout on TCacheHttpSession (ctrlaltca)
diff --git a/UPGRADE b/UPGRADE
index c05ff8ab..c329d99d 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -45,7 +45,9 @@ Upgrading from v3.1.x
 - Some TJavaScript methods have been modified to clear their use and provide better xss protection:
   the undocumented quoteUTF8() was removed, since it didn't provide any real protection;
   quoteString() now safely adds quotes around a string: previously it only added escape characters;
-  the json* family of methods actually checks for errors and generate exceptions on fail.
+  the json* family of methods actually checks for errors and generate exceptions on fail;
+  strings beginning with "javascript:" doesn't bypass security checks in TJavascript::encode(), you need
+  to explicitly use TJavascript::quoteFunction() to ensure raw javascript will be published.
 - The php JSON extension is required; it ships by default with php 5.3 and is a lot faster that the old
   TJSON-based implementation. TJSON has been removed, if you were calling it directly to encode/decode
   you can switch to TJavaScript::jsonEncode(), TJavaScript::jsonDecode().    
diff --git a/framework/Web/Javascripts/TJavaScript.php b/framework/Web/Javascripts/TJavaScript.php
index 4f12eb94..ad120771 100644
--- a/framework/Web/Javascripts/TJavaScript.php
+++ b/framework/Web/Javascripts/TJavaScript.php
@@ -82,23 +82,24 @@ class TJavaScript
 	}

 

 	/**

-	 * @return string considers the string as raw javascript function code

+	 * @return Marks a string as a javascript function. Once marke, the string is considered as a

+	 * raw javascript function that is not supposed to be encoded by {@link encode}

 	 */

 	public static function quoteFunction($js)

 	{

-		if(self::isFunction($js))

+		if($js instanceof TJavaScriptFunction)

 			return $js;

 		else

-			return 'javascript:'.$js;

+			return new TJavaScriptFunction($js);

 	}

 

 	/**

-	 * @return boolean true if string is raw javascript function code, i.e., if

-	 * the string begins with <tt>javascript:</tt>

+	 * @return boolean true if the parameter is marked as a javascript function, i.e. if it's considered as a

+	 * raw javascript function that is not supposed to be encoded by {@link encode}

 	 */

 	public static function isFunction($js)

 	{

-		return preg_match('/^\s*javascript:/i', $js);

+		return ($js instanceof TJavaScriptFunction);

 	}

 

 	/**

@@ -136,11 +137,7 @@ class TJavaScript
 				if(($first==='[' && $last===']') || ($first==='{' && $last==='}'))

 					return $value;

 			}

-			// if string begins with javascript: return the raw string minus the prefix

-			if(self::isFunction($value))

-				return preg_replace('/^\s*javascript:/', '', $value);

-			else

-				return self::quoteString($value);

+			return self::quoteString($value);

 		}

 		else if(is_bool($value))

 			return $value?'true':'false';

@@ -178,15 +175,28 @@ class TJavaScript
 			return "$value";

 		else if(is_float($value))

 		{

-			if($value===-INF)

-				return 'Number.NEGATIVE_INFINITY';

-			else if($value===INF)

-				return 'Number.POSITIVE_INFINITY';

-			else

-				return "$value";

+			switch($value)

+			{

+				case -INF:

+					return 'Number.NEGATIVE_INFINITY';

+					break;

+				case INF:

+					return 'Number.POSITIVE_INFINITY';

+					break;

+				default:

+					$locale=localeConv();

+					if($locale['decimal_point']=='.')

+						return "$value";

+					else

+						return str_replace($locale['decimal_point'], '.', "$value");

+					break;

+			}

 		}

 		else if(is_object($value))

-			return self::encode(get_object_vars($value),$toMap);

+			if ($value instanceof TJavaScriptFunction)

+				return preg_replace('/^\s*javascript:/', '', $value);

+			else

+				return self::encode(get_object_vars($value),$toMap);

 		else if($value===null)

 			return 'null';

 		else

@@ -265,3 +275,23 @@ class TJavaScript
 	}

 }

 

+/**

+ * TJavaScriptFunction class that encloses string literals that are not 

+ * supposed to be escaped by TJavaScript::encode()

+ *

+ */

+class TJavaScriptFunction

+{

+	private $_s;

+

+	public function __construct($s)

+	{

+		$this->_s = $s;

+	}

+

+	public function __toString()

+	{

+		return $this->_s;

+	}

+}

+

diff --git a/framework/Web/UI/ActiveControls/TCallbackClientSide.php b/framework/Web/UI/ActiveControls/TCallbackClientSide.php
index cfef37c4..54e6c1a3 100644
--- a/framework/Web/UI/ActiveControls/TCallbackClientSide.php
+++ b/framework/Web/UI/ActiveControls/TCallbackClientSide.php
@@ -54,8 +54,7 @@ class TCallbackClientSide extends TClientSideOptions
 {

 	/**

 	 * Returns javascript statement enclosed within a javascript function.

-	 * @param string javascript statement, if string begins within

-	 * "javascript:" the whole string is assumed to be a function.

+	 * @param string javascript statement

 	 * @return string javascript statement wrapped in a javascript function

 	 */

 	protected function ensureFunction($javascript)

diff --git a/framework/Web/UI/WebControls/TSlider.php b/framework/Web/UI/WebControls/TSlider.php
index da2189cb..f453e3ac 100644
--- a/framework/Web/UI/WebControls/TSlider.php
+++ b/framework/Web/UI/WebControls/TSlider.php
@@ -457,7 +457,7 @@ class TSlider extends TWebControl implements IPostBackDataHandler, IDataRenderer
 		$options['axis'] = strtolower($this->getDirection());

 		$options['maximum'] = $maxValue;

 		$options['minimum'] = $minValue;

-		$options['range'] = 'javascript:$R('.$minValue.",".$maxValue.")";

+		$options['range'] = TJavascript::quoteFunction('$R('.$minValue.",".$maxValue.")");

 		$options['sliderValue'] = $this->getValue();

 		$options['disabled'] = !$this->getEnabled();

 		$values=$this->getValues();

@@ -520,7 +520,7 @@ class TSliderClientScript extends TClientSideOptions
 	 */

 	public function setOnChange($javascript)

 	{

-		$code="javascript: function (value) { {$javascript} }";

+		$code=TJavascript::quoteFunction("function (value) { {$javascript} }");

 		$this->setFunction('onChange', $code);

 	}

 

@@ -537,7 +537,7 @@ class TSliderClientScript extends TClientSideOptions
 	 */

 	public function setOnSlide($javascript)

 	{

-		$code="javascript: function (value) { {$javascript} }";

+		$code=TJavascript::quoteFunction("function (value) { {$javascript} }");

 		$this->setFunction('onSlide', $code);

 	}

 

diff --git a/framework/Web/UI/WebControls/TValidationSummary.php b/framework/Web/UI/WebControls/TValidationSummary.php
index 5f6a59ce..f3164d86 100644
--- a/framework/Web/UI/WebControls/TValidationSummary.php
+++ b/framework/Web/UI/WebControls/TValidationSummary.php
@@ -475,9 +475,8 @@ class TClientSideValidationSummaryOptions extends TClientSideOptions
 	}

 

 	/**

-	 * Ensure the string is a valid javascript function. If the string begins

-	 * with "javascript:" valid javascript function is assumed, otherwise the

-	 * code block is enclosed with "function(summary, validators){ }" block.

+	 * Ensure the string is a valid javascript function. The code block

+	 * is enclosed with "function(summary, validators){ }" block.

 	 * @param string javascript code.

 	 * @return string javascript function code.

 	 */

diff --git a/index.html b/index.html
index b2ae9bd1..fabe2c83 100644
--- a/index.html
+++ b/index.html
@@ -28,10 +28,10 @@ Developers who have sufficient OOP experience will find PRADO is easy to learn a
 
 <h2>Requirements</h2>
 <p>
-The sole requirement for PRADO is PHP 5.2.0 or higher. Please run <a href="requirements/index.php">requirement checker</a> to obtain more detailed requirement information.
+The sole requirement for PRADO is PHP 5.3.3 or higher. Please run <a href="requirements/index.php">requirement checker</a> to obtain more detailed requirement information.
 </p>
 <p>
-PRADO has been tested with Apache 2.2 on both Windows XP and RedHat Linux.
+PRADO has been tested with Apache 2.2 on both Windows XP, various Linux flavours and Mac OSX.
 </p>
 
 <h2>Installation</h2>