-rw-r--r--demos/quickstart/protected/pages/Controls/SafeHtml.page4
-rw-r--r--demos/quickstart/protected/pages/Controls/Samples/TSafeHtml/Home.page8
-rw-r--r--framework/3rdParty/SafeHtml/TSafeHtmlParser.php9
-rw-r--r--framework/Web/UI/WebControls/TSafeHtml.php27
4 files changed, 41 insertions, 7 deletions
diff --git a/demos/quickstart/protected/pages/Controls/SafeHtml.page b/demos/quickstart/protected/pages/Controls/SafeHtml.page
index 0bdea616..fb7ca46b 100644
--- a/demos/quickstart/protected/pages/Controls/SafeHtml.page
+++ b/demos/quickstart/protected/pages/Controls/SafeHtml.page
@@ -20,6 +20,10 @@
To use <tt>TSafeHtml</tt>, simply enclose the content to be secured within the <tt>TSafeHtml</tt> component tag in a template. The content may consist of both static text and PRADO controls. If the latter, the rendering result of the controls will be secured.
</p>
+<p class="block-content">
+If the content is encoded in UTF-7, you'll need to enable the <tt>RepackUTF7</tt> property to ensure the contents gets parsed correctly.
+</p>
+
<com:RunBar PagePath="Controls.Samples.TSafeHtml.Home" />
</com:TContent>
diff --git a/demos/quickstart/protected/pages/Controls/Samples/TSafeHtml/Home.page b/demos/quickstart/protected/pages/Controls/Samples/TSafeHtml/Home.page
index cb681709..bf5947f9 100644
--- a/demos/quickstart/protected/pages/Controls/Samples/TSafeHtml/Home.page
+++ b/demos/quickstart/protected/pages/Controls/Samples/TSafeHtml/Home.page
@@ -20,6 +20,14 @@ Safeguard the control rendering results:
</com:TSafeHtml>
</td></tr>
+<tr><td class="samplenote">
+Safeguard and UTF-7 string:
+</td><td class="sampleaction">
+<com:TSafeHtml RepackUTF7="true" >
+ <com:TLiteral Text="+ADw-script+AD4-alert(document.location)+ADw-/script+AD4-" />
+</com:TSafeHtml>
+</td></tr>
+
</table>
</com:TContent>
diff --git a/framework/3rdParty/SafeHtml/TSafeHtmlParser.php b/framework/3rdParty/SafeHtml/TSafeHtmlParser.php
index 36b28274..b80f31a6 100644
--- a/framework/3rdParty/SafeHtml/TSafeHtmlParser.php
+++ b/framework/3rdParty/SafeHtml/TSafeHtmlParser.php
@@ -24,7 +24,7 @@ Prado::using('System.3rdParty.SafeHtml.HTMLSax3');
/**
*
- * SafeHTML Parser
+ * TSafeHtmlParser
*
* This parser strips down all potentially dangerous content within HTML:
* <ul>
@@ -43,7 +43,7 @@ Prado::using('System.3rdParty.SafeHtml.HTMLSax3');
*
* <b>Example:</b>
* <pre>
- * $parser =& new SafeHTML();
+ * $parser = Prado::createComponent('System.3rdParty.SafeHtml.TSafeHtmlParser');
* $result = $parser->parse($doc);
* </pre>
*
@@ -589,7 +589,7 @@ class TSafeHtmlParser
* @return string Processed (X)HTML document
* @access public
*/
- public function parse($doc)
+ public function parse($doc, $isUTF7=false)
{
$this->clear();
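Review bot: The new `$isUTF7` parameter is not documented in the docblock directly above the changed signature, which from the visible lines ends with only `@return` and `@access`; add ` * @param boolean $isUTF7 whether to decode UTF-7 sequences to ASCII before sanitising, defaults to false` before the `@return` line so callers can tell what the flag does without reading the body. The name also differs from the `RepackUTF7` property that drives it in TSafeHtml.php, which makes the two harder to grep together; `$repackUTF7` would match. The body of parse() continues outside the hunk.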
@@ -603,7 +603,8 @@ class TSafeHtmlParser
$doc = str_replace("\xC0\xBC", '&lt;', $doc);
// UTF-7 encoding ASCII decode
- $doc = $this->repackUTF7($doc);
+ if($isUTF7)
+ $doc = $this->repackUTF7($doc);
// Instantiate the parser
$parser= new TSax3();
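Review bot: Guarding `repackUTF7()` behind a flag that defaults to false turns a previously unconditional normalisation step into an opt-in one, so every existing direct caller of `parse($doc)` now has UTF-7 sequences passed through to the tag filter undecoded. Whether a browser would actually interpret such output as UTF-7 depends on the charset the enclosing response declares, which this hunk does not control, so the compatible choice is to keep the old behaviour for callers that omit the argument (`public function parse($doc, $isUTF7=true)` in the previous hunk; TSafeHtml already passes an explicit value) or, if opt-in is intended, to say so in the parse() docblock and in the changelog. The retained comment `// UTF-7 encoding ASCII decode` no longer describes the condition either; `// Decode UTF-7 to ASCII only when the caller marks the input as UTF-7` would. parse() continues outside the hunk.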
diff --git a/framework/Web/UI/WebControls/TSafeHtml.php b/framework/Web/UI/WebControls/TSafeHtml.php
index f9bcca46..491dde0a 100644
--- a/framework/Web/UI/WebControls/TSafeHtml.php
+++ b/framework/Web/UI/WebControls/TSafeHtml.php
@@ -4,7 +4,7 @@
*
* @author Wei Zhuo <weizhuo[at]gmail[dot]com>
* @link http://www.pradosoft.com/
- * @copyright Copyright &copy; 2005-2011 PradoSoft
+ * @copyright Copyright &copy; 2005-2011 PradoSoft
* @license http://www.pradosoft.com/license/
* @version $Id$
* @package System.Web.UI.WebControls
@@ -14,7 +14,7 @@
* TSafeHtml class
*
* TSafeHtml is a control that strips down all potentially dangerous
- * HTML content. It is mainly a wrapper of {@link http://pixel-apes.com/safehtml/ SafeHTML}
+ * HTML content. It is mainly a wrapper of {@link http://pear.php.net/package/SafeHTML SafeHTML}
* project. According to the SafeHTML project, it tries to safeguard
* the following situations when the string is to be displayed to end-users,
* - Opening tag without its closing tag
@@ -30,6 +30,9 @@
* To use TSafeHtml, simply enclose the content to be secured within
* the body of TSafeHtml in a template.
*
+ * If the content is encoded in UTF-7, you'll need to enable the {@link setRepackUTF7 RepackUTF7} property
+ * to ensure the contents gets parsed correctly.
+ *
* @author Wei Zhuo <weizhuo[at]gmail[dot]com>
* @version $Id$
* @package System.Web.UI.WebControls
@@ -38,6 +41,24 @@
class TSafeHtml extends TControl
{
/**
+ * Sets whether to parse the contents as UTF-7. This property enables a routine
+ * that repacks the content as UTF-7 before parsing it. Defaults to false.
+ * @param boolean whether to parse the contents as UTF-7
+ */
+ public function setRepackUTF7($value)
+ {
+ $this->setViewState('RepackUTF7',TPropertyValue::ensureBoolean($value),false);
+ }
+
+ /**
+ * @return boolean whether to parse the contents as UTF-7. Defaults to false.
+ */
+ public function getRepackUTF7()
+ {
+ return $this->getViewState('RepackUTF7',false);
+ }
+
+ /**
* Renders body content.
* This method overrides parent implementation by removing
* malicious javascript code from the body content
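Review bot: The docblock of `setRepackUTF7` says the routine "repacks the content as UTF-7 before parsing it", whereas the corresponding step in TSafeHtmlParser.php is commented `// UTF-7 encoding ASCII decode`, i.e. the content is decoded from UTF-7 rather than encoded into it; the description should read ` * Sets whether the body content is treated as UTF-7. When enabled, UTF-7 sequences are decoded before the sanitiser runs so that encoded tags are recognised. Defaults to false.` The ` * @param boolean whether to parse the contents as UTF-7` line omits the parameter name; ` * @param boolean $value whether to treat the contents as UTF-7` is clearer for readers and tooling. The getter and setter agree on the `false` default, which matches the parser's default. The class body continues past the hunk.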
@@ -58,7 +79,7 @@ class TSafeHtml extends TControl
protected function parseSafeHtml($text)
{
$renderer = Prado::createComponent('System.3rdParty.SafeHtml.TSafeHtmlParser');
- return $renderer->parse($text);
+ return $renderer->parse($text, $this->getRepackUTF7());
}
}