diff options
Diffstat (limited to 'framework/Web/UI/WebControls/TSafeHtml.php')
| -rw-r--r-- | framework/Web/UI/WebControls/TSafeHtml.php | 170 | 
1 files changed, 85 insertions, 85 deletions
| diff --git a/framework/Web/UI/WebControls/TSafeHtml.php b/framework/Web/UI/WebControls/TSafeHtml.php index e88277d4..1cd0a597 100644 --- a/framework/Web/UI/WebControls/TSafeHtml.php +++ b/framework/Web/UI/WebControls/TSafeHtml.php @@ -1,85 +1,85 @@ -<?php
 -/**
 - * TSafeHtml class file
 - *
 - * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
 - * @link http://www.pradosoft.com/
 - * @copyright Copyright © 2005-2012 PradoSoft
 - * @license http://www.pradosoft.com/license/
 - * @version $Id$
 - * @package System.Web.UI.WebControls
 - */
 -
 -/**
 - * TSafeHtml class
 - *
 - * TSafeHtml is a control that strips down all potentially dangerous
 - * HTML content. It is mainly a wrapper of {@link http://pear.php.net/package/SafeHTML SafeHTML}
 - * project. According to the SafeHTML project, it tries to safeguard
 - * the following situations when the string is to be displayed to end-users,
 - * - Opening tag without its closing tag
 - * - closing tag without its opening tag
 - * - any of these tags: base, basefont, head, html, body, applet, object,
 - *   iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link,
 - *   meta, style, title, blink, xml, etc.
 - * - any of these attributes: on*, data*, dynsrc
 - * - javascript:/vbscript:/about: etc. protocols
 - * - expression/behavior etc. in styles
 - * - any other active content.
 - *
 - * To use TSafeHtml, simply enclose the content to be secured within
 - * the body of TSafeHtml in a template.
 - *
 - * If the content is encoded in UTF-7, you'll need to enable the  {@link setRepackUTF7 RepackUTF7} property
 - * to ensure the contents gets parsed correctly.
 - *
 - * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
 - * @version $Id$
 - * @package System.Web.UI.WebControls
 - * @since 3.0
 - */
 -class TSafeHtml extends TControl
 -{
 -	/**
 -	 * Sets whether to parse the contents as UTF-7. This property enables a routine
 -	 * that repacks the content as UTF-7 before parsing it. Defaults to false.
 -	 * @param boolean whether to parse the contents as UTF-7
 -	 */
 -	public function setRepackUTF7($value)
 -	{
 -		$this->setViewState('RepackUTF7',TPropertyValue::ensureBoolean($value),false);
 -	}
 -
 -	/**
 -	 * @return boolean whether to parse the contents as UTF-7. Defaults to false.
 -	 */
 -	public function getRepackUTF7()
 -	{
 -		return $this->getViewState('RepackUTF7',false);
 -	}
 -
 -	/**
 -	 * Renders body content.
 -	 * This method overrides parent implementation by removing
 -	 * malicious javascript code from the body content
 -	 * @param THtmlWriter writer
 -	 */
 -	public function render($writer)
 -	{
 -		$htmlWriter = Prado::createComponent($this->GetResponse()->getHtmlWriterType(), new TTextWriter());
 -		parent::render($htmlWriter);
 -		$writer->write($this->parseSafeHtml($htmlWriter->flush()));
 -	}
 -
 -	/**
 -	 * Use SafeHTML to remove malicous javascript from the HTML content.
 -	 * @param string HTML content
 -	 * @return string safer HTML content
 -	 */
 -	protected function parseSafeHtml($text)
 -	{
 -		$renderer = Prado::createComponent('System.3rdParty.SafeHtml.TSafeHtmlParser');
 -		return $renderer->parse($text, $this->getRepackUTF7());
 -	}
 -}
 -
 +<?php +/** + * TSafeHtml class file + * + * @author Wei Zhuo <weizhuo[at]gmail[dot]com> + * @link http://www.pradosoft.com/ + * @copyright Copyright © 2005-2012 PradoSoft + * @license http://www.pradosoft.com/license/ + * @version $Id$ + * @package System.Web.UI.WebControls + */ + +/** + * TSafeHtml class + * + * TSafeHtml is a control that strips down all potentially dangerous + * HTML content. It is mainly a wrapper of {@link http://pear.php.net/package/SafeHTML SafeHTML} + * project. According to the SafeHTML project, it tries to safeguard + * the following situations when the string is to be displayed to end-users, + * - Opening tag without its closing tag + * - closing tag without its opening tag + * - any of these tags: base, basefont, head, html, body, applet, object, + *   iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link, + *   meta, style, title, blink, xml, etc. + * - any of these attributes: on*, data*, dynsrc + * - javascript:/vbscript:/about: etc. protocols + * - expression/behavior etc. in styles + * - any other active content. + * + * To use TSafeHtml, simply enclose the content to be secured within + * the body of TSafeHtml in a template. + * + * If the content is encoded in UTF-7, you'll need to enable the  {@link setRepackUTF7 RepackUTF7} property + * to ensure the contents gets parsed correctly. + * + * @author Wei Zhuo <weizhuo[at]gmail[dot]com> + * @version $Id$ + * @package System.Web.UI.WebControls + * @since 3.0 + */ +class TSafeHtml extends TControl +{ +	/** +	 * Sets whether to parse the contents as UTF-7. This property enables a routine +	 * that repacks the content as UTF-7 before parsing it. Defaults to false. +	 * @param boolean whether to parse the contents as UTF-7 +	 */ +	public function setRepackUTF7($value) +	{ +		$this->setViewState('RepackUTF7',TPropertyValue::ensureBoolean($value),false); +	} + +	/** +	 * @return boolean whether to parse the contents as UTF-7. Defaults to false. +	 */ +	public function getRepackUTF7() +	{ +		return $this->getViewState('RepackUTF7',false); +	} + +	/** +	 * Renders body content. +	 * This method overrides parent implementation by removing +	 * malicious javascript code from the body content +	 * @param THtmlWriter writer +	 */ +	public function render($writer) +	{ +		$htmlWriter = Prado::createComponent($this->GetResponse()->getHtmlWriterType(), new TTextWriter()); +		parent::render($htmlWriter); +		$writer->write($this->parseSafeHtml($htmlWriter->flush())); +	} + +	/** +	 * Use SafeHTML to remove malicous javascript from the HTML content. +	 * @param string HTML content +	 * @return string safer HTML content +	 */ +	protected function parseSafeHtml($text) +	{ +		$renderer = Prado::createComponent('System.3rdParty.SafeHtml.TSafeHtmlParser'); +		return $renderer->parse($text, $this->getRepackUTF7()); +	} +} + | 
