Diffstat (limited to 'framework')
-rw-r--r-- | framework/3rdParty/readme.html | 11 | ||||
-rw-r--r-- | framework/Web/UI/WebControls/TTextBox.php | 29 |
2 files changed, 33 insertions, 7 deletions
diff --git a/framework/3rdParty/readme.html b/framework/3rdParty/readme.html
index e48eba45..b84425f2 100644
--- a/framework/3rdParty/readme.html
+++ b/framework/3rdParty/readme.html
@@ -19,8 +19,8 @@ projects. </tr>
<tr>
- <td>geshi</td>
- <td><a href="http://qbnz.com/highlighter/">GeSHi</a> - Generic Syntax Highlighter</a> (v1.0.7.5)</td>
+ <td><a href="geshi">geshi</a></td>
+ <td><a href="http://qbnz.com/highlighter/">GeSHi - Generic Syntax Highlighter</a> (v1.0.7.5)</td>
<td><a href="http://qbnz.com/highlighter/license.php">GNU</a></td>
<td>System.Web.UI.WebControls.TTextHighlighter</td>
<td>Many syntax files are stripped off to reduce the size of PRADO release.
@@ -28,6 +28,13 @@ projects. recognize PHP5-specific keywords. Modified geshi.php so that it conforms to
strict PHP5 syntax.</td>
</tr>
+<tr>
+ <td><a href="SafeHtml">SafeHtml</a></td>
+ <td><a href="http://pixel-apes.com/safehtml/">SafeHTML</a> (v1.3.7)</td>
+ <td><a href="SafeHtml/license.txt">BSD License (3 Clause)</a></td>
+ <td>System.Web.UI.WebControls.TSafeHtml</td>
+ <td>TSafeHtml removes malicious javascript code from its rendered output.</td>
+</tr>
</table>
</p>
</body>
diff --git a/framework/Web/UI/WebControls/TTextBox.php b/framework/Web/UI/WebControls/TTextBox.php
index e37b98b8..dae0ccf8 100644
--- a/framework/Web/UI/WebControls/TTextBox.php
+++ b/framework/Web/UI/WebControls/TTextBox.php
@@ -10,6 +10,8 @@ * @package System.Web.UI.WebControls
*/
+Prado::using('System.3rdParty.SafeHtml.TSafeHtmlParser');
+
/**
* TTextBox class
*
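Review bot: The file-scope `Prado::using('System.3rdParty.SafeHtml.TSafeHtmlParser');` loads the third-party parser on every request that includes TTextBox, although the only consumer is the `new TSafeHtmlParser()` inside getText() further down in this commit, and the rendering and postback paths now go through getRawText() and never touch it. If the codebase's convention allows a `Prado::using(...)` call inside a method, moving it next to the `new TSafeHtmlParser()` line would defer the load to the callers that actually need the filter. If the convention is file-scope only, a one-line comment such as `// Needed by getText(); rendering uses getRawText() and does not require it` would at least record why the dependency is there.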
@@ -55,6 +57,8 @@ class TTextBox extends TWebControl implements IPostBackDataHandler, IValidatable */
private static $_autoCompleteTypes=array('BusinessCity','BusinessCountryRegion','BusinessFax','BusinessPhone','BusinessState','BusinessStreetAddress','BusinessUrl','BusinessZipCode','Cellular','Company','Department','Disabled','DisplayName','Email','FirstName','Gender','HomeCity','HomeCountryRegion','HomeFax','Homepage','HomePhone','HomeState','HomeStreetAddress','HomeZipCode','JobTitle','LastName','MiddleName','None','Notes','Office','Pager','Search');
+ protected $_safeContent;
+
/**
* @return string tag name of the textbox
*/
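Review bot: The new `protected $_safeContent;` has no docblock, while the neighbouring `$_autoCompleteTypes` property does, and nothing at the declaration says what it holds or who resets it. I would add `/** @var string|null filtered text cached by getText(); null until first use and reset by setText() */` above it. Unlike the 'Text' entry that getRawText() reads from viewstate, this is a plain instance property, so as far as this diff shows it is rebuilt from the raw text on every request rather than persisted.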
@@ -90,7 +94,7 @@ class TTextBox extends TWebControl implements IPostBackDataHandler, IValidatable if($textMode==='SingleLine')
{
$writer->addAttribute('type','text');
- if(($text=$this->getText())!=='')
+ if(($text=$this->getRawText())!=='')
$writer->addAttribute('value',$text);
if(($act=$this->getAutoCompleteType())!=='None')
{
@@ -169,7 +173,7 @@ class TTextBox extends TWebControl implements IPostBackDataHandler, IValidatable public function loadPostData($key,$values)
{
$value=$values[$key];
- if(!$this->getReadOnly() && $this->getText()!==$value)
+ if(!$this->getReadOnly() && $this->getRawText()!==$value)
{
$this->setText($value);
return true;
@@ -226,7 +230,7 @@ class TTextBox extends TWebControl implements IPostBackDataHandler, IValidatable protected function renderContents($writer)
{
if($this->getTextMode()==='MultiLine')
- $writer->write(THttpUtility::htmlEncode($this->getText()));
+ $writer->write(THttpUtility::htmlEncode($this->getRawText()));
}
/**
@@ -358,20 +362,35 @@ class TTextBox extends TWebControl implements IPostBackDataHandler, IValidatable }
/**
- * @return string the text content of the TTextBox control.
+ * @return string the unmodified text content of the TTextBox control.
*/
- public function getText()
+ public function getRawText()
{
return $this->getViewState('Text','');
}
/**
+ * @return string safe text content.
+ */
+ public function getText()
+ {
+ $text = $this->getRawText();
+ if(is_null($this->_safeContent))
+ {
+ $renderer = new TSafeHtmlParser();
+ $this->_safeContent = $renderer->parse($text);
+ }
+ return $this->_safeContent;
+ }
+
+ /**
* Sets the text content of the TTextBox control.
* @param string the text content
*/
public function setText($value)
{
$this->setViewState('Text',$value,'');
+ $this->_safeContent = null;
}
/**
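Review bot: The docblock above the new getText() says only "safe text content", which leaves the contract ambiguous for every existing caller: the value is TSafeHtmlParser::parse() applied to the raw text, so it is filtered markup rather than HTML-encoded plain text, and it can differ from getRawText() for any input the parser rewrites. I would make that explicit, e.g. `@return string the text content after TSafeHtmlParser::parse() has filtered it; still HTML markup, not HTML-encoded. Use getRawText() for the value as submitted.` Whether callers that consumed getText() before this change (validators, for instance) are meant to see the filtered value cannot be told from this hunk and is worth stating in the class docblock. The `_safeContent` cache is cleared only in setText(), so any subclass or state-restore path that writes the 'Text' viewstate key directly would keep serving a stale filtered value; storing the raw string the cache was built from and recomputing when getRawText() no longer matches it would close that gap, or else the docblock should name setText() as the only supported writer. Minor: `$text = $this->getRawText();` runs even when the cache is warm and can move inside the `if`.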