* @link http://www.pradosoft.com/
* @copyright Copyright © 2005-2014 PradoSoft
* @license http://www.pradosoft.com/license/
* @package Prado\Web\UI\WebControls
*/
namespace Prado\Web\UI\WebControls;
use Prado\IO\TTextWriter;
use Prado\Prado;
use Prado\TPropertyValue;
/**
* TSafeHtml class
*
* TSafeHtml is a control that strips down all potentially dangerous
* HTML content. It is mainly a wrapper of {@link http://pear.php.net/package/SafeHTML SafeHTML}
* project. According to the SafeHTML project, it tries to safeguard
* the following situations when the string is to be displayed to end-users,
* - Opening tag without its closing tag
* - closing tag without its opening tag
* - any of these tags: base, basefont, head, html, body, applet, object,
* iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link,
* meta, style, title, blink, xml, etc.
* - any of these attributes: on*, data*, dynsrc
* - javascript:/vbscript:/about: etc. protocols
* - expression/behavior etc. in styles
* - any other active content.
*
* To use TSafeHtml, simply enclose the content to be secured within
* the body of TSafeHtml in a template.
*
* If the content is encoded in UTF-7, you'll need to enable the {@link setRepackUTF7 RepackUTF7} property
* to ensure the contents gets parsed correctly.
*
* @author Wei Zhuo
* @package Prado\Web\UI\WebControls
* @since 3.0
*/
class TSafeHtml extends \Prado\Web\UI\TControl
{
/**
* Sets whether to parse the contents as UTF-7. This property enables a routine
* that repacks the content as UTF-7 before parsing it. Defaults to false.
* @param boolean whether to parse the contents as UTF-7
*/
public function setRepackUTF7($value)
{
$this->setViewState('RepackUTF7',TPropertyValue::ensureBoolean($value),false);
}
/**
* @return boolean whether to parse the contents as UTF-7. Defaults to false.
*/
public function getRepackUTF7()
{
return $this->getViewState('RepackUTF7',false);
}
/**
* Renders body content.
* This method overrides parent implementation by removing
* malicious javascript code from the body content
* @param THtmlWriter writer
*/
public function render($writer)
{
$htmlWriter = Prado::createComponent($this->GetResponse()->getHtmlWriterType(), new TTextWriter());
parent::render($htmlWriter);
$writer->write($this->parseSafeHtml($htmlWriter->flush()));
}
/**
* Use SafeHTML to remove malicous javascript from the HTML content.
* @param string HTML content
* @return string safer HTML content
*/
protected function parseSafeHtml($text)
{
$renderer = Prado::createComponent('System.Vendor.SafeHtml.TSafeHtmlParser');
return $renderer->parse($text, $this->getRepackUTF7());
}
}