ENHANCEMENT #5055 Convert unpredictability and replacing inconsistent conversion. Use htmlspecialchars() and html_entity_decode() wherever possible which are faster than str_replace()
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@115140 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
parent
ac2d6fa6d8
commit
c7a98407b1
@ -29,14 +29,19 @@ class Convert {
|
|||||||
* @return array|string
|
* @return array|string
|
||||||
*/
|
*/
|
||||||
static function raw2att($val) {
|
static function raw2att($val) {
|
||||||
if(is_array($val)) {
|
return self::raw2xml($val);
|
||||||
foreach($val as $k => $v) $val[$k] = self::raw2att($v);
|
|
||||||
return $val;
|
|
||||||
} else {
|
|
||||||
return str_replace(array('&','"',"'",'<','>'), array('&','"',''','<','>'), $val);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convert a value to be suitable for an HTML attribute.
|
||||||
|
*
|
||||||
|
* @param string|array $val String to escape, or array of strings
|
||||||
|
* @return array|string
|
||||||
|
*/
|
||||||
|
static function raw2htmlatt($val) {
|
||||||
|
return self::raw2att($val);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Convert a value to be suitable for an HTML attribute.
|
* Convert a value to be suitable for an HTML attribute.
|
||||||
*
|
*
|
||||||
@ -48,14 +53,12 @@ class Convert {
|
|||||||
* @param array|string $val String to escape, or array of strings
|
* @param array|string $val String to escape, or array of strings
|
||||||
* @return array|string
|
* @return array|string
|
||||||
*/
|
*/
|
||||||
static function raw2htmlatt($val) {
|
static function raw2htmlname($val) {
|
||||||
if(is_array($val)) {
|
if(is_array($val)) {
|
||||||
foreach($val as $k => $v) $val[$k] = self::raw2htmlatt($v);
|
foreach($val as $k => $v) $val[$k] = self::raw2htmlname($v);
|
||||||
return $val;
|
return $val;
|
||||||
} else {
|
} else {
|
||||||
$val = self::raw2att($val);
|
return preg_replace('/[^a-zA-Z0-9\-_:.]+/','', $val);
|
||||||
$val = preg_replace('/[^a-zA-Z0-9\-_]*/', '', $val);
|
|
||||||
return $val;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -71,7 +74,7 @@ class Convert {
|
|||||||
foreach($val as $k => $v) $val[$k] = self::raw2xml($v);
|
foreach($val as $k => $v) $val[$k] = self::raw2xml($v);
|
||||||
return $val;
|
return $val;
|
||||||
} else {
|
} else {
|
||||||
return str_replace(array('&','<','>',"\n",'"',"'"), array('&','<','>','<br />','"','''), $val);
|
return htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -132,10 +135,7 @@ class Convert {
|
|||||||
} else {
|
} else {
|
||||||
// More complex text needs to use html2raw instead
|
// More complex text needs to use html2raw instead
|
||||||
if(strpos($val,'<') !== false) return self::html2raw($val);
|
if(strpos($val,'<') !== false) return self::html2raw($val);
|
||||||
|
else return html_entity_decode($val, ENT_QUOTES, 'UTF-8');
|
||||||
$converted = str_replace(array('&','<','>','"',''', '''), array('&','<','>','"',"'", "'"), $val);
|
|
||||||
$converted = ereg_replace('&#[0-9]+;', '', $converted);
|
|
||||||
return $converted;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
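Review bot: The new raw2xml body `return htmlspecialchars($val, ENT_QUOTES, 'UTF-8');` returns an empty string for any input that is not valid UTF-8, so one malformed byte silently discards the whole value — and because raw2att now delegates to raw2xml, attribute escaping inherits this where the old byte-wise str_replace() never dropped data. Either make the precondition explicit above the call, `// NOTE: htmlspecialchars() returns '' on invalid UTF-8; callers must pass valid UTF-8`, or pass ENT_SUBSTITUTE alongside ENT_QUOTES if the supported PHP version provides it. Separately, the xml2raw hunk replaces the line that stripped numeric `&#NNN;` entities with html_entity_decode(), which now decodes them; that is presumably intended, but none of the test hunks add a case covering it.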
@ -22,10 +22,10 @@ class ConvertTest extends SapphireTest {
|
|||||||
*/
|
*/
|
||||||
function testRaw2HtmlAtt() {
|
function testRaw2HtmlAtt() {
|
||||||
$val1 = '<input type="text">';
|
$val1 = '<input type="text">';
|
||||||
$this->assertEquals('ltinputtypequottextquotgt', Convert::raw2htmlatt($val1), 'Special characters are escaped');
|
$this->assertEquals('<input type="text">', Convert::raw2htmlatt($val1), 'Special characters are escaped');
|
||||||
|
|
||||||
$val2 = 'This is some normal text.';
|
$val2 = 'This is some normal text.';
|
||||||
$this->assertEquals('Thisissomenormaltext', Convert::raw2htmlatt($val2), 'Normal text is not escaped');
|
$this->assertEquals('This is some normal text.', Convert::raw2htmlatt($val2), 'Normal text is not escaped');
|
||||||
}
|
}
|
||||||
|
|
||||||
function testHtml2raw() {
|
function testHtml2raw() {
|
||||||
@ -37,8 +37,6 @@ class ConvertTest extends SapphireTest {
|
|||||||
|
|
||||||
$val2 = 'This has a <strong class="test" style="font-weight: bold">strong tag with attributes</STRONG>.';
|
$val2 = 'This has a <strong class="test" style="font-weight: bold">strong tag with attributes</STRONG>.';
|
||||||
$this->assertEquals('This has a *strong tag with attributes*.', Convert::xml2raw($val2), 'Strong tags with attributes are replaced with asterisks');
|
$this->assertEquals('This has a *strong tag with attributes*.', Convert::xml2raw($val2), 'Strong tags with attributes are replaced with asterisks');
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -50,6 +48,14 @@ class ConvertTest extends SapphireTest {
|
|||||||
|
|
||||||
$val2 = 'This is some normal text.';
|
$val2 = 'This is some normal text.';
|
||||||
$this->assertEquals('This is some normal text.', Convert::raw2xml($val2), 'Normal text is not escaped');
|
$this->assertEquals('This is some normal text.', Convert::raw2xml($val2), 'Normal text is not escaped');
|
||||||
|
|
||||||
|
$val3 = "This is test\nNow on a new line.";
|
||||||
|
$this->assertEquals("This is test\nNow on a new line.", Convert::raw2xml($val3), 'Newlines are retained. They should not be replaced with <br /> as it is not XML valid');
|
||||||
|
}
|
||||||
|
|
||||||
|
function testRaw2HtmlName() {
|
||||||
|
$val1 = 'test test 123';
|
||||||
|
$this->assertEquals('testtest123', Convert::raw2htmlname($val1));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
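Review bot: testRaw2HtmlName only checks that spaces are removed from `'test test 123'`, which does not exercise the property raw2htmlname now depends on — the regex in the Convert hunk strips markup characters without escaping them first, and newly admits `:` and `.`. Two extra assertions would pin that down: `$this->assertEquals('ab', Convert::raw2htmlname('a<b>'));` and `$this->assertEquals('a:b.c', Convert::raw2htmlname('a:b.c'));`.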
@ -54,7 +54,7 @@ class TextTest extends SapphireTest {
|
|||||||
function testLimitWordCountXML() {
|
function testLimitWordCountXML() {
|
||||||
$cases = array(
|
$cases = array(
|
||||||
'<p>Stuff & stuff</p>' => 'Stuff &...',
|
'<p>Stuff & stuff</p>' => 'Stuff &...',
|
||||||
"Stuff\nBlah Blah Blah" => "Stuff<br />Blah Blah...",
|
"Stuff\nBlah Blah Blah" => "Stuff\nBlah Blah...",
|
||||||
"Stuff<Blah Blah" => "Stuff<Blah Blah",
|
"Stuff<Blah Blah" => "Stuff<Blah Blah",
|
||||||
"Stuff>Blah Blah" => "Stuff>Blah Blah"
|
"Stuff>Blah Blah" => "Stuff>Blah Blah"
|
||||||
);
|
);
|
||||||
|