
Rename and document the XSS prevention helpers
bergie (author)
Thu Apr 10 07:18:17 -0700 2008
commit  31497208d4a962b792c1acac6933ab3fe747ecf1
tree    b670a9a6e864230aa87badf6907246400c214827
parent  a46b14706efa0991a0a3835a9ec250a752fc13f8
...
83
84
85
86
 
87
88
89
...
99
100
101
102
 
103
104
105
...
83
84
85
 
86
87
88
89
...
99
100
101
 
102
103
104
105
0
@@ -83,7 +83,7 @@ class midcom_helper_datamanager_widget_select extends midcom_helper_datamanager_
0
         $options = $this->type->list_all();
0
         foreach ($options as $value => $label)
0
         {
0
- $output .= " <option value=" . midcom_helper_xsspreventer_helper::value($value) . '>' . midcom_helper_xsspreventer_helper::option($label) . "</option>\n";
0
+ $output .= " <option value=" . midcom_helper_xsspreventer_helper::escape_attribute($value) . '>' . midcom_helper_xsspreventer_helper::escape_element('option', $label) . "</option>\n";
0
         }
0
 
0
         $output .= " </select>\n";
0
@@ -99,7 +99,7 @@ class midcom_helper_datamanager_widget_select extends midcom_helper_datamanager_
0
             {
0
                 $output .= ' disabled="disabled"';
0
             }
0
- $output .= ' value=' . midcom_helper_xsspreventer_helper::value($othervalue) . " />\n";
0
+ $output .= ' value=' . midcom_helper_xsspreventer_helper::escape_attribute($othervalue) . " />\n";
0
             $output .= "</label>\n";
0
         }
0
 
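Review bot: `midcom_helper_xsspreventer_helper::escape_element('option', $label)` in the first hunk only neutralizes a closing `</option` sequence, so any other markup contained in `$label` reaches the rendered page unescaped; if labels can come from user-editable data, `htmlspecialchars($label, ENT_QUOTES, 'UTF-8')` is the safer choice for option content. Likewise `escape_attribute($value)` rewrites only `"`, leaving `&` and `<` inside the attribute value, which at minimum yields invalid XHTML; the same limitation applies to the `value=` lines in the second hunk here and in the widget_text and widget_textarea sections. A comment at the first call site naming the helper's contract, e.g. `// escape_attribute only quotes the value and encodes '"'; it is not a full entity encoder`, would keep later callers from over-relying on it. The enclosing render method starts and ends outside both hunks.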
...
94
95
96
97
 
98
99
100
...
104
105
106
107
 
108
109
110
...
94
95
96
 
97
98
99
100
...
104
105
106
 
107
108
109
110
0
@@ -94,7 +94,7 @@ class midcom_helper_datamanager_widget_text extends midcom_helper_datamanager_wi
0
      */
0
     public function render_html()
0
     {
0
- $output = "<label for=\"{$this->namespace}_{$this->main_input_name}\"><span>{$this->field['title']}</span>\n";
0
+ $output = "<label class=\"text\" for=\"{$this->namespace}_{$this->main_input_name}\"><span>{$this->field['title']}</span>\n";
0
         $output .= " <input id=\"{$this->namespace}_{$this->main_input_name}\" name=\"{$this->namespace}_{$this->main_input_name}\" size=\"{$this->size}\"";
0
         if ($this->maxlenght > 0)
0
         {
0
@@ -104,7 +104,7 @@ class midcom_helper_datamanager_widget_text extends midcom_helper_datamanager_wi
0
         {
0
             $output .= ' disabled="disabled"';
0
         }
0
- $output .= ' value=' . midcom_helper_xsspreventer_helper::value($this->type->value) . " />\n";
0
+ $output .= ' value=' . midcom_helper_xsspreventer_helper::escape_attribute($this->type->value) . " />\n";
0
         $output .= "</label>\n";
0
         return $output;
0
     }
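Review bot: The new `<label class="text" ...>` line in the first hunk still interpolates `{$this->field['title']}` and the `namespace`/`main_input_name` attribute values raw, while the same method now routes `$this->type->value` through `escape_attribute` in the second hunk. The title presumably comes from the schema definition rather than request input, so the risk is likely low, but for consistency the span could be built as `"<span>" . htmlspecialchars($this->field['title'], ENT_QUOTES, 'UTF-8') . "</span>\n"` instead of direct interpolation. The `$this->maxlenght` condition visible in the first hunk is a pre-existing misspelling, not introduced by this change. `render_html()` opens inside the first hunk but its body continues past it.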
...
132
133
134
135
 
136
137
138
...
132
133
134
 
135
136
137
138
0
@@ -132,7 +132,7 @@ class midcom_helper_datamanager_widget_textarea extends midcom_helper_datamanage
0
         {
0
             $output .= ' disabled="disabled"';
0
         }
0
- $output .= '>' . midcom_helper_xsspreventer_helper::textarea($this->type->value) . "</textarea>\n";
0
+ $output .= '>' . midcom_helper_xsspreventer_helper::escape_element('textarea', $this->type->value) . "</textarea>\n";
0
         $output .= "</label>\n";
0
         return $output;
0
     }
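Review bot: `escape_element('textarea', $this->type->value)` encodes only a matching `</textarea` sequence, so an `&` in the stored value is emitted as-is and the browser decodes entity-like text such as `&amp;` before the form is submitted back, silently altering the value on round-trip. Since textarea content is plain character data, `htmlspecialchars($this->type->value, ENT_QUOTES, 'UTF-8')` covers both the closing-tag case and the entity case in one call. If the helper is kept, its docblock should state that it guards only the named closing tag and does not encode `&`, `<` or `"`. The enclosing render method starts outside the hunk.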
...
1
 
 
 
 
 
 
2
 
 
 
 
 
3
4
5
 
 
 
 
 
 
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
 
 
 
 
 
 
22
23
24
25
26
 
 
 
27
28
29
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
 
16
17
18
19
20
21
22
23
24
25
26
 
 
 
 
 
 
 
 
 
 
 
27
28
29
30
31
32
33
34
35
36
 
 
37
38
39
40
41
42
0
@@ -1,29 +1,42 @@
0
 <?php
0
+/**
0
+ * @package midcom_helper_xsspreventer
0
+ * @author The Midgard Project, http://www.midgard-project.org
0
+ * @copyright The Midgard Project, http://www.midgard-project.org
0
+ * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
0
+ */
0
 
0
+/**
0
+ * Static helper functions for the Cross-Site Scripting (XSS) preventer.
0
+ *
0
+ * @package midcom_helper_xsspreventer
0
+ */
0
 class midcom_helper_xsspreventer_helper
0
 {
0
- static public function value($input)
0
+ /**
0
+ * Escape value of an XML attribute
0
+ *
0
+ * @param string $input Attribute value to escape
0
+ */
0
+ static public function escape_attribute($input)
0
     {
0
         $output = str_replace('"', '&quot;', $input);
0
         return '"' . $output . '"';
0
     }
0
 
0
- static public function textarea($input)
0
- {
0
- return midcom_helper_xsspreventer_helper::escape_tag_close('textarea', $input);
0
- }
0
-
0
- static public function option($input)
0
- {
0
- return midcom_helper_xsspreventer_helper::escape_tag_close('option', $input);
0
- }
0
-
0
- static public function escape_tag_close($tagname, $input)
0
+ /**
0
+ * Escape contents of an XML element
0
+ *
0
+ * @param string $element XML element to close
0
+ * @param string $input Element content to escape
0
+ */
0
+ static public function escape_element($element, $input)
0
     {
0
         return preg_replace_callback
0
         (
0
- "%(<\s*)+(/\s*)+{$tagname}%i",
0
- create_function(
0
+ "%(<\s*)+(/\s*)+{$element}%i",
0
+ create_function
0
+ (
0
               '$matches',
0
               'return htmlentities($matches[0]);'
0
             ),
