

Added replaceWithSession() to placeholder parsing. Currently only available where we allow "unsafe" replacements, like in pre-filters, where there is no chance of parsing user input and reflecting it back to the browser.
cheesegrits committed Oct 11, 2016
1 parent 01afb2c commit fbebe5c
Showing 3 changed files with 65 additions and 2 deletions.
61 changes: 61 additions & 0 deletions components/com_fabrik/helpers/parent.php
Expand Up @@ -768,6 +768,7 @@ public function parseMessageForPlaceHolder($msg, $searchData = null, $keepPlaceh
if (!$unsafe)
{
$msg = self::replaceWithUnsafe($msg);
$msg = self::replaceWithSession($msg);
}

$msg = preg_replace("/{}/", "", $msg);
Expand Down Expand Up @@ -913,6 +914,66 @@ public static function replaceWithUnsafe($msg)
return $msg;
}

/**
* Called from parseMessageForPlaceHolder to iterate through string to replace
* {placeholder} with session data
*
* @param string $msg Message to parse
*
* @return string parsed message
*/
public static function replaceWithSession($msg)
{
if (strstr($msg, '{$session->'))
{
$session = JFactory::getSession();
$sessionData = array(
'id' => $session->getId(),
'token' => $session->get('session.token'),
'formtoken' => JSession::getFormToken()
);

foreach ($sessionData as $key => $value)
{
$msg = str_replace('{$session->' . $key . '}', $value, $msg);
}

$msg = preg_replace_callback(
'/{\$session-\>(.*?)}/',
function($matches) use ($session) {
$bits = explode(':', $matches[1]);

if (count($bits) > 1)
{
$sessionKey = $bits[1];
$nameSpace = $bits[0];
}
else
{
$sessionKey = $bits[0];
$nameSpace = 'default';
}

$val = $session->get($sessionKey, '', $nameSpace);

if (is_string($val))
{
return $val;
}
else if (is_numeric($val))
{
return (string) $val;
}

return '';
},
$msg
);
}

return $msg;
}

/**
* Get an associative array of replacements for 'unsafe' value, like $jConfig_secret, which we
* only want to use for stricty internal use that won't ever get shown to the user
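Review bot: The generic `{$session->ns:key}` branch of replaceWithSession (the preg_replace_callback starting at the `'/{\$session-\>(.*?)}/'` pattern) reads any string or numeric value from any session namespace with no allowlist, so a message can pull out `session.token`, the session ID, or whatever other extensions keep in the session, well beyond the three keys enumerated in `$sessionData`. The only protection is the `$unsafe` flag tested in `if (!$unsafe)`, which every caller must set correctly; one call site that passes it wrongly reflects a live session identifier. I would limit the callback to an explicit allowlist of namespaces and keys the feature actually needs, and add to the docblock: `Output contains session credentials (id, CSRF tokens); never pass the result to a browser, a template, or a persistent log.` Separately, `explode(':', $matches[1])` silently drops any third segment, whereas `explode(':', $matches[1], 2)` keeps the remainder as the key. parseMessageForPlaceHolder begins outside the hunk.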
4 changes: 3 additions & 1 deletion components/com_fabrik/models/list.php
Expand Up @@ -5227,7 +5227,9 @@ public function &getFilterArray()
// $$ hugh - testing allowing {QS} replacements in pre-filter values
$w->replaceRequest($value);
$value = $this->prefilterParse($value);
$value = $w->parseMessageForPlaceHolder($value);

// add false for 'safe' so we include things like session data
$value = $w->parseMessageForPlaceHolder($value, null, true, false, null, false);

if (!is_a($elementModel, 'PlgFabrik_Element'))
{
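Review bot: The commit message's premise that pre-filter values never contain user input does not appear to hold at this call site: if `$w->replaceRequest($value)` does what the `{QS}` comment above it suggests, request data is substituted into `$value` before the unsafe parse on the new parseMessageForPlaceHolder line, so a request parameter containing `{$session->id}` or any `{$session->ns:key}` would be expanded with the current user's session data whenever an admin's pre-filter uses a request placeholder. The result lands in a filter value rather than straight in the browser, but a filter compared against session data can still leak it through which rows come back, so I would run the session/unsafe pass against the admin-authored template before replaceRequest, not against the request-substituted result. The `// add false for 'safe'` comment also reads backwards, since `false` is what enables the unsafe replacements; `// sixth arg false = allow 'unsafe' replacements (secret/session data) in this admin-only template` would be clearer. getFilterArray starts and ends outside the hunk.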
2 changes: 1 addition & 1 deletion plugins/fabrik_form/logs/logs.php
Expand Up @@ -304,7 +304,7 @@ protected function log($messageType)
$labtyp = array_combine($clabels, $ctypes);

$w = new FabrikWorker;
$custom_msg = $w->parseMessageForPlaceHolder($custom_msg);
$custom_msg = $w->parseMessageForPlaceHolder($custom_msg, null, true, false, null, false);
$regex = '/((?!("[^"]*))([ |\w|+|.])+(?=[^"]*"\b)|(?!\b"[^"]*)( +)+(?=([^"]*)$)|(?=\b"[^"]*)( +)+(?=[^"]*"\b))/';
$excl_cdata = preg_replace($regex, '', $custom_msg);
$cdata = preg_split('/["]{1,}/', $excl_cdata);
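Review bot: Enabling the unsafe/session replacements on the new parseMessageForPlaceHolder call means a custom log message can now write the live session ID and CSRF tokens (`{$session->id}`, `{$session->token}`, `{$session->formtoken}`) into whatever store this plugin logs to, which is a persistent record rather than the transient server-side use the commit message describes. A session identifier in a log file or table is a hijack credential for anyone who can read it, so I would either keep the session placeholders out of this path or at least document the exposure at the call site: `// Unsafe replacements enabled: session id/tokens in $custom_msg are persisted to the log; log storage must stay private`. The log method starts and ends outside the hunk.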
