
Fixes #42. Updated Sanitize::clean() with 'remove_html' option. Updat…

…ed Sanitize::html() to accept new options. Updated test cases.

Signed-off-by: Mark Story <mark@mark-story.com>
1 parent 5ae0164 commit 61079f63174e21e670b0a9efe6296524c45a52f5 tPl0ch committed with markstory Jan 7, 2010
Showing with 49 additions and 16 deletions.
  1. +28 −9 cake/libs/sanitize.php
  2. +21 −7 cake/tests/cases/libs/sanitize.test.php
@@ -79,22 +79,40 @@ function escape($string, $connection = 'default') {
/**
* Returns given string safe for display as HTML. Renders entities.
+ *
+ * strip_tags() is not validating HTML, so it might strip whole passages
+ * with broken HTML.
*
* @param string $string String from where to strip tags
- * @param boolean $remove If true, the string is stripped of all HTML tags
+ * @param array $options
+ *
+ * possible options:
+ *
+ * - remove (boolean) if true strips all HTML tags before encoding
+ * - charset (string) the charset used to encode the string
+ * - quotes (int) see http://php.net/manual/en/function.htmlentities.php
+ *
* @return string Sanitized string
* @access public
* @static
*/
- function html($string, $remove = false) {
- if ($remove) {
+ function html($string, $options = array()) {
+ $default = array(
+ 'remove' => false,
+ 'charset' => 'UTF-8',
+ 'quotes' => ENT_QUOTES
+ );
+
+ $options = array_merge($default, $options);
+
+ if ($options['remove']) {
$string = strip_tags($string);
- } else {
- $patterns = array('&', '%', '<', '>', '"', "'", '(', ')', '+', '-');
- $replacements = array("&amp;", "&#37;", "&lt;", "&gt;", "&quot;", "&#39;", "&#40;", "&#41;", "&#43;", "&#45;");
- $string = str_replace($patterns, $replacements, $string);
}
- return $string;
+ $encoding = Configure::read('App.encoding');
+ if (empty($encoding)) {
+ $encoding = $options['charset'];
+ }
+ return htmlentities($string, $options['quotes'], $encoding);
}
/**
@@ -198,6 +216,7 @@ function clean($data, $options = array()) {
$options = array_merge(array(
'connection' => 'default',
'odd_spaces' => true,
+ 'remove_html' => false,
'encode' => true,
'dollar' => true,
'carriage' => true,
@@ -216,7 +235,7 @@ function clean($data, $options = array()) {
$data = str_replace(chr(0xCA), '', str_replace(' ', ' ', $data));
}
if ($options['encode']) {
- $data = Sanitize::html($data);
+ $data = Sanitize::html($data, array('remove' => $options['remove_html']));
}
if ($options['dollar']) {
$data = str_replace("\\\$", "$", $data);
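Review bot: In the html() hunk, `array_merge($default, $options)` assumes $options is an array, but every caller of the previous signature passes a boolean (`Sanitize::html($string, true)`); in PHP 5 array_merge() then emits a warning and returns null, so `$options['remove']` and `$options['quotes']` read as null and htmlentities() effectively runs with quote flag 0 (ENT_NOQUOTES), leaving `"` and `'` unencoded — the opposite of what such callers asked for, and the clean() hunks below still reach this path whenever 'encode' is on. A compatibility shim before the merge keeps old callers safe: `if (!is_array($options)) { $options = array('remove' => (bool)$options); }`. The new docblock also says the charset option is "the charset used to encode the string", but the code consults Configure::read('App.encoding') first and uses the option only as a fallback; either document that precedence or honour an explicitly passed charset. Since htmlentities() re-encodes existing entities by default (`&amp;` becomes `&amp;amp;`), the docblock should state that the input is expected to be raw text rather than already-encoded HTML.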
@@ -145,7 +145,7 @@ function testEscapeAlphaNumeric() {
*/
function testClean() {
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
- $expected = 'test &amp; &quot;quote&quot; &#39;other&#39; ;.$ symbol.another line';
+ $expected = 'test &amp; &quot;quote&quot; &#039;other&#039; ;.$ symbol.another line';
$result = Sanitize::clean($string, array('connection' => 'test_suite'));
$this->assertEqual($result, $expected);
@@ -170,7 +170,7 @@ function testClean() {
$this->assertEqual($result, $expected);
$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
- $expected = array(array('test &amp; &quot;quote&quot; &#39;other&#39; ;.$ symbol.another line'));
+ $expected = array(array('test &amp; &quot;quote&quot; &#039;other&#039; ;.$ symbol.another line'));
$result = Sanitize::clean($array, array('connection' => 'test_suite'));
$this->assertEqual($result, $expected);
@@ -179,8 +179,8 @@ function testClean() {
$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test_suite'));
$this->assertEqual($result, $expected);
- $array = array(array('test odd '.chr(0xCA).' spaces'.chr(0xCA)));
- $expected = array(array('test odd '.chr(0xCA).' spaces'.chr(0xCA)));
+ $array = array(array('test odd Ä spacesé'));
+ $expected = array(array('test odd &Auml; spaces&eacute;'));
$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test_suite'));
$this->assertEqual($result, $expected);
@@ -203,12 +203,26 @@ function testClean() {
*/
function testHtml() {
$string = '<p>This is a <em>test string</em> & so is this</p>';
- $expected = 'This is a test string & so is this';
- $result = Sanitize::html($string, true);
+ $expected = 'This is a test string &amp; so is this';
+ $result = Sanitize::html($string, array('remove' => true));
$this->assertEqual($result, $expected);
$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
- $expected = 'The &quot;lazy&quot; dog &#39;jumped&#39; &amp; flew over the moon. If &#40;1&#43;1&#41; = 2 &lt;em&gt;is&lt;/em&gt; true, &#40;2&#45;1&#41; = 1 is also true';
+ $expected = 'The &quot;lazy&quot; dog &#039;jumped&#039; &amp; flew over the moon. If (1+1) = 2 &lt;em&gt;is&lt;/em&gt; true, (2-1) = 1 is also true';
+ $result = Sanitize::html($string);
+ $this->assertEqual($result, $expected);
+
+ $string = 'The "lazy" dog \'jumped\'';
+ $expected = 'The &quot;lazy&quot; dog \'jumped\'';
+ $result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
+ $this->assertEqual($result, $expected);
+
+ $string = 'The "lazy" dog \'jumped\'';
+ $result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
+ $this->assertEqual($result, $string);
+
+ $string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
+ $expected = 'The &quot;lazy&quot; dog &#039;jumped&#039; &amp; flew over the moon. If (1+1) = 2 &lt;em&gt;is&lt;/em&gt; true, (2-1) = 1 is also true';
$result = Sanitize::html($string);
$this->assertEqual($result, $expected);
}
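Review bot: testHtml() exercises 'remove' and 'quotes' but never the new 'charset' option nor input that already contains entities, so the double-encoding behaviour of htmlentities() is left unpinned; if that is the intended contract, add a case such as `$this->assertEqual(Sanitize::html('a &amp; b'), 'a &amp;amp; b');`. The testClean() change at the 'odd_spaces' hunk embeds raw Ä and é literals and expects `&Auml;`/`&eacute;`, which only holds when the test file's byte encoding matches the encoding htmlentities() is given (App.encoding, else the 'UTF-8' default); on a mismatch htmlentities() may return an empty string rather than fail loudly, so consider spelling those bytes out as `"\xC3\x84"`-style escapes or setting `Configure::write('App.encoding', 'UTF-8');` at the start of the test so the expectation is independent of editor settings. The enclosing testClean() body starts outside the hunk.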
