Skip to content
This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

Commit

Permalink
Merge branch 'security/escaper-usage'
Browse files Browse the repository at this point in the history 
Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
  • Loading branch information
@weierophinney
weierophinney committed Sep 20, 2012
53 parents 8af24aa + 1a9df55 + 2c85c99 + 5557fac + fe78a35 + f6430c3 + 6041a1e + 86b9031 + 674bd75 + 67a1bfb + 4d4dd8b + c655082 + dbb18b2 + 97a9134 + 80367df + 98d5255 + 7946c9f + ea67c13 + 44df0b2 + 38e090d + 7af74e7 + 8b311b1 + e2c2b94 + 51601cb + dcc1eaf + 6f4b805 + a30a64f + ee7347d + 8b04bfe + b487f00 + ecdfdf6 + d8cde75 + b7a33bb + 65ecb58 + 571d938 + 625a786 + 6fe4efc + f94838d + 76607e3 + 492076c + 17b56b8 + c5509fe + e0fa433 + 7d74e99 + 309136e + f1dd38a + 7be533f + 6a618c2 + 3a454e3 + f66ca80 + f1bebf2 + 848ea69 + cfb05aa commit 850249d
Showing 1 changed file with 38 additions and 4 deletions.
42 changes: 38 additions & 4 deletions src/Formatter/Xml.php
View file
Expand Up @@ -14,6 +14,7 @@
use DOMDocument;
use DOMElement;
use Traversable;
use Zend\Escaper\Escaper;
use Zend\Stdlib\ArrayUtils;

/**
Expand All @@ -38,6 +39,11 @@ class Xml implements FormatterInterface
*/
protected $encoding;

/**
* @var Escaper instance
*/
protected $escaper;

/**
* Format specifier for DateTime objects in event data (default: ISO 8601)
*
Expand Down Expand Up @@ -121,6 +127,33 @@ public function setEncoding($value)
return $this;
}

/**
* Set Escaper instance
*
* @param Escaper $escaper
* @return Xml
*/
public function setEscaper(Escaper $escaper)
{
$this->escaper = $escaper;
return $this;
}

/**
* Get Escaper instance
*
* Lazy-loads an instance with the current encoding if none registered.
*
* @return Escaper
*/
public function getEscaper()
{
if (null === $this->escaper) {
$this->setEscaper(new Escaper($this->getEncoding()));
}
return $this->escaper;
}

/**
* Formats data into a single line to be written by the writer.
*
Expand All @@ -142,17 +175,18 @@ public function format($event)
}
}

$enc = $this->getEncoding();
$dom = new DOMDocument('1.0', $enc);
$elt = $dom->appendChild(new DOMElement($this->rootElement));
$enc = $this->getEncoding();
$escaper = $this->getEscaper();
$dom = new DOMDocument('1.0', $enc);
$elt = $dom->appendChild(new DOMElement($this->rootElement));

foreach ($dataToInsert as $key => $value) {
if (empty($value)
|| is_scalar($value)
|| (is_object($value) && method_exists($value,'__toString'))
) {
if ($key == "message") {
$value = htmlspecialchars($value, ENT_COMPAT, $enc);
$value = $escaper->escapeHtml($value);
} elseif ($key == "extra" && empty($value)) {
continue;
}
Expand Down

0 comments on commit 850249d

Please sign in to comment.