
Merge branch 'security/escaper-usage'
Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
weierophinney committed Sep 20, 2012
2 parents 301db6d + 07d847b commit 27131ca
Showing 22 changed files with 579 additions and 275 deletions.
33 changes: 32 additions & 1 deletion library/Zend/Debug/Debug.php
Expand Up @@ -10,6 +10,8 @@

namespace Zend\Debug;

use Zend\Escaper\Escaper;

/**
* Concrete class for generating debug dumps related to the output source.
*
Expand All @@ -18,6 +20,10 @@
*/
class Debug
{
/**
* @var Escaper
*/
protected static $escaper = null;

/**
* @var string
Expand Down Expand Up @@ -50,6 +56,31 @@ public static function setSapi($sapi)
self::$sapi = $sapi;
}

/**
* Set Escaper instance
*
* @param Escaper $escaper
*/
public static function setEscaper(Escaper $escaper)
{
static::$escaper = $escaper;
}

/**
* Get Escaper instance
*
* Lazy loads an instance if none provided.
*
* @return Escaper
*/
public static function getEscaper()
{
if (null === static::$escaper) {
static::setEscaper(new Escaper());
}
return static::$escaper;
}

/**
* Debug helper function. This is a wrapper for var_dump() that adds
* the <pre /> tags, cleans up newlines and indents, and runs
Expand Down Expand Up @@ -78,7 +109,7 @@ public static function dump($var, $label=null, $echo=true)
. PHP_EOL;
} else {
if (!extension_loaded('xdebug')) {
$output = htmlspecialchars($output, ENT_QUOTES);
$output = static::getEscaper()->escapeHtml($output);
}

$output = '<pre>'
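Review bot: `setEscaper()` on L47 cannot clear the shared static instance once one has been injected, unlike `PubSubHubbub::setEscaper(Escaper $escaper = null)` in this same commit, so a test or caller that installs a custom escaper leaves it active for every later `dump()` call in the process. Consider the same nullable signature here, `public static function setEscaper(Escaper $escaper = null)`, so callers can restore the lazily created default from `getEscaper()`. The new methods also use `static::$escaper` while the surrounding code uses `self::$sapi`; pick one for consistency. `dump()`, whose body contains the `escapeHtml()` call on L75, starts and ends outside the hunk.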
8 changes: 6 additions & 2 deletions library/Zend/Debug/composer.json
Expand Up @@ -13,6 +13,10 @@
},
"target-dir": "Zend/Debug",
"require": {
"php": ">=5.3.3"
"php": ">=5.3.3",
"zendframework/zend-escaper": "self.version"
},
"suggest": {
"ext/xdebug": "XDebug, for better backtrace output"
}
}
}
48 changes: 41 additions & 7 deletions library/Zend/Feed/PubSubHubbub/PubSubHubbub.php
Expand Up @@ -10,6 +10,7 @@

namespace Zend\Feed\PubSubHubbub;

use Zend\Escaper\Escaper;
use Zend\Feed\Reader;
use Zend\Http;

Expand All @@ -32,10 +33,15 @@ class PubSubHubbub
const SUBSCRIPTION_NOTVERIFIED = 'not_verified';
const SUBSCRIPTION_TODELETE = 'to_delete';

/**
* @var Escaper
*/
protected static $escaper;

/**
* Singleton instance if required of the HTTP client
*
* @var \Zend\Http\Client
* @var Http\Client
*/
protected static $httpClient = null;

Expand Down Expand Up @@ -67,7 +73,7 @@ public static function detectHubs($source)
* Allows the external environment to make Zend_Oauth use a specific
* Client instance.
*
* @param \Zend\Http\Client $httpClient
* @param Http\Client $httpClient
* @return void
*/
public static function setHttpClient(Http\Client $httpClient)
Expand All @@ -80,15 +86,15 @@ public static function setHttpClient(Http\Client $httpClient)
* the instance is reset and cleared of previous parameters GET/POST.
* Headers are NOT reset but handled by this component if applicable.
*
* @return \Zend\Http\Client
* @return Http\Client
*/
public static function getHttpClient()
{
if (!isset(self::$httpClient)):
if (!isset(self::$httpClient)) {
self::$httpClient = new Http\Client;
else:
} else {
self::$httpClient->resetParameters();
endif;
}
return self::$httpClient;
}

Expand All @@ -103,6 +109,33 @@ public static function clearHttpClient()
self::$httpClient = null;
}

/**
* Set the Escaper instance
*
* If null, resets the instance
*
* @param null|Escaper $escaper
*/
public static function setEscaper(Escaper $escaper = null)
{
static::$escaper = $escaper;
}

/**
* Get the Escaper instance
*
* If none registered, lazy-loads an instance.
*
* @return Escaper
*/
public static function getEscaper()
{
if (null === static::$escaper) {
static::setEscaper(new Escaper());
}
return static::$escaper;
}

/**
* RFC 3986 safe url encoding method
*
Expand All @@ -111,7 +144,8 @@ public static function clearHttpClient()
*/
public static function urlencode($string)
{
$rawencoded = rawurlencode($string);
$escaper = static::getEscaper();
$rawencoded = $escaper->escapeUrl($string);
$rfcencoded = str_replace('%7E', '~', $rawencoded);
return $rfcencoded;
}
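Review bot: The `%7E` to `~` replacement on L190 is most likely dead once `urlencode()` goes through `Escaper::escapeUrl()` on L189: if `escapeUrl()` delegates to `rawurlencode()` (the Zend\Escaper implementation is not in this diff), tilde has not been percent-encoded since PHP 5.3.0, and the component already requires php >=5.3.3. Either drop the replacement or say why it stays, e.g. `// rawurlencode() has left '~' unencoded since PHP 5.3; kept as a defensive no-op`. Separately, the new `setEscaper()`/`getEscaper()` write `static::$escaper` while the rest of the class uses `self::$httpClient`; on a non-final class `static::` resolves against a subclass's own redeclared property, which may or may not be intended. `urlencode()` is complete within the hunk.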
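--- a/library/Zend/Feed/composer.json
+++ b/library/Zend/Feed/composer.json
@@ -14,6 +14,7 @@
 "target-dir": "Zend/Feed",
 "require": {
 "php": ">=5.3.3",
+"zendframework/zend-escaper": "self.version",
 "zendframework/zend-stdlib": "self.version"
 },
 "suggest": {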
42 changes: 38 additions & 4 deletions library/Zend/Log/Formatter/Xml.php
Expand Up @@ -14,6 +14,7 @@
use DOMDocument;
use DOMElement;
use Traversable;
use Zend\Escaper\Escaper;
use Zend\Stdlib\ArrayUtils;

/**
Expand All @@ -38,6 +39,11 @@ class Xml implements FormatterInterface
*/
protected $encoding;

/**
* @var Escaper instance
*/
protected $escaper;

/**
* Format specifier for DateTime objects in event data (default: ISO 8601)
*
Expand Down Expand Up @@ -121,6 +127,33 @@ public function setEncoding($value)
return $this;
}

/**
* Set Escaper instance
*
* @param Escaper $escaper
* @return Xml
*/
public function setEscaper(Escaper $escaper)
{
$this->escaper = $escaper;
return $this;
}

/**
* Get Escaper instance
*
* Lazy-loads an instance with the current encoding if none registered.
*
* @return Escaper
*/
public function getEscaper()
{
if (null === $this->escaper) {
$this->setEscaper(new Escaper($this->getEncoding()));
}
return $this->escaper;
}

/**
* Formats data into a single line to be written by the writer.
*
Expand All @@ -142,17 +175,18 @@ public function format($event)
}
}

$enc = $this->getEncoding();
$dom = new DOMDocument('1.0', $enc);
$elt = $dom->appendChild(new DOMElement($this->rootElement));
$enc = $this->getEncoding();
$escaper = $this->getEscaper();
$dom = new DOMDocument('1.0', $enc);
$elt = $dom->appendChild(new DOMElement($this->rootElement));

foreach ($dataToInsert as $key => $value) {
if (empty($value)
|| is_scalar($value)
|| (is_object($value) && method_exists($value,'__toString'))
) {
if ($key == "message") {
$value = htmlspecialchars($value, ENT_COMPAT, $enc);
$value = $escaper->escapeHtml($value);
} elseif ($key == "extra" && empty($value)) {
continue;
}
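Review bot: `getEscaper()` on L248-L254 captures `$this->getEncoding()` only when the escaper is first created, so a `setEncoding()` call made after the first `format()` leaves the escaper working for the previous encoding while the `DOMDocument` on L268 is created with the new one. Resetting the cached instance in `setEncoding()`, e.g. `$this->escaper = null;` before the `return $this;` on L226, keeps the two in step (the body of `setEncoding()` begins outside the hunk). Separately, this file now instantiates `Escaper` unconditionally on L251, but the Log component's composer.json in this commit lists zendframework/zend-escaper only under `suggest`, not `require`, so a standalone zend-log install would hit a missing class here; it should move to `require` as was done for Zend\Debug and Zend\Feed. `format()` starts and ends outside the hunk.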
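--- a/library/Zend/Log/composer.json
+++ b/library/Zend/Log/composer.json
@@ -20,6 +20,7 @@
 "suggest": {
 "ext-mongo": "*",
 "zendframework/zend-db": "Zend\\Db component",
+"zendframework/zend-escaper": "Zend\\Escaper component, for use in the XML formatter",
 "zendframework/zend-mail": "Zend\\Mail component",
 "zendframework/zend-validator": "Zend\\Validator component"
 }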
52 changes: 1 addition & 51 deletions library/Zend/Tag/Cloud/Decorator/AbstractCloud.php
Expand Up @@ -10,62 +10,12 @@

namespace Zend\Tag\Cloud\Decorator;

use Traversable;
use Zend\Stdlib\ArrayUtils;
use Zend\Tag\Cloud\Decorator\DecoratorInterface as Decorator;

/**
* Abstract class for cloud decorators
*
* @category Zend
* @package Zend_Tag
*/
abstract class AbstractCloud implements Decorator
abstract class AbstractCloud extends AbstractDecorator
{
/**
* Option keys to skip when calling setOptions()
*
* @var array
*/
protected $skipOptions = array(
'options',
'config',
);

/**
* Create a new cloud decorator with options
*
* @param array|Traversable $options
*/
public function __construct($options = null)
{
if ($options instanceof Traversable) {
$options = ArrayUtils::iteratorToArray($options);
}
if (is_array($options)) {
$this->setOptions($options);
}
}

/**
* Set options from array
*
* @param array $options Configuration for the decorator
* @return AbstractCloud
*/
public function setOptions(array $options)
{
foreach ($options as $key => $value) {
if (in_array(strtolower($key), $this->skipOptions)) {
continue;
}

$method = 'set' . $key;
if (method_exists($this, $method)) {
$this->$method($value);
}
}

return $this;
}
}
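Review bot: With `implements Decorator` replaced by `extends AbstractDecorator` on L309 and the `DecoratorInterface` import dropped on L300, whether `AbstractCloud` still satisfies `Zend\Tag\Cloud\Decorator\DecoratorInterface`, and still skips the `options`/`config` keys that the removed `setOptions()` ignored, now rests entirely on `AbstractDecorator`, which is not among the visible files. Please confirm the base class implements the interface and carries over the removed `skipOptions` handling, and record that in the class docblock, e.g. `@see AbstractDecorator for the option handling moved out of this class`. The class body is now empty, so the whole unit is within the hunk.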
