
Merge branch 'security/escaper-usage'

Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
2 parents 301db6d + 07d847b commit 27131ca9520bdf1d4c774c71459eba32f2b10733 @weierophinney weierophinney committed Sep 20, 2012
@@ -10,6 +10,8 @@
namespace Zend\Debug;
+use Zend\Escaper\Escaper;
+
/**
* Concrete class for generating debug dumps related to the output source.
*
@@ -18,6 +20,10 @@
*/
class Debug
{
+ /**
+ * @var Escaper
+ */
+ protected static $escaper = null;
/**
* @var string
@@ -50,6 +56,31 @@ public static function setSapi($sapi)
self::$sapi = $sapi;
}
+ /**
+ * Set Escaper instance
+ *
+ * @param Escaper $escaper
+ */
+ public static function setEscaper(Escaper $escaper)
+ {
+ static::$escaper = $escaper;
+ }
+
+ /**
+ * Get Escaper instance
+ *
+ * Lazy loads an instance if none provided.
+ *
+ * @return Escaper
+ */
+ public static function getEscaper()
+ {
+ if (null === static::$escaper) {
+ static::setEscaper(new Escaper());
+ }
+ return static::$escaper;
+ }
+
/**
* Debug helper function. This is a wrapper for var_dump() that adds
* the <pre /> tags, cleans up newlines and indents, and runs
@@ -78,7 +109,7 @@ public static function dump($var, $label=null, $echo=true)
. PHP_EOL;
} else {
if (!extension_loaded('xdebug')) {
- $output = htmlspecialchars($output, ENT_QUOTES);
+ $output = static::getEscaper()->escapeHtml($output);
}
$output = '<pre>'
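Review bot: Escaping is still gated on `!extension_loaded('xdebug')`, so when xdebug is loaded the raw var_dump() output goes inside the `<pre>` unescaped; that is only safe if xdebug's var_dump() overload itself produced HTML-safe output, which as far as I recall it does only when html_errors is enabled — worth confirming rather than assuming. A comment on the condition would make that assumption visible: `// xdebug's var_dump() overload already emits escaped HTML (html_errors=1); plain-text output must be escaped here`. Note also that the Escaper lazily created in getEscaper() uses its default encoding, whereas the Xml formatter in this same commit passes its configured encoding; for dumped strings in another encoding, the escaper's handling of invalid byte sequences decides what is emitted. dump() starts before and continues after this hunk.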
@@ -13,6 +13,10 @@
},
"target-dir": "Zend/Debug",
"require": {
- "php": ">=5.3.3"
+ "php": ">=5.3.3",
+ "zendframework/zend-escaper": "self.version"
+ },
+ "suggest": {
+ "ext/xdebug": "XDebug, for better backtrace output"
}
-}
+}
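Review bot: The new `suggest` entry uses `ext/xdebug`, whereas composer's convention for extension platform packages (and the Log manifest in this same commit, `ext-mongo`) is `ext-<name>`; as written it will not match the extension and the suggestion is effectively unresolvable. Change it to `"ext-xdebug": "XDebug, for better backtrace output"`.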
@@ -10,6 +10,7 @@
namespace Zend\Feed\PubSubHubbub;
+use Zend\Escaper\Escaper;
use Zend\Feed\Reader;
use Zend\Http;
@@ -32,10 +33,15 @@ class PubSubHubbub
const SUBSCRIPTION_NOTVERIFIED = 'not_verified';
const SUBSCRIPTION_TODELETE = 'to_delete';
+ /**
+ * @var Escaper
+ */
+ protected static $escaper;
+
/**
* Singleton instance if required of the HTTP client
*
- * @var \Zend\Http\Client
+ * @var Http\Client
*/
protected static $httpClient = null;
@@ -67,7 +73,7 @@ public static function detectHubs($source)
* Allows the external environment to make Zend_Oauth use a specific
* Client instance.
*
- * @param \Zend\Http\Client $httpClient
+ * @param Http\Client $httpClient
* @return void
*/
public static function setHttpClient(Http\Client $httpClient)
@@ -80,15 +86,15 @@ public static function setHttpClient(Http\Client $httpClient)
* the instance is reset and cleared of previous parameters GET/POST.
* Headers are NOT reset but handled by this component if applicable.
*
- * @return \Zend\Http\Client
+ * @return Http\Client
*/
public static function getHttpClient()
{
- if (!isset(self::$httpClient)):
+ if (!isset(self::$httpClient)) {
self::$httpClient = new Http\Client;
- else:
+ } else {
self::$httpClient->resetParameters();
- endif;
+ }
return self::$httpClient;
}
@@ -103,6 +109,33 @@ public static function clearHttpClient()
self::$httpClient = null;
}
+ /**
+ * Set the Escaper instance
+ *
+ * If null, resets the instance
+ *
+ * @param null|Escaper $escaper
+ */
+ public static function setEscaper(Escaper $escaper = null)
+ {
+ static::$escaper = $escaper;
+ }
+
+ /**
+ * Get the Escaper instance
+ *
+ * If none registered, lazy-loads an instance.
+ *
+ * @return Escaper
+ */
+ public static function getEscaper()
+ {
+ if (null === static::$escaper) {
+ static::setEscaper(new Escaper());
+ }
+ return static::$escaper;
+ }
+
/**
* RFC 3986 safe url encoding method
*
@@ -111,7 +144,8 @@ public static function clearHttpClient()
*/
public static function urlencode($string)
{
- $rawencoded = rawurlencode($string);
+ $escaper = static::getEscaper();
+ $rawencoded = $escaper->escapeUrl($string);
$rfcencoded = str_replace('%7E', '~', $rawencoded);
return $rfcencoded;
}
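Review bot: The `str_replace('%7E', '~', ...)` fix-up now post-processes whatever `escapeUrl()` returns instead of `rawurlencode()`, so its correctness rests on escapeUrl() being rawurlencode()-equivalent (which, on the PHP ≥ 5.3 this package requires, already leaves `~` unencoded, making the replacement a no-op as far as I recall); if escapeUrl() ever applied a different scheme this line could silently undo an intended escape. Record the assumption on the call: `// escapeUrl() is expected to be rawurlencode()-based (RFC 3986); the %7E fix-up is kept for pre-5.3 behaviour`. Separately, `setEscaper(Escaper $escaper = null)` here resets the instance on null while the Debug component's setter introduced by the same commit does not accept null, so the two static APIs behave differently for the same call.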
@@ -14,6 +14,7 @@
"target-dir": "Zend/Feed",
"require": {
"php": ">=5.3.3",
+ "zendframework/zend-escaper": "self.version",
"zendframework/zend-stdlib": "self.version"
},
"suggest": {
@@ -14,6 +14,7 @@
use DOMDocument;
use DOMElement;
use Traversable;
+use Zend\Escaper\Escaper;
use Zend\Stdlib\ArrayUtils;
/**
@@ -38,6 +39,11 @@ class Xml implements FormatterInterface
*/
protected $encoding;
+ /**
+ * @var Escaper instance
+ */
+ protected $escaper;
+
/**
* Format specifier for DateTime objects in event data (default: ISO 8601)
*
@@ -121,6 +127,33 @@ public function setEncoding($value)
return $this;
}
+ /**
+ * Set Escaper instance
+ *
+ * @param Escaper $escaper
+ * @return Xml
+ */
+ public function setEscaper(Escaper $escaper)
+ {
+ $this->escaper = $escaper;
+ return $this;
+ }
+
+ /**
+ * Get Escaper instance
+ *
+ * Lazy-loads an instance with the current encoding if none registered.
+ *
+ * @return Escaper
+ */
+ public function getEscaper()
+ {
+ if (null === $this->escaper) {
+ $this->setEscaper(new Escaper($this->getEncoding()));
+ }
+ return $this->escaper;
+ }
+
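Review bot: `getEscaper()` captures `$this->getEncoding()` only when it lazily constructs the instance, so a `setEncoding()` call made after the first `format()` leaves the escaper on the old encoding while the DOMDocument in format() is created with the new one, and the escaped text and the document's declared charset can disagree. Either reset the lazily built instance in `setEncoding()` (tracking whether one was injected via `setEscaper()` so that is not discarded) or document the ordering on getEscaper(): `* Call setEncoding() before the first format() call; the lazily created Escaper captures the encoding once.`. In the format() hunk only the `message` value is escaped; whether the remaining keys are inserted safely depends on code after that hunk. The enclosing class continues outside this hunk.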
/**
* Formats data into a single line to be written by the writer.
*
@@ -142,17 +175,18 @@ public function format($event)
}
}
- $enc = $this->getEncoding();
- $dom = new DOMDocument('1.0', $enc);
- $elt = $dom->appendChild(new DOMElement($this->rootElement));
+ $enc = $this->getEncoding();
+ $escaper = $this->getEscaper();
+ $dom = new DOMDocument('1.0', $enc);
+ $elt = $dom->appendChild(new DOMElement($this->rootElement));
foreach ($dataToInsert as $key => $value) {
if (empty($value)
|| is_scalar($value)
|| (is_object($value) && method_exists($value,'__toString'))
) {
if ($key == "message") {
- $value = htmlspecialchars($value, ENT_COMPAT, $enc);
+ $value = $escaper->escapeHtml($value);
} elseif ($key == "extra" && empty($value)) {
continue;
}
@@ -20,6 +20,7 @@
"suggest": {
"ext-mongo": "*",
"zendframework/zend-db": "Zend\\Db component",
+ "zendframework/zend-escaper": "Zend\\Escaper component, for use in the XML formatter",
"zendframework/zend-mail": "Zend\\Mail component",
"zendframework/zend-validator": "Zend\\Validator component"
}
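Review bot: zend-escaper is listed only under `suggest`, but the Xml formatter now imports `Zend\Escaper\Escaper` and instantiates it unconditionally in `getEscaper()`, so logging through that formatter without the package installed fails with a class-not-found error rather than a clear message; the Debug and Feed manifests in this same commit put the package under `require`. Either move it to `require` here as well, `"zendframework/zend-escaper": "self.version",`, or keep it optional and have the formatter's lazy-load check `class_exists('Zend\Escaper\Escaper')` and throw a descriptive exception.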
@@ -10,62 +10,12 @@
namespace Zend\Tag\Cloud\Decorator;
-use Traversable;
-use Zend\Stdlib\ArrayUtils;
-use Zend\Tag\Cloud\Decorator\DecoratorInterface as Decorator;
-
/**
* Abstract class for cloud decorators
*
* @category Zend
* @package Zend_Tag
*/
-abstract class AbstractCloud implements Decorator
+abstract class AbstractCloud extends AbstractDecorator
{
- /**
- * Option keys to skip when calling setOptions()
- *
- * @var array
- */
- protected $skipOptions = array(
- 'options',
- 'config',
- );
-
- /**
- * Create a new cloud decorator with options
- *
- * @param array|Traversable $options
- */
- public function __construct($options = null)
- {
- if ($options instanceof Traversable) {
- $options = ArrayUtils::iteratorToArray($options);
- }
- if (is_array($options)) {
- $this->setOptions($options);
- }
- }
-
- /**
- * Set options from array
- *
- * @param array $options Configuration for the decorator
- * @return AbstractCloud
- */
- public function setOptions(array $options)
- {
- foreach ($options as $key => $value) {
- if (in_array(strtolower($key), $this->skipOptions)) {
- continue;
- }
-
- $method = 'set' . $key;
- if (method_exists($this, $method)) {
- $this->$method($value);
- }
- }
-
- return $this;
- }
}
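Review bot: `AbstractCloud` no longer declares `implements DecoratorInterface`; that contract now rests on `AbstractDecorator`, which is resolved in the same namespace (no `use` was added) and is outside this diff, so whether cloud decorators still satisfy type hints on DecoratorInterface cannot be confirmed from here. The removed `setOptions()`/`skipOptions` behaviour (dynamic `set*` dispatch keyed on option names) presumably moved to the parent as well; a one-line class docblock, `* @see AbstractDecorator for option handling (setOptions()/skipOptions moved there)`, would tell readers where it went.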
