417 lines
14 KiB
PHP
417 lines
14 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of Twig.
|
|
*
|
|
* (c) Fabien Potencier
|
|
*
|
|
* For the full copyright and license information, please view the LICENSE
|
|
* file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Twig\Extension {
|
|
use Twig\FileExtensionEscapingStrategy;
|
|
use Twig\NodeVisitor\EscaperNodeVisitor;
|
|
use Twig\TokenParser\AutoEscapeTokenParser;
|
|
use Twig\TwigFilter;
|
|
|
|
final class EscaperExtension extends AbstractExtension
|
|
{
|
|
private $defaultStrategy;
|
|
private $escapers = [];
|
|
|
|
/** @internal */
|
|
public $safeClasses = [];
|
|
|
|
/** @internal */
|
|
public $safeLookup = [];
|
|
|
|
/**
|
|
* @param string|false|callable $defaultStrategy An escaping strategy
|
|
*
|
|
* @see setDefaultStrategy()
|
|
*/
|
|
public function __construct($defaultStrategy = 'html')
|
|
{
|
|
$this->setDefaultStrategy($defaultStrategy);
|
|
}
|
|
|
|
public function getTokenParsers(): array
|
|
{
|
|
return [new AutoEscapeTokenParser()];
|
|
}
|
|
|
|
public function getNodeVisitors(): array
|
|
{
|
|
return [new EscaperNodeVisitor()];
|
|
}
|
|
|
|
public function getFilters(): array
|
|
{
|
|
return [
|
|
new TwigFilter('escape', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
|
|
new TwigFilter('e', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
|
|
new TwigFilter('raw', 'twig_raw_filter', ['is_safe' => ['all']]),
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Sets the default strategy to use when not defined by the user.
|
|
*
|
|
* The strategy can be a valid PHP callback that takes the template
|
|
* name as an argument and returns the strategy to use.
|
|
*
|
|
* @param string|false|callable $defaultStrategy An escaping strategy
|
|
*/
|
|
public function setDefaultStrategy($defaultStrategy): void
|
|
{
|
|
if ('name' === $defaultStrategy) {
|
|
$defaultStrategy = [FileExtensionEscapingStrategy::class, 'guess'];
|
|
}
|
|
|
|
$this->defaultStrategy = $defaultStrategy;
|
|
}
|
|
|
|
/**
|
|
* Gets the default strategy to use when not defined by the user.
|
|
*
|
|
* @param string $name The template name
|
|
*
|
|
* @return string|false The default strategy to use for the template
|
|
*/
|
|
public function getDefaultStrategy(string $name)
|
|
{
|
|
// disable string callables to avoid calling a function named html or js,
|
|
// or any other upcoming escaping strategy
|
|
if (!\is_string($this->defaultStrategy) && false !== $this->defaultStrategy) {
|
|
return \call_user_func($this->defaultStrategy, $name);
|
|
}
|
|
|
|
return $this->defaultStrategy;
|
|
}
|
|
|
|
/**
|
|
* Defines a new escaper to be used via the escape filter.
|
|
*
|
|
* @param string $strategy The strategy name that should be used as a strategy in the escape call
|
|
* @param callable $callable A valid PHP callable
|
|
*/
|
|
public function setEscaper($strategy, callable $callable)
|
|
{
|
|
$this->escapers[$strategy] = $callable;
|
|
}
|
|
|
|
/**
|
|
* Gets all defined escapers.
|
|
*
|
|
* @return callable[] An array of escapers
|
|
*/
|
|
public function getEscapers()
|
|
{
|
|
return $this->escapers;
|
|
}
|
|
|
|
public function setSafeClasses(array $safeClasses = [])
|
|
{
|
|
$this->safeClasses = [];
|
|
$this->safeLookup = [];
|
|
foreach ($safeClasses as $class => $strategies) {
|
|
$this->addSafeClass($class, $strategies);
|
|
}
|
|
}
|
|
|
|
public function addSafeClass(string $class, array $strategies)
|
|
{
|
|
$class = ltrim($class, '\\');
|
|
if (!isset($this->safeClasses[$class])) {
|
|
$this->safeClasses[$class] = [];
|
|
}
|
|
$this->safeClasses[$class] = array_merge($this->safeClasses[$class], $strategies);
|
|
|
|
foreach ($strategies as $strategy) {
|
|
$this->safeLookup[$strategy][$class] = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
namespace {
|
|
use Twig\Environment;
|
|
use Twig\Error\RuntimeError;
|
|
use Twig\Extension\EscaperExtension;
|
|
use Twig\Markup;
|
|
use Twig\Node\Expression\ConstantExpression;
|
|
use Twig\Node\Node;
|
|
|
|
/**
|
|
* Marks a variable as being safe.
|
|
*
|
|
* @param string $string A PHP variable
|
|
*/
|
|
function twig_raw_filter($string)
|
|
{
|
|
return $string;
|
|
}
|
|
|
|
/**
|
|
* Escapes a string.
|
|
*
|
|
* @param mixed $string The value to be escaped
|
|
* @param string $strategy The escaping strategy
|
|
* @param string $charset The charset
|
|
* @param bool $autoescape Whether the function is called by the auto-escaping feature (true) or by the developer (false)
|
|
*
|
|
* @return string
|
|
*/
|
|
function twig_escape_filter(Environment $env, $string, $strategy = 'html', $charset = null, $autoescape = false)
|
|
{
|
|
if ($autoescape && $string instanceof Markup) {
|
|
return $string;
|
|
}
|
|
|
|
if (!\is_string($string)) {
|
|
if (\is_object($string) && method_exists($string, '__toString')) {
|
|
if ($autoescape) {
|
|
$c = \get_class($string);
|
|
$ext = $env->getExtension(EscaperExtension::class);
|
|
if (!isset($ext->safeClasses[$c])) {
|
|
$ext->safeClasses[$c] = [];
|
|
foreach (class_parents($string) + class_implements($string) as $class) {
|
|
if (isset($ext->safeClasses[$class])) {
|
|
$ext->safeClasses[$c] = array_unique(array_merge($ext->safeClasses[$c], $ext->safeClasses[$class]));
|
|
foreach ($ext->safeClasses[$class] as $s) {
|
|
$ext->safeLookup[$s][$c] = true;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (isset($ext->safeLookup[$strategy][$c]) || isset($ext->safeLookup['all'][$c])) {
|
|
return (string) $string;
|
|
}
|
|
}
|
|
|
|
$string = (string) $string;
|
|
} elseif (\in_array($strategy, ['html', 'js', 'css', 'html_attr', 'url'])) {
|
|
return $string;
|
|
}
|
|
}
|
|
|
|
if ('' === $string) {
|
|
return '';
|
|
}
|
|
|
|
if (null === $charset) {
|
|
$charset = $env->getCharset();
|
|
}
|
|
|
|
switch ($strategy) {
|
|
case 'html':
|
|
// see https://www.php.net/htmlspecialchars
|
|
|
|
// Using a static variable to avoid initializing the array
|
|
// each time the function is called. Moving the declaration on the
|
|
// top of the function slow downs other escaping strategies.
|
|
static $htmlspecialcharsCharsets = [
|
|
'ISO-8859-1' => true, 'ISO8859-1' => true,
|
|
'ISO-8859-15' => true, 'ISO8859-15' => true,
|
|
'utf-8' => true, 'UTF-8' => true,
|
|
'CP866' => true, 'IBM866' => true, '866' => true,
|
|
'CP1251' => true, 'WINDOWS-1251' => true, 'WIN-1251' => true,
|
|
'1251' => true,
|
|
'CP1252' => true, 'WINDOWS-1252' => true, '1252' => true,
|
|
'KOI8-R' => true, 'KOI8-RU' => true, 'KOI8R' => true,
|
|
'BIG5' => true, '950' => true,
|
|
'GB2312' => true, '936' => true,
|
|
'BIG5-HKSCS' => true,
|
|
'SHIFT_JIS' => true, 'SJIS' => true, '932' => true,
|
|
'EUC-JP' => true, 'EUCJP' => true,
|
|
'ISO8859-5' => true, 'ISO-8859-5' => true, 'MACROMAN' => true,
|
|
];
|
|
|
|
if (isset($htmlspecialcharsCharsets[$charset])) {
|
|
return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset);
|
|
}
|
|
|
|
if (isset($htmlspecialcharsCharsets[strtoupper($charset)])) {
|
|
// cache the lowercase variant for future iterations
|
|
$htmlspecialcharsCharsets[$charset] = true;
|
|
|
|
return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset);
|
|
}
|
|
|
|
$string = twig_convert_encoding($string, 'UTF-8', $charset);
|
|
$string = htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
|
|
|
|
return iconv('UTF-8', $charset, $string);
|
|
|
|
case 'js':
|
|
// escape all non-alphanumeric characters
|
|
// into their \x or \uHHHH representations
|
|
if ('UTF-8' !== $charset) {
|
|
$string = twig_convert_encoding($string, 'UTF-8', $charset);
|
|
}
|
|
|
|
if (!preg_match('//u', $string)) {
|
|
throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
|
|
}
|
|
|
|
$string = preg_replace_callback('#[^a-zA-Z0-9,\._]#Su', function ($matches) {
|
|
$char = $matches[0];
|
|
|
|
/*
|
|
* A few characters have short escape sequences in JSON and JavaScript.
|
|
* Escape sequences supported only by JavaScript, not JSON, are omitted.
|
|
* \" is also supported but omitted, because the resulting string is not HTML safe.
|
|
*/
|
|
static $shortMap = [
|
|
'\\' => '\\\\',
|
|
'/' => '\\/',
|
|
"\x08" => '\b',
|
|
"\x0C" => '\f',
|
|
"\x0A" => '\n',
|
|
"\x0D" => '\r',
|
|
"\x09" => '\t',
|
|
];
|
|
|
|
if (isset($shortMap[$char])) {
|
|
return $shortMap[$char];
|
|
}
|
|
|
|
$codepoint = mb_ord($char, 'UTF-8');
|
|
if (0x10000 > $codepoint) {
|
|
return sprintf('\u%04X', $codepoint);
|
|
}
|
|
|
|
// Split characters outside the BMP into surrogate pairs
|
|
// https://tools.ietf.org/html/rfc2781.html#section-2.1
|
|
$u = $codepoint - 0x10000;
|
|
$high = 0xD800 | ($u >> 10);
|
|
$low = 0xDC00 | ($u & 0x3FF);
|
|
|
|
return sprintf('\u%04X\u%04X', $high, $low);
|
|
}, $string);
|
|
|
|
if ('UTF-8' !== $charset) {
|
|
$string = iconv('UTF-8', $charset, $string);
|
|
}
|
|
|
|
return $string;
|
|
|
|
case 'css':
|
|
if ('UTF-8' !== $charset) {
|
|
$string = twig_convert_encoding($string, 'UTF-8', $charset);
|
|
}
|
|
|
|
if (!preg_match('//u', $string)) {
|
|
throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
|
|
}
|
|
|
|
$string = preg_replace_callback('#[^a-zA-Z0-9]#Su', function ($matches) {
|
|
$char = $matches[0];
|
|
|
|
return sprintf('\\%X ', 1 === \strlen($char) ? \ord($char) : mb_ord($char, 'UTF-8'));
|
|
}, $string);
|
|
|
|
if ('UTF-8' !== $charset) {
|
|
$string = iconv('UTF-8', $charset, $string);
|
|
}
|
|
|
|
return $string;
|
|
|
|
case 'html_attr':
|
|
if ('UTF-8' !== $charset) {
|
|
$string = twig_convert_encoding($string, 'UTF-8', $charset);
|
|
}
|
|
|
|
if (!preg_match('//u', $string)) {
|
|
throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
|
|
}
|
|
|
|
$string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_]#Su', function ($matches) {
|
|
/**
|
|
* This function is adapted from code coming from Zend Framework.
|
|
*
|
|
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (https://www.zend.com)
|
|
* @license https://framework.zend.com/license/new-bsd New BSD License
|
|
*/
|
|
$chr = $matches[0];
|
|
$ord = \ord($chr);
|
|
|
|
/*
|
|
* The following replaces characters undefined in HTML with the
|
|
* hex entity for the Unicode replacement character.
|
|
*/
|
|
if (($ord <= 0x1f && "\t" != $chr && "\n" != $chr && "\r" != $chr) || ($ord >= 0x7f && $ord <= 0x9f)) {
|
|
return '�';
|
|
}
|
|
|
|
/*
|
|
* Check if the current character to escape has a name entity we should
|
|
* replace it with while grabbing the hex value of the character.
|
|
*/
|
|
if (1 === \strlen($chr)) {
|
|
/*
|
|
* While HTML supports far more named entities, the lowest common denominator
|
|
* has become HTML5's XML Serialisation which is restricted to the those named
|
|
* entities that XML supports. Using HTML entities would result in this error:
|
|
* XML Parsing Error: undefined entity
|
|
*/
|
|
static $entityMap = [
|
|
34 => '"', /* quotation mark */
|
|
38 => '&', /* ampersand */
|
|
60 => '<', /* less-than sign */
|
|
62 => '>', /* greater-than sign */
|
|
];
|
|
|
|
if (isset($entityMap[$ord])) {
|
|
return $entityMap[$ord];
|
|
}
|
|
|
|
return sprintf('&#x%02X;', $ord);
|
|
}
|
|
|
|
/*
|
|
* Per OWASP recommendations, we'll use hex entities for any other
|
|
* characters where a named entity does not exist.
|
|
*/
|
|
return sprintf('&#x%04X;', mb_ord($chr, 'UTF-8'));
|
|
}, $string);
|
|
|
|
if ('UTF-8' !== $charset) {
|
|
$string = iconv('UTF-8', $charset, $string);
|
|
}
|
|
|
|
return $string;
|
|
|
|
case 'url':
|
|
return rawurlencode($string);
|
|
|
|
default:
|
|
$escapers = $env->getExtension(EscaperExtension::class)->getEscapers();
|
|
if (array_key_exists($strategy, $escapers)) {
|
|
return $escapers[$strategy]($env, $string, $charset);
|
|
}
|
|
|
|
$validStrategies = implode(', ', array_merge(['html', 'js', 'url', 'css', 'html_attr'], array_keys($escapers)));
|
|
|
|
throw new RuntimeError(sprintf('Invalid escaping strategy "%s" (valid ones: %s).', $strategy, $validStrategies));
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @internal
|
|
*/
|
|
function twig_escape_filter_is_safe(Node $filterArgs)
|
|
{
|
|
foreach ($filterArgs as $arg) {
|
|
if ($arg instanceof ConstantExpression) {
|
|
return [$arg->getAttribute('value')];
|
|
}
|
|
|
|
return [];
|
|
}
|
|
|
|
return ['html'];
|
|
}
|
|
}
|