<?php |
/**
 * TSafeHtml class file
 *
 * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
 * @link https://github.com/pradosoft/prado4
 * @copyright Copyright © 2005-2016 The PRADO Group
 * @license https://github.com/pradosoft/prado4/blob/master/LICENSE
 * @package Prado\Web\UI\WebControls
 */
namespace Prado\Web\UI\WebControls; |
use Prado\IO\TTextWriter; |
use Prado\Prado; |
use Prado\TPropertyValue; |
/**
 * TSafeHtml class
 *
 * TSafeHtml is a control that strips out all potentially dangerous HTML content.
 * It is mainly a wrapper around the {@link http://htmlpurifier.org/ HTMLPurifier} project.
 *
 * To use TSafeHtml, simply enclose the content to be secured within
 * the body of TSafeHtml in a template.
 *
 * You can specify a custom configuration for HTMLPurifier using the
 * {@link setConfig Config} property. Please refer to the
 * {@link http://htmlpurifier.org/docs HTMLPurifier documentation} for the
 * possible configuration parameters.
 *
 * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
 * @package Prado\Web\UI\WebControls
 * @since 3.0
 */
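class TSafeHtml extends \Prado\Web\UI\TControl
{
    /**
     * Sets a custom configuration for HTMLPurifier.
     * The configuration object is stored in the control's view state, so it
     * travels with the page state rather than being rebuilt on each request.
     * @param \HTMLPurifier_Config $value custom configuration
     */
    public function setConfig(\HTMLPurifier_Config $value)
    {
        $this->setViewState('Config', $value, null);
    }

    /**
     * Returns the HTMLPurifier configuration to apply.
     * When no configuration has been set via {@link setConfig}, the
     * HTMLPurifier default configuration is used.
     * @return \HTMLPurifier_Config Configuration for HTMLPurifier.
     */
    public function getConfig()
    {
        $config = $this->getViewState('Config', null);
        return ($config === null) ? \HTMLPurifier_Config::createDefault() : $config;
    }

    /**
     * Renders the body content.
     * This method overrides the parent implementation: the body is first rendered
     * into an in-memory writer and the resulting markup is passed through
     * {@link parseSafeHtml} before anything is written to the real output writer.
     * @param THtmlWriter $writer the writer for the rendering purpose
     */
    public function render($writer)
    {
        // Buffer the child rendering with the same writer type the response uses,
        // so the complete markup can be purified as a whole before it is output.
        $htmlWriter = Prado::createComponent($this->getResponse()->getHtmlWriterType(), new TTextWriter());
        parent::render($htmlWriter);
        $writer->write($this->parseSafeHtml($htmlWriter->flush()));
    }

    /**
     * Uses HTMLPurifier to remove malicious content from HTML.
     * A new purifier instance is built from {@link getConfig} on every call.
     * @param string $text HTML content
     * @return string safer HTML content
     */
    protected function parseSafeHtml($text)
    {
        $purifier = new \HTMLPurifier($this->getConfig());
        return $purifier->purify($text);
    }
}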