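/**
 * Converts query string (GET) parameters in request into hidden fields.
 *
 * Useful for forwarding GET parameters when submitting forms with GET method.
 *
 * It is possible to omit some of the GET parameters, which is useful if
 * they are specified in the form being submitted.
 *
 * sid is always omitted.
 *
 * Parameter names are compared as strings with strict equality. PHP stores
 * integer-like array keys as ints, and on PHP versions before 8 a loose
 * comparison treats int 0 as equal to any non-numeric string, so a loosely
 * compared name could match 'sid' or an exclusion entry it does not equal.
 *
 * @param \phpbb\request\request $request Request object
 * @param array|null $exclude A list of variable names that should not be forwarded
 * @return string HTML with hidden fields
 */
function phpbb_build_hidden_fields_for_query_params($request, $exclude = null)
{
    $names = $request->variable_names(\phpbb\request\request_interface::GET);

    // Normalise the exclusion list once, so membership can be tested strictly
    // without changing which string names callers are able to exclude.
    $excluded = empty($exclude) ? array() : array_map('strval', $exclude);

    $hidden = '';
    foreach ($names as $name) {
        $key = (string) $name;

        // Sessions are dealt with elsewhere, omit sid always
        if ($key === 'sid') {
            continue;
        }
        // Omit any additional parameters requested
        if (in_array($key, $excluded, true)) {
            continue;
        }

        // Names and values come from the query string, i.e. from whoever built
        // the link, so both must be attribute-escaped before being echoed.
        // NOTE(review): the markup below adds no quotes around the attributes,
        // so it relies on phpbb_quoteattr() returning a value that is already
        // quoted - confirm against its definition.
        $escaped_name = phpbb_quoteattr($name);

        // Note: the unrestricted lookup might retrieve the variable from POST
        // or cookies. To avoid exposing cookies, the value is only forwarded
        // when it is identical to the one read from GET alone; variables
        // overwritten somewhere other than GET are skipped entirely.
        $value = $request->variable($name, '', true);
        $get_value = $request->variable($name, '', true, \phpbb\request\request_interface::GET);
        if ($value === $get_value) {
            $escaped_value = phpbb_quoteattr($value);
            $hidden .= "<input type='hidden' name={$escaped_name} value={$escaped_value} />";
        }
    }
    return $hidden;
}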
 /**
  * Checks phpbb_quoteattr() against one data set.
  *
  * The input and the second argument are forwarded unchanged to
  * phpbb_quoteattr(), and the result must equal the expected string.
  *
  * @dataProvider quoteattr_test_data
  *
  * @param mixed $input Value handed to phpbb_quoteattr() as its first argument
  * @param mixed $entities Value handed to phpbb_quoteattr() as its second argument
  * @param mixed $expected Result the call is expected to produce
  */
 public function test_quoteattr($input, $entities, $expected)
 {
     $this->assertEquals(
         $expected,
         phpbb_quoteattr($input, $entities)
     );
 }