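 /**
  * Escapes a value for use as a single URL component (path segment or
  * query-string key/value) via the wrapped Zend escaper.
  *
  * Objects are accepted only when they can be converted to a string;
  * arrays are rejected because a URL component has no array form.
  *
  * @param mixed $string value to escape; an object must implement __toString()
  *
  * @return string the escaped component as returned by $this->zendEscape->escapeUrl()
  *
  * @throws EscapeException for an object without __toString(), or for an array
  */
 public function escapeURLComponent($string)
 {
     if (is_object($string)) {
         // Only stringable objects can be encoded; anything else is a caller bug.
         if (!method_exists($string, '__toString')) {
             throw EscapeException::fromBadObject($string);
         }
         $string = (string) $string;
     }
     if (is_array($string)) {
         throw EscapeException::fromBadArray();
     }
     return $this->zendEscape->escapeUrl($string);
 }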
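 /**
  * Escapes strings based on context
  *
  * Non-string scalars (bool, int, float) and null are returned untouched;
  * objects, resources and unknown types are rejected. Note that arrays pass
  * both type checks and are handed to the parent escaper as-is. Strings are
  * routed to the parent method matching $context.
  *
  * NOTE(review): the default context self::HTML_BODY is not matched by any
  * branch below — unless it shares its value with self::HTML_STRING, a call
  * without an explicit context ends in the 'Invalid context.' exception.
  * Confirm the constant values.
  *
  * @param string $string The string to escape
  * @param int $context The context to escape in (one of the self::* context constants)
  * @return string The escaped string
  * @throws \InvalidArgumentException If the context is invalid or the value's type cannot be escaped
  */
 public function escape($string, $context = self::HTML_BODY)
 {
     $type = gettype($string);
     // Nothing to escape in these types; the caller gets the value back unchanged.
     if (in_array($type, ['boolean', 'integer', 'double', 'NULL'], true)) {
         return $string;
     }
     if (in_array($type, ['object', 'resource', 'unknown type'], true)) {
         throw new \InvalidArgumentException("Unable to escape variable of type {$type}.");
     }
     // Kept as an ordered if-chain (not a lookup table) so that constants
     // sharing a value keep the precedence the original code gave them.
     if ($context === self::HTML_STRING) {
         return parent::escapeHtml($string);
     }
     if ($context === self::HTML_ATTR) {
         return parent::escapeHtmlAttr($string);
     }
     if ($context === self::CSS) {
         return parent::escapeCss($string);
     }
     if ($context === self::JS_STRING) {
         return parent::escapeJs($string);
     }
     if ($context === self::URL_PARAM) {
         return parent::escapeUrl($string);
     }
     throw new \InvalidArgumentException('Invalid context.');
 }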
 /**
  * Shows a single news post selected by its title link.
  *
  * The 'post' route parameter is URL-escaped before it is bound to the
  * :titleLink parameter, so the database comparison is made against the
  * escaped form of the value (presumably how titleLink is stored — verify).
  * The lookup is a parameterised DQL query; no request input is
  * concatenated into the query text.
  *
  * @return \Zend\View\Model\ViewModel the post view, or the 404 error result when nothing matches
  */
 public function postAction()
 {
     $view = $this->getView();
     $view->setTemplate('application/news/post');

     $escaper = new Escaper('utf-8');
     $titleLink = (string) $escaper->escapeUrl($this->getParam('post'));

     $rows = $this->getTable('SD\\Admin\\Model\\ContentTable')
         ->queryBuilder()
         ->select(['c.title, c.text, c.date, c.preview'])
         ->from('SD\\Admin\\Entity\\Content', 'c')
         ->where('c.type = 1 AND c.menu = 0 AND c.language = :language AND c.titleLink = :titleLink')
         ->setParameter(':language', (int) $this->language())
         ->setParameter(':titleLink', $titleLink)
         ->orderBy('c.date', 'DESC')
         ->getQuery()
         ->getResult();

     if (!$rows) {
         return $this->setErrorCode(404);
     }

     // Only the first match is rendered; it also feeds the page meta tags.
     $view->setVariable('new', $rows[0]);
     $this->initMetaTags($rows[0]);
     return $view;
 }
 /**
  * Append record id as a hash to the last search URL.
  * This way the previous window scroll position gets restored
  * when the user returns to search results from a record page.
  *
  * The record id is URL-escaped before it becomes the fragment, and a
  * remembered URL that already carries a fragment is left untouched.
  *
  * @return void
  */
 protected function modifyLastSearchURL()
 {
     $memory = $this->getServiceLocator()->get('VuFind\\Search\\Memory');
     $lastSearch = $memory->retrieve();
     if (!$lastSearch) {
         return;
     }

     // Do not overwrite existing hash
     $urlParts = parse_url($lastSearch);
     if (isset($urlParts['fragment'])) {
         return;
     }

     $escaper = new Escaper('utf-8');
     $fragment = $escaper->escapeUrl($this->driver->getUniqueId());
     $memory->rememberSearch($lastSearch . '#' . $fragment);
 }
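 /**
  * Escapes strings to make them safe for use
  * within HTML templates. Used by the auto-escaping
  * functionality in setVar() and available to
  * use within your views.
  *
  * Uses ZendFramework's Escaper to handle the actual escaping,
  * based on context. Valid contexts are:
  *      - html
  *      - htmlAttr
  *      - js
  *      - css
  *      - url
  *
  * Arrays are escaped recursively (keys are left untouched) and the same
  * Escaper instance is reused for every element. Non-string scalars are
  * returned unchanged. The context is validated before anything else, so
  * an unknown context is rejected even for arrays and non-strings.
  *
  * References:
  *  - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  *  - http://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html
  *
  * @param mixed        $data    string, or (nested) array of strings, to escape
  * @param string       $context one of the contexts listed above (case-insensitive)
  * @param Escaper|null $escaper An instance of ZF's Escaper to avoid repeated class instantiation.
  *
  * @return mixed the escaped string or array, or $data unchanged when it is neither
  *
  * @throws \InvalidArgumentException for an unknown context
  */
 function esc($data, $context = 'html', $escaper = null)
 {
     $context = strtolower($context);

     // Valid context? Checked up front, before any recursion or escaping.
     if (!in_array($context, ['html', 'htmlattr', 'js', 'css', 'url'], true)) {
         throw new \InvalidArgumentException('Invalid Context type: ' . $context);
     }

     if (!is_string($data) && !is_array($data)) {
         return $data;
     }

     if (!is_object($escaper)) {
         $escaper = new Escaper(config_item('charset'));
     }

     if (is_array($data)) {
         // Pass the escaper down so nested calls do not rebuild one per element.
         // Assigning by key (rather than iterating by reference) avoids leaving a
         // dangling reference on the last element.
         foreach ($data as $key => $value) {
             $data[$key] = esc($value, $context, $escaper);
         }
         return $data;
     }

     switch ($context) {
         case 'html':
             return $escaper->escapeHtml($data);
         case 'htmlattr':
             return $escaper->escapeHtmlAttr($data);
         case 'js':
             return $escaper->escapeJs($data);
         case 'css':
             return $escaper->escapeCss($data);
         case 'url':
             return $escaper->escapeUrl($data);
     }

     // Unreachable: every valid context is handled above.
     return $data;
 }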
 /**
  * {@inheritdoc}
  *
  * Thin delegation to the wrapped escaper's escapeUrl(); no additional
  * validation happens here.
  */
 public function escapeUrl($string)
 {
     $escaped = $this->escaper->escapeUrl($string);

     return $escaped;
 }
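 /**
  * Builds menu HTML.
  *
  * Emits one "<ul class='table-row'>" per child of $parent listed in
  * $menu['submenus'][$parent]: caption, detail/edit links, an
  * activate/deactivate toggle and a delete confirmation dialog, then
  * recurses into that child's own submenus.
  *
  * Output escaping: ids used in hrefs go through escapeUrl(); the caption
  * goes through escapeHtml() and ids placed in id/class/aria attributes go
  * through escapeHtmlAttr(), so a stored caption or id containing markup
  * cannot break out of the generated HTML. Translated labels and the
  * language name are emitted verbatim (treated as trusted).
  *
  * @method getMenus
  *
  * @param int   $parent id of the menu whose children are rendered (0 = top level)
  * @param array $menu   expects 'submenus' (parent id => list of child ids) and
  *                      'menus' (id => object exposing getCaption(), getId(), isActive())
  *
  * @return string generated html code
  */
 private function getMenus($parent = 0, array $menu = [])
 {
     if (!isset($menu['submenus'][$parent])) {
         return '';
     }

     $escaper = new Escaper('utf-8');
     // Labels do not change per row, so they are resolved once per level.
     $lang = $this->language('languageName');
     $details = $this->translate('DETAILS');
     $edit = $this->translate('EDIT');
     $delete = $this->translate('DELETE');
     $cancel = $this->translate('CANCEL');
     $confirm = $this->translate('DELETE_CONFIRM_TEXT');

     $output = '';
     foreach ($menu['submenus'][$parent] as $id) {
         $item = $menu['menus'][$id];
         $rawId = $item->getId();
         $urlId = $escaper->escapeUrl($rawId);                  // URL path segments
         $attrId = $escaper->escapeHtmlAttr((string) $rawId);   // id/class/aria attributes
         $caption = $escaper->escapeHtml((string) $item->getCaption());

         $output .= "<ul class='table-row'>";
         $output .= "<li class='table-cell flex-2'>" . $caption . '</li>';
         $output .= "<li class='table-cell flex-b'><a title='" . $details . "' hreflang='" . $lang . "' itemprop='url' href='/admin/menu/detail/" . $urlId . "' class='btn btn-sm blue'><i class='fa fa-info'></i></a></li>";
         $output .= "<li class='table-cell flex-b'><a title='" . $edit . "' hreflang='" . $lang . "' itemprop='url' href='/admin/menu/edit/" . $urlId . "' class='btn btn-sm orange'><i class='fa fa-pencil'></i></a></li>";
         if (0 === $item->isActive()) {
             $output .= "<li class='table-cell flex-b'><a title='" . $this->translate('DEACTIVATED') . "' hreflang='" . $lang . "' itemprop='url' href='/admin/menu/activate/" . $urlId . "' class='btn btn-sm deactivated'><i class='fa fa-minus-square-o'></i></a></li>";
         } else {
             $output .= "<li class='table-cell flex-b'><a title='" . $this->translate('ACTIVE') . "' hreflang='" . $lang . "' itemprop='url' href='/admin/menu/deactivate/" . $urlId . "' class='btn btn-sm active'><i class='fa fa fa-check-square-o'></i></a></li>";
         }
         $output .= "\n                <li class='table-cell flex-b'>\n                    <button role='button' aria-pressed='false' aria-label='" . $delete . "' id='" . $attrId . "' type='button' class='btn btn-sm delete dialog_delete' title='" . $delete . "'><i class='fa fa-trash-o'></i></button>\n                        <div role='alertdialog' aria-labelledby='dialog" . $attrId . "Title' class='delete_" . $attrId . " dialog_hide'>\n                           <p id='dialog" . $attrId . "Title'>" . $confirm . ' &laquo;' . $caption . "&raquo;</p>\n                            <ul>\n                                <li>\n                                    <a class='btn delete' href='/admin/menu/delete/" . $urlId . "'><i class='fa fa-trash-o'></i> " . $delete . "</a>\n                                </li>\n                                <li>\n                                    <button role='button' aria-pressed='false' aria-label='" . $cancel . "' class='btn btn-default cancel'><i class='fa fa-times'></i> " . $cancel . '</button>
                              </li>
                          </ul>
                      </div>
              </li>';
         $output .= '</ul>';
         $output .= $this->getMenus($id, $menu);
     }

     return $output;
 }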
 /**
  * Escapes $input for use as a URL component via the shared static escaper.
  *
  * @param mixed $input
  * @return mixed whatever self::$escaper->escapeUrl() returns
  */
 public static function escapeUrl($input)
 {
     // init() is expected to populate self::$escaper before first use — verify.
     self::init();
     $escaper = self::$escaper;

     return $escaper->escapeUrl($input);
 }