/**
 * Names of form fields whose submitted values are left unencoded by the
 * HTML input coder (presumably the list consulted by isSkippedField()).
 *
 * Anything on this list bypasses input-side encoding, so output-side escaping
 * is the only protection for those values. Judging by the names they are
 * fields expected to carry markup or raw content (message bodies, intro and
 * thank-you texts, report headers/footers, 'data', 'sqlQuery').
 *
 * The list is built on first use and cached in self::$skipFields.
 *
 * @return array<string> list of field names
 */
public static function getSkipFields() {
  if (self::$skipFields !== NULL) {
    return self::$skipFields;
  }

  $skip = array(
    'widget_code',
    'html_message',
    'body_html',
    'msg_html',
    'description',
    'intro',
    'thankyou_text',
    'tf_thankyou_text',
    'intro_text',
    'page_text',
    'body_text',
    'footer_text',
    'thankyou_footer',
    'thankyou_footer_text',
    'new_text',
    'renewal_text',
    'help_pre',
    'help_post',
    'confirm_title',
    'confirm_text',
    'confirm_footer_text',
    'confirm_email_text',
    'event_full_text',
    'waitlist_text',
    'approval_req_text',
    'report_header',
    'report_footer',
    'cc_id',
    'bcc_id',
    'premiums_intro_text',
    'honor_block_text',
    'pay_later_receipt',
    'label',
    'url',
    'details',
    'msg_text',
    'text_message',
    'data',
    'sqlQuery',
    'pcp_title',
    'pcp_intro_text',
  );

  self::$skipFields = $skip;
  return $skip;
}
/**
 * Returns 'safe' elements' values
 *
 * Unlike getSubmitValues(), this will return only the values
 * corresponding to the elements present in the form.
 *
 * Exported values are run through CRM_Core_HTMLInputCoder::encodeInput()
 * unless the field is on the coder's skip list. Note the two branches apply
 * that rule differently: with no element list only 'text'/'textarea' elements
 * are encoded, whereas an explicit element list is encoded regardless of
 * element type.
 *
 * @param mixed Array/string of element names, whose values we want. If not set then return all elements.
 * @access public
 * @return array An assoc array of elements' values
 * @throws HTML_QuickForm_Error
 */
function exportValues($elementList = null) {
  $values = array();

  if (null === $elementList) {
    // No explicit list: let every registered element export itself.
    foreach (array_keys($this->_elements) as $key) {
      $value = $this->_elements[$key]->exportValue($this->_submitValues, true);

      $fldName = null;
      if (isset($this->_elements[$key]->_attributes['name'])) {
        $fldName = $this->_elements[$key]->_attributes['name'];
      }

      // Encode only free-text inputs, and only when the field is not skip-listed.
      $isFreeText = in_array($this->_elements[$key]->_type, array('text', 'textarea'));
      if ($isFreeText && !CRM_Core_HTMLInputCoder::isSkippedField($fldName)) {
        // $value may be a scalar or an array; encodeInput() updates it in place.
        CRM_Core_HTMLInputCoder::encodeInput($value);
      }

      if (is_array($value)) {
        // arrayMerge() emits a spurious warning on PHP 4.3.x
        $values = HTML_QuickForm::arrayMerge($values, $value);
      }
    }
  }
  else {
    // Accept either an array of names or a comma-separated string.
    if (!is_array($elementList)) {
      $elementList = array_map('trim', explode(',', $elementList));
    }

    foreach ($elementList as $elementName) {
      $value = $this->exportValue($elementName);

      // Named exports are encoded whatever the element type, unless skip-listed.
      if (!CRM_Core_HTMLInputCoder::isSkippedField($elementName)) {
        CRM_Core_HTMLInputCoder::encodeInput($value);
      }

      // An error object from exportValue() is returned as-is (after having
      // passed through encodeInput() above).
      if (PEAR::isError($value)) {
        return $value;
      }

      $values[$elementName] = $value;
    }
  }

  return $values;
}
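/**
 * Dispatch an API call through the v2/v3 request pipeline.
 *
 * Builds an $apiRequest array (entity, action, version, params, extra, plus
 * the handler details returned by _civicrm_api_resolve()), runs the
 * permission check (v3+ only), alias swapping, default filling and
 * mandatory-field verification, invokes the handler and applies the
 * registered wrappers on input and output. Any exception is converted into
 * an API error array, and a transaction opened for a create/delete action is
 * rolled back.
 *
 * @param string $entity API entity name; munged before use.
 * @param string $action API action name; munged before use.
 * @param array $params Request parameters; must be an array.
 * @param mixed $extra Optional second argument forwarded to non-generic handlers.
 *
 * @return mixed The handler's result (usually an array) or an error array.
 *   With params['format.is_success'] == 1 the return is 1/0 instead; with
 *   params['format.only_id'] set and an 'id' in the result, that id.
 */
function civicrm_api($entity, $action, $params, $extra = NULL) {
  $apiWrappers = array(CRM_Core_HTMLInputCoder::singleton());

  // Initialised before the try so every catch block can read them, even when
  // the exception was raised before the request was fully built.
  $apiRequest = array();
  $tx = NULL;

  try {
    require_once 'api/v3/utils.php';
    require_once 'api/Exception.php';
    if (!is_array($params)) {
      throw new API_Exception('Input variable `params` is not an array', 2000);
    }
    _civicrm_api3_initialize();
    // Held for the duration of the call; presumably the scope object restores
    // the previous error mode when it goes out of scope.
    $errorScope = CRM_Core_TemporaryErrorScope::useException();
    require_once 'CRM/Utils/String.php';
    require_once 'CRM/Utils/Array.php';

    $apiRequest['entity'] = CRM_Utils_String::munge($entity);
    $apiRequest['action'] = CRM_Utils_String::munge($action);
    $apiRequest['version'] = civicrm_get_api_version($params);
    $apiRequest['params'] = $params;
    $apiRequest['extra'] = $extra;
    // look up function, file, is_generic
    $apiRequest += _civicrm_api_resolve($apiRequest);

    // Only create/delete run inside a transaction; the flag and the
    // transaction object are what the catch blocks use to roll back.
    $lcAction = strtolower($action);
    if ($lcAction == 'create' || $lcAction == 'delete') {
      $apiRequest['is_transactional'] = 1;
      $tx = new CRM_Core_Transaction();
    }

    $errorFnName = $apiRequest['version'] == 2 ? 'civicrm_create_error' : 'civicrm_api3_create_error';

    // Permission enforcement at this layer applies to v3+ requests only.
    if ($apiRequest['version'] > 2) {
      _civicrm_api3_api_check_permission($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
    }

    // Swap aliases out first so the default/mandatory-field handling below
    // presumably sees canonical field names.
    _civicrm_api3_swap_out_aliases($apiRequest);

    if ($lcAction != 'getfields') {
      if (!CRM_Utils_Array::value('id', $params)) {
        $apiRequest['params'] = array_merge(_civicrm_api3_getdefaults($apiRequest), $apiRequest['params']);
      }
      //if 'id' is set then only 'version' will be checked but should still be checked for consistency
      civicrm_api3_verify_mandatory($apiRequest['params'], NULL, _civicrm_api3_getrequired($apiRequest));
    }

    foreach ($apiWrappers as $apiWrapper) {
      $apiRequest = $apiWrapper->fromApiInput($apiRequest);
    }

    $function = $apiRequest['function'];
    if ($apiRequest['function'] && $apiRequest['is_generic']) {
      // Unlike normal API implementations, generic implementations require explicit
      // knowledge of the entity and action (as well as $params). Bundle up these bits
      // into a convenient data structure.
      $result = $function($apiRequest);
    }
    elseif ($apiRequest['function'] && !$apiRequest['is_generic']) {
      _civicrm_api3_validate_fields($apiRequest['entity'], $apiRequest['action'], $apiRequest['params']);
      $result = isset($extra) ? $function($apiRequest['params'], $extra) : $function($apiRequest['params']);
    }
    else {
      return $errorFnName("API (" . $apiRequest['entity'] . "," . $apiRequest['action'] . ") does not exist (join the API team and implement it!)");
    }

    foreach ($apiWrappers as $apiWrapper) {
      $result = $apiWrapper->toApiOutput($apiRequest, $result);
    }

    if (CRM_Utils_Array::value('format.is_success', $apiRequest['params']) == 1) {
      return $result['is_error'] === 0 ? 1 : 0;
    }
    if (CRM_Utils_Array::value('format.only_id', $apiRequest['params']) && isset($result['id'])) {
      return $result['id'];
    }
    if (CRM_Utils_Array::value('is_error', $result, 0) == 0) {
      _civicrm_api_call_nested_api($apiRequest['params'], $result, $apiRequest['action'], $apiRequest['entity'], $apiRequest['version']);
    }
    if (CRM_Utils_Array::value('format.smarty', $apiRequest['params']) || CRM_Utils_Array::value('format_smarty', $apiRequest['params'])) {
      // Smarty formatting is accepted but currently a no-op.
      // return _civicrm_api_parse_result_through_smarty($result,$apiRequest['params']);
    }
    // Profiling data is only attached when explicitly requested via debug=1.
    if (function_exists('xdebug_time_index') && CRM_Utils_Array::value('debug', $apiRequest['params']) && is_array($result)) {
      $result['xdebug']['peakMemory'] = xdebug_peak_memory_usage();
      $result['xdebug']['memory'] = xdebug_memory_usage();
      $result['xdebug']['timeIndex'] = xdebug_time_index();
    }
    return $result;
  }
  catch (PEAR_Exception $e) {
    $errParams = CRM_Utils_Array::value('params', $apiRequest, array());
    if (CRM_Utils_Array::value('format.is_success', $errParams) == 1) {
      return 0;
    }
    $data = array();
    $err = civicrm_api3_create_error($e->getMessage(), $data, $apiRequest);
    // The stack trace is exposed only when the caller asked for debug output.
    if (CRM_Utils_Array::value('debug', $errParams)) {
      $err['trace'] = $e->getTraceSafe();
    }
    else {
      $err['tip'] = "add debug=1 to your API call to have more info about the error";
    }
    _civicrm_api_rollback_on_failure($apiRequest, $tx);
    return $err;
  }
  catch (API_Exception $e) {
    $errParams = CRM_Utils_Array::value('params', $apiRequest, array());
    if (CRM_Utils_Array::value('format.is_success', $errParams) == 1) {
      return 0;
    }
    $data = $e->getExtraParams();
    $err = civicrm_api3_create_error($e->getMessage(), $data, $apiRequest, $e->getCode());
    if (CRM_Utils_Array::value('debug', $errParams)) {
      $err['trace'] = $e->getTraceAsString();
    }
    // 'is_transactional' lives on $apiRequest itself, not in its params;
    // reading it from params meant API_Exceptions never rolled back.
    _civicrm_api_rollback_on_failure($apiRequest, $tx);
    return $err;
  }
  catch (Exception $e) {
    $errParams = CRM_Utils_Array::value('params', $apiRequest, array());
    if (CRM_Utils_Array::value('format.is_success', $errParams) == 1) {
      return 0;
    }
    $data = array();
    $err = civicrm_api3_create_error($e->getMessage(), $data, $apiRequest, $e->getCode());
    if (CRM_Utils_Array::value('debug', $errParams)) {
      $err['trace'] = $e->getTraceAsString();
    }
    _civicrm_api_rollback_on_failure($apiRequest, $tx);
    return $err;
  }
}

/**
 * Roll back the transaction opened for a create/delete request, if one exists.
 *
 * @param array $apiRequest The request being processed; 'is_transactional'
 *   marks requests for which a transaction was opened.
 * @param CRM_Core_Transaction|null $tx The transaction opened for the request,
 *   or NULL when none was opened (or the open itself failed).
 */
function _civicrm_api_rollback_on_failure($apiRequest, $tx) {
  if ($tx !== NULL && CRM_Utils_Array::value('is_transactional', $apiRequest)) {
    $tx->rollback();
  }
}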