/**
 * Tests locale_string_is_safe() on a few representative inputs.
 *
 * Exercises plain text, markup the function accepts, markup its definition
 * treats as untrustable, and a token inside an href attribute, which must
 * not trip the check.
 */
public function testLocaleStringIsSafe() {
  // Each case is array(input, expected verdict).
  $cases = array(
    // Plain text without any markup.
    array('Hello world!', TRUE),
    // Markup locale_string_is_safe() treats as trustable.
    array('Hello <strong>world</strong>!', TRUE),
    // Markup the function definition treats as untrustable (an <img> tag).
    array('Hello <img src="world.png" alt="world" />!', FALSE),
    // A token inside an href attribute must still be accepted.
    array('Hi <a href="[current-user:url]">user</a>', TRUE),
  );
  // NOTE(review): nothing here exercises script tags, event-handler attributes
  // or a javascript: href; worth adding once the expected verdicts are
  // confirmed against the function's definition.
  foreach ($cases as $case) {
    list($input, $expected) = $case;
    $verdict = locale_string_is_safe($input);
    if ($expected) {
      $this->assertTrue($verdict);
    }
    else {
      $this->assertFalse($verdict);
    }
  }
}
/**
 * Imports one string into the database.
 *
 * A non-empty translation is run through locale_string_is_safe() before
 * anything is written; one that fails the check is logged and skipped so
 * disallowed or malformed HTML never reaches locale storage. An empty
 * translation removes the existing translation when the overwrite options
 * allow it.
 *
 * @param \Drupal\Component\Gettext\PoItem $item
 *   The item being imported.
 *
 * @return int
 *   The string ID of the existing string modified or the new string added;
 *   0 when the translation was skipped as unsafe. Nothing is returned when
 *   the translation is empty and no existing translation qualifies for
 *   deletion.
 */
private function importString(PoItem $item) {
  // Default both overwrite flags to FALSE when the caller left them unset.
  $this->options['overwrite_options'] += array('not_customized' => FALSE, 'customized' => FALSE);
  $overwrite = $this->options['overwrite_options'];
  $customized = $this->options['customized'];

  $context = $item->getContext();
  $source = $item->getSource();
  $translation = $item->getTranslation();

  $storage = \Drupal::service('locale.storage');
  // Existing translation for this source/context in the target language, or
  // FALSE when the lookup returned nothing.
  $found = $storage->getTranslations(array(
    'language' => $this->langcode,
    'source' => $source,
    'context' => $context,
  ));
  $existing = reset($found);

  // NOTE(review): empty() also treats the literal translation "0" as empty,
  // which sends it down the delete path; confirm that is intended before
  // tightening this to a strict string comparison.
  if (empty($translation)) {
    // Empty translation: remove the existing one, but only if instructed.
    if ($existing && !$existing->isNew() && $overwrite[$existing->customized ? 'customized' : 'not_customized']) {
      $existing->delete();
      $this->report['deletes']++;
      $this->report['strings'][] = $existing->lid;
      return $existing->lid;
    }
    return;
  }

  // Refuse to store anything that fails the HTML safety check. The value is
  // passed to the logger via a placeholder rather than interpolated.
  if (!locale_string_is_safe($translation)) {
    \Drupal::logger('locale')->error('Import of string "%string" was skipped because of disallowed or malformed HTML.', array('%string' => $translation));
    $this->report['skips']++;
    return 0;
  }

  if (!$existing) {
    // No such source string in the database yet: create both the source
    // string and its translation.
    $created = $storage->createString(array('source' => $source, 'context' => $context))->save();
    $storage->createTranslation(array(
      'lid' => $created->getId(),
      'language' => $this->langcode,
      'translation' => $translation,
      'customized' => $customized,
    ))->save();
    $this->report['additions']++;
    $this->report['strings'][] = $created->getId();
    return $created->lid;
  }

  $existing->setString($translation);
  if ($existing->isNew()) {
    // Source string exists but has no translation in this language yet.
    $existing->setValues(array('language' => $this->langcode, 'customized' => $customized));
    $existing->save();
    $this->report['additions']++;
  }
  elseif ($overwrite[$existing->customized ? 'customized' : 'not_customized']) {
    // Translation exists; overwrite only when the options allow it.
    $existing->customized = $customized;
    $existing->save();
    $this->report['updates']++;
  }
  $this->report['strings'][] = $existing->getId();
  return $existing->lid;
}
/**
 * {@inheritdoc}
 *
 * Rejects any submitted translation that fails locale_string_is_safe(), so
 * disallowed HTML is stopped at the form boundary instead of being stored.
 * A rejected value is flagged on both the per-string and the per-language
 * form element and logged as a warning; in every case it is handed over
 * through the %string placeholder, never interpolated into the message.
 */
public function validateForm(array &$form, FormStateInterface $form_state) {
  $langcode = $form_state->getValue('langcode');
  foreach ($form_state->getValue('strings') as $lid => $entry) {
    foreach ($entry['translations'] as $delta => $submitted) {
      if (locale_string_is_safe($submitted)) {
        continue;
      }
      $args = array('%string' => $submitted);
      $form_state->setErrorByName("strings][{$lid}][translations][{$delta}", $this->t('The submitted string contains disallowed HTML: %string', $args));
      $form_state->setErrorByName("translations][{$langcode}][{$delta}", $this->t('The submitted string contains disallowed HTML: %string', $args));
      $this->logger('locale')->warning('Attempted submission of a translation string with disallowed HTML: %string', $args);
    }
  }
}
/**
 * {@inheritdoc}
 *
 * Rejects any submitted translation that fails locale_string_is_safe(), so
 * disallowed HTML is stopped at the form boundary instead of being stored.
 * A rejected value is flagged on both the per-string and the per-language
 * form element and logged to watchdog as a warning; in every case it is
 * handed over through the %string placeholder, never interpolated.
 */
public function validateForm(array &$form, array &$form_state) {
  $langcode = $form_state['values']['langcode'];
  foreach ($form_state['values']['strings'] as $lid => $entry) {
    foreach ($entry['translations'] as $delta => $submitted) {
      if (locale_string_is_safe($submitted)) {
        continue;
      }
      $args = array('%string' => $submitted);
      $this->setFormError("strings][{$lid}][translations][{$delta}", $form_state, $this->t('The submitted string contains disallowed HTML: %string', $args));
      $this->setFormError("translations][{$langcode}][{$delta}", $form_state, $this->t('The submitted string contains disallowed HTML: %string', $args));
      watchdog('locale', 'Attempted submission of a translation string with disallowed HTML: %string', $args, WATCHDOG_WARNING);
    }
  }
}