/**
 * Returns the raw page content with all HTML tags removed.
 *
 * The result is memoized on the object, so repeated calls during a single
 * page check do not re-run the filter.
 *
 * @return string
 *   The raw content passed through Xss::filter() with no tags allowed.
 */
protected function getTextContent() {
  if (isset($this->plainTextContent)) {
    return $this->plainTextContent;
  }
  // An empty allowed-tag list means no tag survives the filter.
  $this->plainTextContent = Xss::filter($this->getRawContent(), array());
  return $this->plainTextContent;
}
/**
 * Tests the integration.
 *
 * Logs three watchdog entries (zero, one and two placeholders) through the
 * logger factory, then checks that the dblog view renders the message field
 * with placeholders substituted and the link field admin-XSS-filtered, and
 * that disabling 'replace_variables' leaves the raw message untouched.
 */
public function testIntegration() {
  // Remove the watchdog entries added by the potential batch process.
  $this->container->get('database')->truncate('watchdog')->execute();
  $entries = array();
  // Setup a watchdog entry without tokens.
  $entries[] = array('message' => $this->randomMachineName(), 'variables' => array('link' => \Drupal::l('Link', new Url('<front>'))));
  // Setup a watchdog entry with one token.
  $entries[] = array('message' => '@token1', 'variables' => array('@token1' => $this->randomMachineName(), 'link' => \Drupal::l('Link', new Url('<front>'))));
  // Setup a watchdog entry with two tokens.
  // The link text carries an <object> tag, presumably to exercise the
  // admin XSS filtering asserted on the link field below — confirm.
  $entries[] = array('message' => '@token1 !token2', 'variables' => array('@token1' => $this->randomMachineName(), '!token2' => $this->randomMachineName(), 'link' => \Drupal::l(SafeMarkup::set('<object>Link</object>'), new Url('<front>'))));
  $logger_factory = $this->container->get('logger.factory');
  foreach ($entries as $entry) {
    // Every entry is logged under the same channel and severity.
    $entry += array('type' => 'test-views', 'severity' => RfcLogLevel::NOTICE);
    $logger_factory->get($entry['type'])->log($entry['severity'], $entry['message'], $entry['variables']);
  }
  $view = Views::getView('test_dblog');
  $this->executeView($view);
  $view->initStyle();
  foreach ($entries as $index => $entry) {
    // Expected message: placeholders substituted by SafeMarkup::format();
    // expected link: the stored link HTML after Xss::filterAdmin().
    $this->assertEqual($view->style_plugin->getField($index, 'message'), SafeMarkup::format($entry['message'], $entry['variables']));
    $this->assertEqual($view->style_plugin->getField($index, 'link'), Xss::filterAdmin($entry['variables']['link']));
  }
  // Disable replacing variables and check that the tokens aren't replaced.
  $view->destroy();
  $view->storage->invalidateCaches();
  $view->initHandlers();
  $this->executeView($view);
  $view->initStyle();
  $view->field['message']->options['replace_variables'] = FALSE;
  foreach ($entries as $index => $entry) {
    $this->assertEqual($view->style_plugin->getField($index, 'message'), $entry['message']);
  }
}
/**
 * Turns 403 Access Denied kernel exceptions into a redirect.
 *
 * Anonymous visitors are sent to the configured login route, optionally
 * after a configured status message; authenticated users are sent to the
 * configured fallback path when one is set. The requested path is kept as
 * the destination query parameter so the user can be returned afterwards.
 *
 * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
 *   The kernel exception event to process.
 */
public function onKernelException(GetResponseEvent $event) {
  if (!($event->getException() instanceof AccessDeniedHttpException)) {
    return;
  }
  $settings = $this->configFactory->get('r4032login.settings');
  $status_code = $settings->get('default_redirect_code');
  // Preserve the originally requested path as ?destination.
  $url_options = array(
    'query' => $this->redirectDestination->getAsArray(),
    'absolute' => TRUE,
  );

  if (!$this->currentUser->isAnonymous()) {
    // Authenticated users are only redirected when an alternative page is
    // configured; otherwise the 403 response is left as is.
    $target = $settings->get('redirect_authenticated_users_to');
    if ($target) {
      // $target is module configuration, not request input.
      $target_url = Url::fromUserInput($target, $url_options)->toString();
      $event->setResponse(new RedirectResponse($target_url, $status_code));
    }
    return;
  }

  if ($settings->get('display_denied_message')) {
    // The message text is administrator-configured, hence filterAdmin().
    $denied_message = Xss::filterAdmin($settings->get('access_denied_message'));
    drupal_set_message($denied_message, $settings->get('access_denied_message_type'));
  }
  // Send anonymous users to the configured login route.
  $login_url = Url::fromRoute($settings->get('user_login_route'), array(), $url_options)->toString();
  $event->setResponse(new RedirectResponse($login_url, $status_code));
}
/**
 * Overrides \Drupal\views\Plugin\views\style\StylePluginBase\StylePluginBase::render().
 *
 * Renders each result row with the row plugin and returns the rendered,
 * whitespace-collapsed, admin-XSS-filtered strings keyed by the value of the
 * display's base field. In live preview the parent implementation is used.
 *
 * @return array
 *   Rendered row output keyed by base field value.
 */
public function render() {
  if (!empty($this->view->live_preview)) {
    return parent::render();
  }
  // Respect the grouping option even though group labels are not emitted.
  $grouped_rows = $this->renderGrouping($this->view->result, $this->options['grouping']);
  // Alias of the 'id' field added by entity_reference_plugin_display.
  $key_alias = $this->view->storage->get('base_field');
  // @todo Grouping information is dropped; it could be useful for a select
  //   widget.
  $rendered = array();
  $this->view->row_index = 0;
  foreach ($grouped_rows as $rows) {
    foreach ($rows as $row) {
      $row_build = $this->view->rowPlugin->render($row);
      $markup = drupal_render($row_build);
      // Collapse newlines and runs of whitespace so each option is one line,
      // then sanitize with the admin tag list.
      $markup = str_replace("\n", '', $markup);
      $markup = preg_replace('/\\s\\s+/', ' ', $markup);
      $rendered[$row->{$key_alias}] = Xss::filterAdmin($markup);
      $this->view->row_index++;
    }
  }
  unset($this->view->row_index);
  return $rendered;
}
/**
 * Tests the integration.
 *
 * Logs three watchdog entries (zero, one and two placeholders) with
 * watchdog(), then checks that the dblog view renders the message field with
 * placeholders substituted and the link field admin-XSS-filtered, and that
 * disabling 'replace_variables' leaves the raw message untouched.
 */
public function testIntegration() {
  // Remove the watchdog entries added by the potential batch process.
  $this->container->get('database')->truncate('watchdog')->execute();
  $entries = array();
  // Setup a watchdog entry without tokens.
  $entries[] = array('message' => $this->randomMachineName(), 'variables' => array(), 'link' => l('Link', 'node/1'));
  // Setup a watchdog entry with one token.
  $entries[] = array('message' => '@token1', 'variables' => array('@token1' => $this->randomMachineName()), 'link' => l('Link', 'node/2'));
  // Setup a watchdog entry with two tokens.
  // The link text carries an <object> tag and is passed with 'html' => TRUE,
  // presumably to exercise the Xss::filterAdmin() assertion below — confirm.
  $entries[] = array('message' => '@token1 !token2', 'variables' => array('@token1' => $this->randomMachineName(), '!token2' => $this->randomMachineName()), 'link' => l('<object>Link</object>', 'node/2', array('html' => TRUE)));
  foreach ($entries as $entry) {
    // Every entry is logged under the same type and severity.
    $entry += array('type' => 'test-views', 'severity' => WATCHDOG_NOTICE);
    watchdog($entry['type'], $entry['message'], $entry['variables'], $entry['severity'], $entry['link']);
  }
  $view = Views::getView('test_dblog');
  $this->executeView($view);
  $view->initStyle();
  foreach ($entries as $index => $entry) {
    // Expected message: placeholders substituted by String::format();
    // expected link: the stored link HTML after Xss::filterAdmin().
    $this->assertEqual($view->style_plugin->getField($index, 'message'), String::format($entry['message'], $entry['variables']));
    $this->assertEqual($view->style_plugin->getField($index, 'link'), Xss::filterAdmin($entry['link']));
  }
  // Disable replacing variables and check that the tokens aren't replaced.
  $view->destroy();
  $view->initHandlers();
  $this->executeView($view);
  $view->initStyle();
  $view->field['message']->options['replace_variables'] = FALSE;
  foreach ($entries as $index => $entry) {
    $this->assertEqual($view->style_plugin->getField($index, 'message'), $entry['message']);
  }
}
/**
 * {@inheritdoc}
 */
public function completeSale($order, $login = FALSE) {
  // Empty that cart...
  $this->emptyCart();

  // Reload the order from the database, bypassing the entity cache.
  // @todo Remove this once uc_payment_enter() can modify order objects?
  // @todo Should we be overwriting $order with this newly-loaded db_order?
  $stored_order = $this->entityManager()->getStorage('uc_order')->loadUnchanged($order->id());
  $order->data = $stored_order->data;

  // A set complete_sale value means account handling, the status move and
  // the completion hooks already ran for this order; run them only once.
  // NOTE(review): presumably completeSaleAccount() sets complete_sale — confirm.
  if (empty($order->data->complete_sale)) {
    $this->completeSaleAccount($order);
    // Move an order's status from "In checkout" to "Pending".
    if ($order->getStateId() == 'in_checkout') {
      $order->setStatusId(uc_order_state_default('post_checkout'));
    }
    $order->save();
    // Invoke the checkout complete trigger and hook.
    $buyer = $order->getUser();
    $this->moduleHandler()->invokeAll('uc_checkout_complete', array($order, $buyer));
    // rules_invoke_event('uc_checkout_complete', $order);
  }

  $message_key = $order->data->complete_sale;
  // Log in new users, if requested.
  if ($login && $message_key == 'new_user' && $this->currentUser()->isAnonymous()) {
    $message_key = 'new_user_logged_in';
    user_login_finalize($order->getUser());
  }

  $template = $this->config('uc_cart.messages')->get($message_key);
  $message = \Drupal::token()->replace($template, array('uc_order' => $order));
  // NOTE(review): $order->password (presumably the generated plain-text
  // password) is substituted into the message and therefore rendered on the
  // completion page — confirm this exposure is intended.
  $replacements = array(
    '!new_username' => isset($order->data->new_user_name) ? $order->data->new_user_name : '',
    '!new_password' => isset($order->password) ? $order->password : t('Your password'),
  );
  $message = strtr($message, $replacements);

  return array(
    '#theme' => 'uc_cart_complete_sale',
    // Message text is admin-configured (with substitutions), hence filterAdmin().
    '#message' => Xss::filterAdmin($message),
    '#order' => $order,
  );
}
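/**
 * Determines if a string of text is considered "simple".
 *
 * A string is "simple" when Xss::filter() with $allowed_tags leaves it
 * unchanged (unless tag checking is disabled) and, unless length checking is
 * disabled, the byte length of its tag-stripped form does not exceed $length.
 *
 * Verdicts are memoized via drupal_static() per combination of string,
 * $length and $allowed_tags, so the same string checked with different
 * criteria does not share a cached result.
 *
 * @param string $string
 *   The string of text to check "simple" criteria on. Objects are cast to
 *   string.
 * @param int|FALSE $length
 *   The maximum length, in bytes (strlen()), of the tag-stripped string for
 *   it to be considered "simple". Set explicitly to FALSE to disable this
 *   criteria.
 * @param array|FALSE $allowed_tags
 *   An array of allowed tag elements passed to Xss::filter(). Set explicitly
 *   to FALSE to disable this criteria.
 * @param bool $html
 *   A variable, passed by reference, set to TRUE when the filtered string
 *   differs from its tag-stripped form (i.e. it contains HTML). It is set on
 *   cached results too, and left untouched when $allowed_tags is FALSE.
 *
 * @return bool
 *   Returns TRUE if the $string is considered "simple", FALSE otherwise.
 */
public static function isSimple($string, $length = 250, $allowed_tags = NULL, &$html = FALSE) {
  // Typecast to a string (if an object).
  $string_clone = (string) $string;
  // Use the advanced drupal_static() pattern.
  static $drupal_static_fast;
  if (!isset($drupal_static_fast)) {
    $drupal_static_fast['strings'] =& drupal_static(__METHOD__);
  }
  $strings =& $drupal_static_fast['strings'];
  // Key the cache by every argument that influences the verdict, not just
  // the string; otherwise a later call with a different $length or tag list
  // would reuse a verdict computed under other criteria.
  $variant = serialize(array($length, $allowed_tags));
  if (!isset($strings[$string_clone][$variant])) {
    $plain_string = strip_tags($string_clone);
    $simple = TRUE;
    // NULL records that the HTML check was skipped, so $html is left alone.
    $contains_html = NULL;
    if ($allowed_tags !== FALSE) {
      $filtered_string = Xss::filter($string_clone, $allowed_tags);
      $contains_html = $filtered_string !== $plain_string;
      $simple = $simple && $string_clone === $filtered_string;
    }
    if ($length !== FALSE) {
      // strlen() counts bytes, so multibyte text counts more than its
      // character count.
      $simple = $simple && strlen($plain_string) <= intval($length);
    }
    $strings[$string_clone][$variant] = array(
      'simple' => $simple,
      'html' => $contains_html,
    );
  }
  $cached = $strings[$string_clone][$variant];
  // Report the HTML verdict on cache hits as well, not only on first use.
  if ($cached['html'] !== NULL) {
    $html = $cached['html'];
  }
  return $cached['simple'];
}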
/**
 * {@inheritdoc}
 */
public function build() {
  $this->view->display_handler->preBlockBuild($this);
  // Render caching is left to the block layer: FALSE asks
  // ViewExecutable::buildRenderable() not to add its own cache entry.
  $build = $this->view->buildRenderable($this->displayID, [], FALSE);
  if (!$build) {
    return array();
  }
  // Use the view's dynamic title unless a block label override is set; the
  // title is rendered as markup restricted to Xss::getHtmlTagList().
  if (empty($this->configuration['views_label']) && $this->view->getTitle()) {
    $build['#title'] = [
      '#markup' => $this->view->getTitle(),
      '#allowed_tags' => Xss::getHtmlTagList(),
    ];
  }
  // Attach contextual links before handing the array back.
  $this->addContextualLinks($build);
  // The block system expects a final render array without a pending
  // top-level #pre_render, so apply Views' callback now.
  $build = View::preRenderViewElement($build);
  // An empty view_build means the view renders to nothing; keep only #cache
  // so the render system still learns the cache contexts and tags that
  // explain why the block is empty.
  if (empty($build['view_build'])) {
    $build = ['#cache' => $build['#cache']];
  }
  return $build;
}
/**
 * {@inheritdoc}
 */
public function buildRow(EntityInterface $entity) {
  $row = array(
    'title' => array(
      'data' => $this->getLabel($entity),
      'class' => array('menu-label'),
    ),
    // Descriptions are administrator-entered; allow the admin tag list only.
    'description' => Xss::filterAdmin($entity->description),
  );
  return $row + parent::buildRow($entity);
}
/**
 * {@inheritdoc}
 */
public function process($text, $langcode) {
  // Collect the tags the restrictions enable: an entry counts when it is an
  // attribute array or a truthy flag.
  $enabled_tags = array();
  foreach ($this->settings['restrictions']['allowed'] as $tag => $setting) {
    if (is_array($setting) || (bool) $setting) {
      $enabled_tags[] = $tag;
    }
  }
  return new FilterProcessResult(Xss::filter($text, $enabled_tags));
}
/**
 * {@inheritdoc}
 */
public function execute($entity = NULL) {
  // Default the 'node' token context to the entity the action runs on.
  if (empty($this->configuration['node'])) {
    $this->configuration['node'] = $entity;
  }
  // The configured message is admin-XSS-filtered first and tokens are
  // replaced afterwards, so whatever a token expands to does not pass
  // through Xss::filterAdmin() here. NOTE(review): presumably relies on
  // token providers returning already-sanitized values — confirm.
  $filtered_template = Xss::filterAdmin($this->configuration['message']);
  drupal_set_message($this->token->replace($filtered_template, $this->configuration));
}
/**
 * Returns the array of recipient handler labels.
 *
 * @return array
 *   Handler titles, filtered with Xss::filter()'s default tag list, keyed by
 *   handler plugin ID.
 *
 * @todo documentation
 */
public function getOptions() {
  $labels = array();
  foreach ($this->getDefinitions() as $handler_id => $definition) {
    $labels[$handler_id] = Xss::filter($definition['title']);
  }
  return $labels;
}
/**
 * Returns the raw page content with the head section and all tags removed.
 *
 * The result is memoized on the object.
 *
 * @return string
 *   The raw content, minus everything between <head> and </head>, passed
 *   through Xss::filter() with no tags allowed.
 */
protected function getTextContent() {
  if (!isset($this->plainTextContent)) {
    // Drop the head section so its contents are not treated as page text.
    // Only a bare <head> tag is matched; a <head> with attributes is not.
    $without_head = preg_replace('@<head>(.+?)</head>@si', '', $this->getRawContent());
    $this->plainTextContent = Xss::filter($without_head, array());
  }
  return $this->plainTextContent;
}
/**
 * Tests execution order of hook_form_alter() and hook_form_FORM_ID_alter().
 *
 * The page output is tag-stripped and whitespace-normalized before the
 * expected marker sequence is looked up as one contiguous string.
 */
function testExecutionOrder() {
  $this->drupalGet('form-test/alter');
  // Order is first by module, then for a given module the id-specific hook
  // after the generic one.
  $expected_sequence = array(
    'block_form_form_test_alter_form_alter() executed.',
    'form_test_form_alter() executed.',
    'form_test_form_form_test_alter_form_alter() executed.',
    'system_form_form_test_alter_form_alter() executed.',
  );
  $page_text = Xss::filter($this->content, array());
  $page_text = preg_replace('/\\s+/', ' ', $page_text);
  $in_order = strpos($page_text, implode(' ', $expected_sequence)) !== FALSE;
  $this->assert($in_order, 'Form alter hooks executed in the expected order.');
}
/**
 * Ensure that custom field content is XSS filtered.
 *
 * A script tag is injected via the field's rewrite text and the rendered
 * field is expected to equal the Xss::filter()ed version of that text.
 */
public function testCustomFieldXss() {
  $view = Views::getView('test_view');
  $view->setDisplay();
  // Put a script tag into the field's rewrite text.
  $rewrite_text = '<script>alert("kittens")</script>';
  $view->displayHandlers->get('default')->overrideOption('fields', array(
    'name' => array(
      'id' => 'name',
      'table' => 'views_test_data',
      'field' => 'name',
      'relationship' => 'none',
      'alter' => array('text' => $rewrite_text),
    ),
  ));
  $this->executeView($view);
  // The rendered field must match the filtered text, i.e. the script tag
  // must not survive rendering.
  $this->assertEqual(Xss::filter($rewrite_text), $view->style_plugin->getField(0, 'name'));
}
/**
 * Writes administrator-entered custom CSS to the generated files directory.
 *
 * @param array $values
 *   Submitted theme settings; 'settings_custom_css' holds the CSS text.
 * @param string $generated_files_path
 *   Directory in which custom-css.css is written (replacing any existing file).
 */
function at_core_submit_custom_css($values, $generated_files_path) {
  $css = '';
  if (!empty($values['settings_custom_css'])) {
    // Xss::filter() targets HTML markup in the entered text; it is not a CSS
    // validator. NOTE(review): CSS-specific constructs are presumably not
    // addressed by it — confirm this fits the threat model for theme admins.
    $css = Xss::filter($values['settings_custom_css']);
  }
  $target_path = $generated_files_path . '/custom-css.css';
  // NOTE(review): file_unmanaged_save_data() returns FALSE on failure; the
  // result is not checked, so a failed write is silent.
  file_unmanaged_save_data($css, $target_path, FILE_EXISTS_REPLACE);
}
/**
 * {@inheritdoc}
 */
public function view(OrderInterface $order, array $form, FormStateInterface $form_state) {
  $settings = \Drupal::config('uc_quote.settings');
  $pane = [
    // Administrator-configured text; admin tag list allowed.
    '#description' => Xss::filterAdmin($settings->get('pane_description')),
  ];
  $pane['#attached']['library'][] = 'uc_quote/uc_quote.styles';
  $pane['uid'] = [
    '#type' => 'hidden',
    '#value' => \Drupal::currentUser()->id(),
  ];
  $pane['quote_button'] = [
    '#type' => 'submit',
    '#value' => t('Click to calculate shipping'),
    '#submit' => [[$this, 'paneSubmit']],
    '#weight' => 0,
    '#ajax' => [
      'effect' => 'slide',
      'progress' => [
        'type' => 'bar',
        'message' => t('Receiving quotes...'),
      ],
    ],
    '#limit_validation_errors' => [],
  ];
  $pane['quotes'] = [
    '#tree' => TRUE,
    '#prefix' => '<div id="quote">',
    '#suffix' => '</div>',
    '#weight' => 1,
  ];
  $pane['quotes'] += $order->quote_form;
  // Register the panes refreshed via AJAX when the button is pressed or a
  // quote option changes.
  $refresh_payment_and_quotes = [
    'payment-pane' => 'uc_ajax_replace_checkout_pane',
    'quotes-pane' => 'uc_ajax_replace_checkout_pane',
  ];
  $form_state->set(['uc_ajax', 'uc_quote', 'panes][quotes][quote_button'], $refresh_payment_and_quotes);
  $form_state->set(['uc_ajax', 'uc_quote', 'panes][quotes][quotes][quote_option'], ['payment-pane' => 'uc_ajax_replace_checkout_pane']);
  return $pane;
}
/**
 * {@inheritdoc}
 */
public function process($text, $langcode) {
  $restrictions = $this->getHtmlRestrictions();
  // Tag filtering is delegated to the well-tested Xss::filter(). '*' is not
  // a tag, so it is removed before the allowed-tag list is built.
  unset($restrictions['allowed']['*']);
  $tag_filtered = Xss::filter($text, array_keys($restrictions['allowed']));
  // Attributes and attribute values are handled in a second pass.
  return new FilterProcessResult($this->filterAttributes($tag_filtered));
}
/**
 * Pre-processes variables for the "bootstrap_panel" theme hook.
 *
 * See template for list of available variables.
 *
 * Reads the render element in $variables['element'] and exposes attributes,
 * legend, description, collapse state and collapse target for the template.
 *
 * @param array $variables
 *   Theme variables, passed by reference; 'element' holds the render element.
 *
 * @see bootstrap-panel.html.twig
 *
 * @ingroup theme_preprocess
 */
function bootstrap_preprocess_bootstrap_panel(&$variables) {
  $element = $variables['element'];
  Element::setAttributes($element, array('id'));
  Element\RenderElement::setAttributes($element);
  $variables['attributes'] = $element['#attributes'];
  $variables['prefix'] = isset($element['#field_prefix']) ? $element['#field_prefix'] : NULL;
  $variables['suffix'] = isset($element['#field_suffix']) ? $element['#field_suffix'] : NULL;
  $variables['title_display'] = isset($element['#title_display']) ? $element['#title_display'] : NULL;
  $variables['children'] = $element['#children'];
  $variables['required'] = !empty($element['#required']) ? $element['#required'] : NULL;
  // The legend title is admin-XSS-filtered; note that $variables['title'],
  // set in the loop at the end, receives the unfiltered #title.
  $variables['legend']['title'] = !empty($element['#title']) ? Xss::filterAdmin($element['#title']) : '';
  $variables['legend']['attributes'] = new Attribute();
  $variables['legend_span']['attributes'] = new Attribute();
  if (!empty($element['#description'])) {
    // NOTE(review): $element['#attributes']['id'] is read without an isset()
    // guard; presumably setAttributes() above populates it when #id is set.
    $description_id = $element['#attributes']['id'] . '--description';
    $description_attributes['id'] = $description_id;
    $variables['description']['attributes'] = new Attribute($description_attributes);
    // Raw #description; escaping is presumably left to Twig autoescaping —
    // confirm the template does not mark it safe.
    $variables['description']['content'] = $element['#description'];
    // Add the description's id to the fieldset aria attributes.
    $variables['attributes']['aria-describedby'] = $description_id;
  }
  $variables['collapsible'] = FALSE;
  if (isset($element['#collapsible'])) {
    $variables['collapsible'] = $element['#collapsible'];
    $variables['attributes']['class'][] = 'collapsible';
  }
  $variables['collapsed'] = FALSE;
  if (isset($element['#collapsed'])) {
    $variables['collapsed'] = $element['#collapsed'];
  }
  // Force grouped fieldsets to not be collapsible (for vertical tabs).
  if (!empty($element['#group'])) {
    $variables['collapsible'] = FALSE;
    $variables['collapsed'] = FALSE;
  }
  // A collapsible panel needs an id for its collapse target.
  if (!isset($element['#id']) && $variables['collapsible']) {
    $element['#id'] = \Drupal\Component\Utility\Html::getUniqueId('bootstrap-panel');
  }
  $variables['target'] = NULL;
  if (isset($element['#id'])) {
    if (!isset($variables['attributes']['id'])) {
      $variables['attributes']['id'] = $element['#id'];
    }
    $variables['target'] = '#' . $element['#id'] . ' > .collapse';
  }
  // Iterate over optional variables.
  // NOTE(review): this overwrites the 'prefix' and 'suffix' values set above
  // (here sourced from #prefix/#suffix rather than #field_prefix/#field_suffix)
  // and replaces the 'description' array (attributes/content) built above with
  // the bare #description string or FALSE — confirm the template expects that.
  $keys = array('description', 'prefix', 'suffix', 'title', 'value');
  foreach ($keys as $key) {
    $variables[$key] = !empty($element["#{$key}"]) ? $element["#{$key}"] : FALSE;
  }
}
/**
 * Filters an HTML string to prevent XSS vulnerabilities.
 *
 * Like \Drupal\Component\Utility\Xss::filterAdmin(), but with a shorter list
 * of allowed tags.
 *
 * Used for items entered by administrators, like field descriptions, allowed
 * values, where some (mainly inline) mark-up may be desired (so
 * \Drupal\Component\Utility\SafeMarkup::checkPlain() is not acceptable).
 *
 * @param string $string
 *   The string with raw HTML in it.
 *
 * @return \Drupal\Component\Utility\SafeMarkup
 *   An XSS safe version of $string, or an empty string if $string is not
 *   valid UTF-8.
 */
public function fieldFilterXss($string) {
  // Xss::filter() removes the known XSS vectors; the trait's tag list is
  // allowed through intentionally.
  $filtered = Xss::filter($string, $this->allowedTags());
  // Html::normalize() only repairs well-formedness of the already filtered
  // markup, so it adds no new danger.
  $normalized = Html::normalize($filtered);
  // This is an internal step of field sanitization and its output is meant
  // to be printed as is, hence the safe designation.
  // @todo Free this memory in https://www.drupal.org/node/2505963.
  return SafeMarkup::set($normalized);
}
/**
 * {@inheritdoc}
 */
public function zen() {
  $principles = $this->principleManager->getAllPrinciples();
  if (count($principles) > 0) {
    // Pick one principle at random; its title is filtered before output.
    $chosen = $principles[array_rand($principles)];
    $heading = Xss::filter($chosen->title);
  }
  else {
    $heading = t('My mind is empty.');
  }
  $build = array(
    '#type' => 'markup',
    '#markup' => $heading,
  );
  return new Response(\Drupal::service('renderer')->renderRoot($build));
}
/**
 * {@inheritdoc}
 */
public function checkoutInfo(JobInterface $job) {
  $assignee_id = $job->getSetting('translator');
  if ($assignee_id && ($assignee = User::load($assignee_id))) {
    // %name is a t() placeholder, so the username is escaped on output.
    $status_markup = t('Translation job is assigned to %name.', array('%name' => $assignee->getUsername()));
  }
  else {
    $status_markup = t('Translation job is not assigned to any user.');
  }
  $form['job_status'] = array(
    '#type' => 'item',
    '#title' => t('Job status'),
    '#markup' => $status_markup,
  );
  if ($job->getSetting('job_comment')) {
    // Comments are free text; filter with the default tag list.
    $form['job_comment'] = array(
      '#type' => 'item',
      '#title' => t('Job comment'),
      '#markup' => Xss::filter($job->getSetting('job_comment')),
    );
  }
  return $form;
}
/**
 * {@inheritdoc}
 */
public function render(ResultRow $values) {
  $value = $this->getValue($values);
  if (!empty($this->options['not'])) {
    $value = !$value;
  }
  $format = $this->options['type'];
  if ($format == 'custom') {
    // Custom labels are admin-configured; admin-filter whichever is shown.
    $label = $value ? $this->options['type_custom_true'] : $this->options['type_custom_false'];
    return UtilityXss::filterAdmin($label);
  }
  // Unknown format types fall back to the yes/no pair.
  $pair = isset($this->formats[$format]) ? $this->formats[$format] : $this->formats['yes-no'];
  return $value ? $pair[0] : $pair[1];
}
/**
 * {@inheritdoc}
 */
public function buildRow(EntityInterface $entity) {
  /** @var \Drupal\eform\Entity\EFormType $entity */
  $row = array(
    'title' => array(
      'data' => $entity->getSubmitLink(),
      'class' => array('menu-label'),
    ),
    // @todo add getDescription to eform_type
    // Descriptions are administrator-entered; allow the admin tag list only.
    'description' => Xss::filterAdmin($entity->getDescription()),
  );
  $submissions_url = Url::fromRoute('entity.eform_type.submissions', ['eform_type' => $entity->id()]);
  $row += parent::buildRow($entity);
  // @todo Is there a better way to get the l function here?
  $row['submissions'] = \Drupal::l('Submissions', $submissions_url);
  return $row;
}
/**
 * {@inheritdoc}
 */
public function build() {
  $this->view->display_handler->preBlockBuild($this);
  $build = $this->view->executeDisplay($this->displayID);
  if (!$build) {
    return array();
  }
  // Use the view's dynamic title unless a block label override is set.
  if (empty($this->configuration['views_label']) && $this->view->getTitle()) {
    $build['#title'] = Xss::filterAdmin($this->view->getTitle());
  }
  // Convert to a renderable array with contextual links before returning.
  $this->addContextualLinks($build);
  return $build;
}
/**
 * Displays a list of product classes.
 *
 * @return array
 *   A table render array with one row per node type flagged as a product
 *   class, each with edit (and, when unlocked, delete) operations.
 */
public function classOverview() {
  $product_classes = \Drupal::entityManager()->getStorage('node_type')->loadByProperties(array('third_party_settings.uc_product.product' => TRUE));
  $rows = [];
  foreach ($product_classes as $product_class) {
    $return_here = array('destination' => 'admin/store/products/classes');
    $operations = [
      'edit' => array(
        'title' => $this->t('Edit'),
        'url' => Url::fromRoute('entity.node_type.edit_form', ['node_type' => $product_class->id()]),
        'query' => $return_here,
      ),
    ];
    // Locked classes cannot be deleted, so no delete operation is offered.
    if (!$product_class->isLocked()) {
      $operations['delete'] = array(
        'title' => $this->t('Delete'),
        'url' => Url::fromRoute('entity.node_type.delete_form', ['node_type' => $product_class->id()]),
        'query' => $return_here,
      );
    }
    $rows[] = array(
      // ID and label are plain text; the description may carry admin markup.
      SafeMarkup::checkPlain($product_class->id()),
      SafeMarkup::checkPlain($product_class->label()),
      Xss::filterAdmin($product_class->getDescription()),
      array('data' => array('#type' => 'operations', '#links' => $operations)),
    );
  }
  return array(
    '#theme' => 'table',
    '#header' => array($this->t('Class ID'), $this->t('Name'), $this->t('Description'), $this->t('Operations')),
    '#rows' => $rows,
    '#empty' => $this->t('No product classes have been defined yet.'),
  );
}
/**
 * {@inheritdoc}
 */
public function build() {
  $this->view->display_handler->preBlockBuild($this);
  // FALSE asks buildRenderable() not to create its own render cache entry.
  $build = $this->view->buildRenderable($this->displayID, [], FALSE);
  if (!$build) {
    return array();
  }
  // Use the view's dynamic title unless a block label override is set; the
  // title is rendered as markup restricted to Xss::getHtmlTagList().
  if (empty($this->configuration['views_label']) && $this->view->getTitle()) {
    $build['#title'] = [
      '#markup' => $this->view->getTitle(),
      '#allowed_tags' => Xss::getHtmlTagList(),
    ];
  }
  // Convert to a renderable array with contextual links before returning.
  $this->addContextualLinks($build);
  return $build;
}
/**
 * {@inheritdoc}
 */
public function render(ResultRow $values) {
  $value = $this->getValue($values);
  if (!empty($this->options['not'])) {
    $value = !$value;
  }
  $format = $this->options['type'];
  if ($format == 'custom') {
    // Custom labels are admin-configured: admin-filter the chosen one and
    // wrap it as render-pipeline markup.
    $label = $value ? $this->options['type_custom_true'] : $this->options['type_custom_false'];
    return ViewsRenderPipelineMarkup::create(UtilityXss::filterAdmin($label));
  }
  // Unknown format types fall back to the yes/no pair.
  $pair = isset($this->formats[$format]) ? $this->formats[$format] : $this->formats['yes-no'];
  return $value ? $pair[0] : $pair[1];
}
/**
 * {@inheritdoc}
 */
public function build() {
  $this->view->display_handler->preBlockBuild($this);
  // FALSE asks buildRenderable() not to create its own render cache entry.
  $build = $this->view->buildRenderable($this->displayID, [], FALSE);
  if (!$build) {
    return array();
  }
  // Use the view's dynamic title unless a block label override is set,
  // filtered against the admin tag list.
  if (empty($this->configuration['views_label']) && $this->view->getTitle()) {
    // @todo https://www.drupal.org/node/2527360 remove call to SafeMarkup.
    $build['#title'] = SafeMarkup::xssFilter($this->view->getTitle(), Xss::getAdminTagList());
  }
  // Convert to a renderable array with contextual links before returning.
  $this->addContextualLinks($build);
  return $build;
}
/**
 * Overrides \Drupal\views\Plugin\views\display\PathPluginBase::execute().
 *
 * Registers the view as the current page view, renders it, and adds an
 * admin-XSS-filtered #title to the render array when it has none.
 *
 * @return mixed
 *   The view's render output; a render array gains a '#title' key.
 */
public function execute() {
  parent::execute();
  // Let the world know that this is the page view we're using.
  views_set_page_view($this->view);
  // Render first so the title can use tokens computed during execution.
  $output = $this->view->render();
  // @todo Figure out how to support custom response objects. Maybe for pages
  //   it should be dropped.
  if (!is_array($output)) {
    return $output;
  }
  // Only set a title when the render array does not already carry one.
  $output += array('#title' => Xss::filterAdmin($this->view->getTitle()));
  return $output;
}