/** * Sets a header. * @param string * @param string|array value or pair email => name * @param bool * @return self */ public function setHeader($name, $value, $append = FALSE) { if (!$name || preg_match('#[^a-z0-9-]#i', $name)) { throw new Nette\InvalidArgumentException("Header name must be non-empty alphanumeric string, '{$name}' given."); } if ($value == NULL) { // intentionally == if (!$append) { unset($this->headers[$name]); } } elseif (is_array($value)) { // email $tmp =& $this->headers[$name]; if (!$append || !is_array($tmp)) { $tmp = array(); } foreach ($value as $email => $recipient) { if ($recipient !== NULL && !Strings::checkEncoding($recipient)) { Nette\Utils\Validators::assert($recipient, 'unicode', "header '{$name}'"); } if (preg_match('#[\\r\\n]#', $recipient)) { throw new Nette\InvalidArgumentException('Name must not contain line separator.'); } Nette\Utils\Validators::assert($email, 'email', "header '{$name}'"); $tmp[$email] = $recipient; } } else { $value = (string) $value; if (!Strings::checkEncoding($value)) { throw new Nette\InvalidArgumentException('Header is not valid UTF-8 string.'); } $this->headers[$name] = preg_replace('#[\\r\\n]+#', ' ', $value); } return $this; }
/** * Process all {macros} and <tags/>. * @param string * @return string */ public function parse($s) { if (!Strings::checkEncoding($s)) { throw new ParseException('Template is not valid UTF-8 stream.'); } $s = str_replace("\r\n", "\n", $s); $this->templateId = Strings::random(); $this->input =& $s; $this->offset = 0; $this->output = ''; $this->htmlNodes = $this->macroNodes = array(); foreach ($this->macroHandlers as $handler) { $handler->initialize($this); } $len = strlen($s); try { while ($this->offset < $len) { $matches = $this->{"context" . $this->context[0]}(); if (!$matches) { // EOF break; } elseif (!empty($matches['comment'])) { // {* *} } elseif (!empty($matches['macro'])) { // {macro} list($macroName, $macroArgs, $macroModifiers) = $this->parseMacro($matches['macro']); $isRightmost = $this->offset >= $len || $this->input[$this->offset] === "\n"; $this->writeMacro($macroName, $macroArgs, $macroModifiers, $isRightmost); } else { // common behaviour $this->output .= $matches[0]; } } } catch (ParseException $e) { if (!$e->sourceLine) { $e->sourceLine = $this->getLine(); } throw $e; } $this->output .= substr($this->input, $this->offset); foreach ($this->htmlNodes as $node) { if (!empty($node->attrs)) { throw new ParseException("Missing end tag </{$node->name}> for macro-attribute " . self::N_PREFIX . implode(' and ' . self::N_PREFIX, array_keys($node->attrs)) . ".", 0, $this->getLine()); } } $prologs = $epilogs = ''; foreach ($this->macroHandlers as $handler) { $res = $handler->finalize(); $prologs .= isset($res[0]) ? "<?php {$res['0']}\n?>" : ''; $epilogs .= isset($res[1]) ? "<?php {$res['1']}\n?>" : ''; } $this->output = ($prologs ? $prologs . "<?php\n//\n// main template\n//\n?>\n" : '') . $this->output . $epilogs; if ($this->macroNodes) { throw new ParseException("There are unclosed macros.", 0, $this->getLine()); } return $this->output; }
/** * Process all {macros} and <tags/>. * @param string * @return string */ public function parse($s) { if (!Strings::checkEncoding($s)) { throw new ParseException('Template is not valid UTF-8 stream.'); } if (!$this->macroRe) { $this->setDelimiters('\\{(?![\\s\'"{}*])', '\\}'); } $this->handler->initialize($this); $s = str_replace("\r\n", "\n", $s); $s = "\n" . $s; $this->input =& $s; $this->offset = 0; $this->output = ''; $this->htmlNodes = $this->macroNodes = array(); $len = strlen($s); while ($this->offset < $len) { $matches = $this->{"context{$this->context}"}(); if (!$matches) { // EOF break; } elseif (!empty($matches['comment'])) { // {* *} } elseif (!empty($matches['macro'])) { // {macro} list($macroName, $macroArgs, $macroModifiers) = $this->parseMacro($matches['macro']); $code = $this->macro($macroName, $macroArgs, $macroModifiers); $nl = isset($matches['newline']) ? "\n" : ''; if ($nl && $matches['indent'] && strncmp($code, '<?php echo ', 11)) { // the only macro on line "without" output $this->output .= "\n" . $code; // preserve new line from 'indent', remove indentation } else { // double newline to avoid newline eating by PHP $this->output .= $matches['indent'] . $code . (substr($code, -2) === '?>' && $this->output !== '' ? $nl : ''); } } else { // common behaviour $this->output .= $matches[0]; } } $this->output .= substr($this->input, $this->offset); foreach ($this->htmlNodes as $node) { if (!$node instanceof MacroNode && !empty($node->attrs)) { throw new ParseException("Missing end tag </{$node->name}> for macro-attribute " . self::HTML_PREFIX . implode(' and ' . self::HTML_PREFIX, array_keys($node->attrs)) . ".", 0, $this->line); } } $this->handler->finalize($this->output); if ($this->macroNodes) { throw new ParseException("There are unclosed macros.", 0, $this->line); } return $this->output; }
/** * @param CurlWrapper $curl * @return string */ public static function convertEncoding(CurlWrapper $curl) { if (Strings::checkEncoding($response = $curl->response)) { return Strings::normalize($response); } if ($charset = static::charsetFromContentType($curl->info['content_type'])) { $response = @iconv($charset, 'UTF-8', $response); } else { if ($contentType = Strings::match($response, '~<(?P<el>meta[^>]+Content-Type[^>]+)>~i')) { foreach (Nette\Utils\Html::el($contentType['el'])->attrs as $attr => $value) { if (strtolower($attr) !== 'content') { continue; } if ($charset = static::charsetFromContentType($value)) { $response = @iconv($charset, 'UTF-8', $response); $response = static::fixContentTypeMeta($response); break; } } } } return Strings::normalize($response); }
/** * Sets a header. * @param string * @param string|array value or pair email => name * @param bool * @return MimePart provides a fluent interface */ public function setHeader($name, $value, $append = FALSE) { if (!$name || preg_match('#[^a-z0-9-]#i', $name)) { throw new Nette\InvalidArgumentException("Header name must be non-empty alphanumeric string, '{$name}' given."); } if ($value == NULL) { // intentionally == if (!$append) { unset($this->headers[$name]); } } elseif (is_array($value)) { // email $tmp =& $this->headers[$name]; if (!$append || !is_array($tmp)) { $tmp = array(); } foreach ($value as $email => $name) { if ($name !== NULL && !Strings::checkEncoding($name)) { throw new Nette\InvalidArgumentException("Name is not valid UTF-8 string."); } if (!preg_match('#^[^@",\\s]+@[^@",\\s]+\\.[a-z]{2,10}$#i', $email)) { throw new Nette\InvalidArgumentException("Email address '{$email}' is not valid."); } if (preg_match('#[\\r\\n]#', $name)) { throw new Nette\InvalidArgumentException("Name must not contain line separator."); } $tmp[$email] = $name; } } else { $value = (string) $value; if (!Strings::checkEncoding($value)) { throw new Nette\InvalidArgumentException("Header is not valid UTF-8 string."); } $this->headers[$name] = preg_replace('#[\\r\\n]+#', ' ', $value); } return $this; }
/** * Process all {macros} and <tags/>. * @param string * @return array */ public function parse($input) { if (substr($input, 0, 3) === "") { // BOM $input = substr($input, 3); } if (!Strings::checkEncoding($input)) { throw new Nette\InvalidArgumentException('Template is not valid UTF-8 stream.'); } $input = str_replace("\r\n", "\n", $input); $this->input = $input; $this->output = array(); $this->offset = 0; $this->setSyntax($this->defaultSyntax); $this->setContext(self::CONTEXT_TEXT); $this->lastHtmlTag = $this->syntaxEndTag = NULL; $this->xmlMode = (bool) preg_match('#^<\\?xml\\s#m', $input); while ($this->offset < strlen($input)) { $matches = $this->{"context" . $this->context[0]}(); if (!$matches) { // EOF break; } elseif (!empty($matches['comment'])) { // {* *} $this->addToken(Token::COMMENT, $matches[0]); } elseif (!empty($matches['macro'])) { // {macro} $token = $this->addToken(Token::MACRO_TAG, $matches[0]); list($token->name, $token->value, $token->modifiers) = $this->parseMacroTag($matches['macro']); } $this->filter(); } if ($this->offset < strlen($input)) { $this->addToken(Token::TEXT, substr($this->input, $this->offset)); } return $this->output; }
/** * Creates current HttpRequest object. * @return Request */ public function createHttpRequest() { // DETECTS URI, base path and script path of the request. $url = new UrlScript(); $url->scheme = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'off') ? 'https' : 'http'; $url->user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : ''; $url->password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''; // host & port if ((isset($_SERVER[$tmp = 'HTTP_HOST']) || isset($_SERVER[$tmp = 'SERVER_NAME'])) && preg_match('#^([a-z0-9_.-]+|\\[[a-fA-F0-9:]+\\])(:\\d+)?\\z#', $_SERVER[$tmp], $pair)) { $url->host = strtolower($pair[1]); if (isset($pair[2])) { $url->port = (int) substr($pair[2], 1); } elseif (isset($_SERVER['SERVER_PORT'])) { $url->port = (int) $_SERVER['SERVER_PORT']; } } // path & query if (isset($_SERVER['REQUEST_URI'])) { // Apache, IIS 6.0 $requestUrl = $_SERVER['REQUEST_URI']; } elseif (isset($_SERVER['ORIG_PATH_INFO'])) { // IIS 5.0 (PHP as CGI ?) $requestUrl = $_SERVER['ORIG_PATH_INFO']; if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != '') { $requestUrl .= '?' . $_SERVER['QUERY_STRING']; } } else { $requestUrl = ''; } $requestUrl = Strings::replace($requestUrl, $this->urlFilters['url']); $tmp = explode('?', $requestUrl, 2); $url->path = Strings::replace($tmp[0], $this->urlFilters['path']); $url->query = isset($tmp[1]) ? $tmp[1] : ''; // normalized url $url->canonicalize(); $url->path = Strings::fixEncoding($url->path); // detect script path if (isset($_SERVER['SCRIPT_NAME'])) { $script = $_SERVER['SCRIPT_NAME']; } elseif (isset($_SERVER['DOCUMENT_ROOT'], $_SERVER['SCRIPT_FILENAME']) && strncmp($_SERVER['DOCUMENT_ROOT'], $_SERVER['SCRIPT_FILENAME'], strlen($_SERVER['DOCUMENT_ROOT'])) === 0) { $script = '/' . ltrim(strtr(substr($_SERVER['SCRIPT_FILENAME'], strlen($_SERVER['DOCUMENT_ROOT'])), '\\', '/'), '/'); } else { $script = '/'; } $path = strtolower($url->path) . '/'; $script = strtolower($script) . '/'; $max = min(strlen($path), strlen($script)); for ($i = 0; $i < $max; $i++) { if ($path[$i] !== $script[$i]) { break; } elseif ($path[$i] === '/') { $url->scriptPath = substr($url->path, 0, $i + 1); } } // GET, POST, COOKIE $useFilter = !in_array(ini_get('filter.default'), array('', 'unsafe_raw')) || ini_get('filter.default_flags'); parse_str($url->query, $query); if (!$query) { $query = $useFilter ? filter_input_array(INPUT_GET, FILTER_UNSAFE_RAW) : (empty($_GET) ? array() : $_GET); } $post = $useFilter ? filter_input_array(INPUT_POST, FILTER_UNSAFE_RAW) : (empty($_POST) ? array() : $_POST); $cookies = $useFilter ? filter_input_array(INPUT_COOKIE, FILTER_UNSAFE_RAW) : (empty($_COOKIE) ? array() : $_COOKIE); $gpc = (bool) get_magic_quotes_gpc(); $old = error_reporting(error_reporting() ^ E_NOTICE); // remove f*****g quotes and check (and optionally convert) encoding if ($gpc || $this->encoding) { $utf = strcasecmp($this->encoding, 'UTF-8') === 0; $list = array(&$query, &$post, &$cookies); while (list($key, $val) = each($list)) { foreach ($val as $k => $v) { unset($list[$key][$k]); if ($gpc) { $k = stripslashes($k); } if ($this->encoding && is_string($k) && (preg_match(self::NONCHARS, $k) || preg_last_error())) { // invalid key -> ignore } elseif (is_array($v)) { $list[$key][$k] = $v; $list[] =& $list[$key][$k]; } else { if ($gpc && !$useFilter) { $v = stripSlashes($v); } if ($this->encoding) { if ($utf) { $v = Strings::fixEncoding($v); } else { if (!Strings::checkEncoding($v)) { $v = iconv($this->encoding, 'UTF-8//IGNORE', $v); } $v = html_entity_decode($v, ENT_QUOTES, 'UTF-8'); } $v = preg_replace(self::NONCHARS, '', $v); } $list[$key][$k] = $v; } } } unset($list, $key, $val, $k, $v); } // FILES and create FileUpload objects $files = array(); $list = array(); if (!empty($_FILES)) { foreach ($_FILES as $k => $v) { if ($this->encoding && is_string($k) && (preg_match(self::NONCHARS, $k) || preg_last_error())) { continue; } $v['@'] =& $files[$k]; $list[] = $v; } } while (list(, $v) = each($list)) { if (!isset($v['name'])) { continue; } elseif (!is_array($v['name'])) { if ($gpc) { $v['name'] = stripSlashes($v['name']); } if ($this->encoding) { $v['name'] = preg_replace(self::NONCHARS, '', Strings::fixEncoding($v['name'])); } $v['@'] = new FileUpload($v); continue; } foreach ($v['name'] as $k => $foo) { if ($this->encoding && is_string($k) && (preg_match(self::NONCHARS, $k) || preg_last_error())) { continue; } $list[] = array('name' => $v['name'][$k], 'type' => $v['type'][$k], 'size' => $v['size'][$k], 'tmp_name' => $v['tmp_name'][$k], 'error' => $v['error'][$k], '@' => &$v['@'][$k]); } } error_reporting($old); // HEADERS if (function_exists('apache_request_headers')) { $headers = array_change_key_case(apache_request_headers(), CASE_LOWER); } else { $headers = array(); foreach ($_SERVER as $k => $v) { if (strncmp($k, 'HTTP_', 5) == 0) { $k = substr($k, 5); } elseif (strncmp($k, 'CONTENT_', 8)) { continue; } $headers[strtr(strtolower($k), '_', '-')] = $v; } } return new Request($url, $query, $post, $files, $cookies, $headers, isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : NULL, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : NULL, isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : NULL); }
private static function containsXss(NHtml $script) { if (!NStrings::checkEncoding($script->getHtml())) { return true; } if (!($dom = self::createDomFromHtml($script))) { return true; } $scripts = $dom->getElementsByTagName('script'); if ($scripts->length > 1) { return true; } $filteredContent = $scripts->item(0)->textContent; if ($script->getHtml() !== $filteredContent) { return true; } return false; }
// control characters checker $checker->tasks[] = function (CodeChecker $checker, $s) { if (!Strings::match($s, '#^[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F]*+$#')) { $checker->error('Contains control characters'); } }; // BOM remover $checker->tasks[] = function (CodeChecker $checker, $s) { if (substr($s, 0, 3) === "") { $checker->fix('contains BOM'); return substr($s, 3); } }; // UTF-8 checker $checker->tasks[] = function (CodeChecker $checker, $s) { if (!Strings::checkEncoding($s)) { $checker->error('Is not valid UTF-8 file'); } }; // invalid phpDoc checker $checker->tasks[] = function (CodeChecker $checker, $s) { if ($checker->is('php,phpt')) { foreach (token_get_all($s) as $token) { if ($token[0] === T_COMMENT && Strings::match($token[1], '#/\\*\\s.*@[a-z]#isA')) { $checker->warning('Missing /** in phpDoc comment', $token[2]); } } } }; // short PHP 5.4 arrays if (isset($options['--short-arrays'])) {