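 /**
  *  Process the response as JSON with some extra information about the
  *  (success status of the form) so that jQuery knows what to do with the result.
  *
  *  On POST the form-saved flag is derived from $this->_errors and the JSON
  *  'Body' is set to FALSE; for any other method the rendered response body is
  *  base64-encoded into 'Body'. Nothing else is done unless the negotiated
  *  response format is application/json, and requests carrying a "draw" query
  *  parameter are left untouched (presumably a DataTables server-side request
  *  that expects the raw body - confirm against the callers).
  *
  *  @return  void
  *
  *  @uses    Assets::js
  *  @uses    Assets::css
  *  @uses    Message::get
  *  @uses    Valid::utf8
  *  @uses    JSON::encode
  */
 protected function process_ajax()
 {
     $is_json = ($this->_response_format === 'application/json');
     // Strict comparison: both sides are strings, so a loose == only risked
     // surprising coercions without buying anything
     if ($this->request->method() === HTTP_Request::POST) {
         // Allow for override. The form counts as saved only when no errors were collected
         $this->SetFormSaved(empty($this->_errors));
         if ($is_json) {
             $this->SetJson('Body', FALSE);
         }
     } elseif ($is_json) {
         $this->SetJson('Body', base64_encode($this->response->body()));
     }
     if (!$is_json) {
         return;
     }
     // A "draw" parameter means the client wants the raw body, not the wrapped JSON
     if ($this->request->query('draw') !== NULL) {
         return;
     }
     $scripts = Assets::js(FALSE, NULL, NULL, FALSE, NULL, Assets::FORMAT_AJAX);
     $styles = Assets::css(FALSE, NULL, NULL, FALSE, Assets::FORMAT_AJAX);
     $this->SetJson('FormSaved', $this->_formsaved);
     $this->SetJson('messages', Message::get(NULL, NULL, TRUE));
     $this->SetJson('errors', $this->_errors);
     $this->SetJson('redirect', Request::$redirect_url);
     $this->SetJson('title', $this->title);
     $this->SetJson('subtitle', $this->subtitle);
     $this->SetJson('css', $styles);
     $this->SetJson('js', $scripts);
     if (!Valid::utf8($this->_json['Body'])) {
         // Treat a non-UTF-8 body as ISO-8859-1, exactly as utf8_encode() did;
         // utf8_encode() is deprecated since PHP 8.2 and mb_convert_encoding()
         // is its documented replacement (requires ext/mbstring)
         $this->_json['Body'] = mb_convert_encoding($this->_json['Body'], 'UTF-8', 'ISO-8859-1');
     }
     $this->_json['Data'] = JSON::encode($this->_json);
 }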
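 /**
  * Generates a random string of a given type and length
  *
  * Example:
  * ~~~
  * // 8 character random string
  * $str = Text::random();
  * ~~~
  *
  * The following types are supported:
  * * alnum:     Upper and lower case a-z, 0-9 (default)
  * * alpha:     Upper and lower case a-z
  * * hexdec:    Hexadecimal characters a-f, 0-9
  * * numeric:   Digits 0-9
  * * nozero:    Digits 1-9
  * * distinct:  Uppercase characters and numbers that cannot be confused
  *
  * You can also create a custom type by providing the "pool" of characters
  * as the type. An empty custom pool yields an empty string.
  *
  * Characters are drawn with random_int(), a cryptographically secure
  * generator, so the result is suitable for tokens, nonces and temporary
  * passwords; mt_rand() is not designed for that and must not be used here.
  *
  * @param   string  $type    A type of pool, or a string of characters to use as the pool [Optional]
  * @param   integer $length  Length of string to return [Optional]
  *
  * @return  string
  *
  * @throws  Exception  If no secure source of randomness is available to random_int()
  *
  * @uses    UTF8::str_split
  * @uses    Valid::utf8
  */
 public static function random($type = NULL, $length = 8)
 {
     if ($type === NULL) {
         // Default is to generate an alphanumeric string
         $type = 'alnum';
     }
     $utf8 = FALSE;
     switch ($type) {
         case 'alnum':
             $pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
             break;
         case 'alpha':
             $pool = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
             break;
         case 'hexdec':
             $pool = '0123456789abcdef';
             break;
         case 'numeric':
             $pool = '0123456789';
             break;
         case 'nozero':
             $pool = '123456789';
             break;
         case 'distinct':
             $pool = '2345679ACDEFHJKLMNPRSTUVWXYZ';
             break;
         default:
             // Custom pool: split per character, multibyte-aware when it is UTF-8
             $pool = (string) $type;
             $utf8 = Valid::utf8($pool);
             break;
     }
     // Split the pool into an array of characters
     $pool = $utf8 === TRUE ? UTF8::str_split($pool, 1) : str_split($pool, 1);
     // Largest pool key
     $max = count($pool) - 1;
     if ($max < 0) {
         // Empty custom pool (str_split('') is [] since PHP 8.2): nothing to draw
         // from, and random_int(0, -1) would throw. Older versions returned '' here too
         return '';
     }
     $str = '';
     for ($i = 0; $i < $length; $i++) {
         // Select a random character from the pool and add it to the string
         $str .= $pool[random_int(0, $max)];
     }
     // Make sure alnum strings contain at least one letter and one digit
     if ($type === 'alnum' and $length > 1) {
         if (ctype_alpha($str)) {
             // Overwrite a random position with a random digit
             $str[random_int(0, $length - 1)] = chr(random_int(48, 57));
         } elseif (ctype_digit($str)) {
             // Overwrite a random position with a random uppercase letter
             $str[random_int(0, $length - 1)] = chr(random_int(65, 90));
         }
     }
     return $str;
 }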
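    /**
     * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities
     *
     * Returns an XSS safe version of $string, or an empty string if $string is not
     * valid UTF-8 or if any PCRE pass fails (for example the backtracking limit is
     * hit on hostile input): the filter fails closed instead of returning NULL or
     * a half-filtered string to the caller.
     *
     * This code does four things:
     * - Removes characters and constructs that can trick browsers
     * - Makes sure all HTML entities are well-formed
     * - Makes sure all HTML tags and attributes are well-formed
     * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:)
     *
     * Based on [kses](http://sourceforge.net/projects/kses) by Ulf Harnhammar.
     * For examples of various XSS attacks, see: http://ha.ckers.org/xss.html.
     *
     * @param   string  $string  Input string
     *
     * @return  string
     *
     * @uses    Valid::utf8
     */
    public function filter_xss($string)
    {
        // Only operate on valid UTF-8 strings. This is necessary to prevent cross
        // site scripting issues on Internet Explorer 6.
        if (!Valid::utf8($string)) {
            return '';
        }
        // Remove NULL characters (ignored by some browsers)
        $string = str_replace(chr(0), '', $string);
        // Remove Netscape 4 JS entities
        $string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);
        if ($string === NULL) {
            // preg_replace() returns NULL on a PCRE error; never pass that on
            return '';
        }
        // Defuse all HTML entities
        $string = str_replace('&', '&amp;', $string);
        // Change back only well-formed entities in our whitelist. The patterns are
        // applied in order, equivalent to three consecutive preg_replace() calls
        $string = preg_replace(
            [
                '/&amp;#([0-9]+;)/',                    // Decimal numeric entities
                '/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', // Hexadecimal numeric entities
                '/&amp;([A-Za-z][A-Za-z0-9]*;)/',       // Named entities
            ],
            ['&#\\1', '&#x\\1', '&\\1'],
            $string
        );
        if ($string === NULL) {
            return '';
        }
        // Hand every tag-like fragment to xss_split() for attribute/protocol checks
        $filtered = preg_replace_callback('%(
			<(?=[^a-zA-Z!/])  # a lone <
			| <!--.*?-->        # a comment
			| <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
			| >                 # just a >
		)%x', [$this, 'xss_split'], $string);
        // Fail closed if the final pass errored out
        return $filtered === NULL ? '' : $filtered;
    }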