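/**
 * Emit the FBJS sandbox bootstrap (first call only) plus every inline
 * script collected since the last call.
 *
 * Returns '' when nothing has been queued ($this->used is false). Otherwise
 * each entry in $this->script_infos is passed through self::sanitize_code()
 * and rendered either as its own inline <script> (flavors that allow
 * 'script_onload') or pushed onto app.pending_bootstraps inside the
 * bootstrap block (all other flavors). On the first call the bootstrap also
 * creates the sandbox, the validation vars, the FBML context and app.data.
 *
 * Side effects: $this->fbml->add_context() is called on the first render,
 * $this->used is reset to false and $this->postrendered is set to true.
 *
 * @return string  HTML/JS markup to append to the page.
 * @throws FBMLJSParseError  when an external script src reaches a flavor
 *                           that does not allow 'script_onload'.
 */
public function postrender() {
  if (!$this->used) {
    return '';
  }

  // Go through all the inline scripts and sanitize
  $sanitized_scripts = array();
  if ($this->script_infos) {
    foreach ($this->script_infos as $script_info) {
      if (isset($script_info['inline'])) {
        $sanitized_scripts[] = array(
          'inline' => self::sanitize_code($script_info['inline'], $this->appid),
        );
      } else if (isset($script_info['src'])) {
        // FBOPEN:NOTE - if js sources are fetched from outside, these will
        // have to be fetched, cached, sanitized, and stored. Requests then
        // would need to be directed to your cached version. The open source
        // code at this point does not support such caching.
        // $sanitized_scripts[] = array('src' => FBJSUrlRef::get_url($script_info['src'], $this->appid, 'js'));
      }
    }
  }

  // If this is our first postrender build some bootstrapping code.
  // $bootstrap stays boolean false on later calls; string concatenation
  // below coerces it to '' where needed, and render_js_inline() receives
  // false unchanged (kept as-is to preserve the existing contract).
  $bootstrap = false;
  if (!$this->postrendered) {
    // NOTE(review): $this->appid is emitted verbatim into JS source; this
    // assumes it is numeric — confirm at the point it is assigned.
    $bootstrap = 'var app=new fbjs_sandbox(' . $this->appid . ');';
    $profile = $this->fbml->get_env('profile', false, 0);
    $validation_vars = get_fb_validation_vars(
      array('user' => $this->user),
      $this->appid,
      $profile ? array('profile' => $profile) : array()
    );
    // NOTE(review): json_encode() output is placed inside a <script>
    // element; a value containing '</script>' would terminate the element
    // early — confirm render_js_inline() or the upstream data guards this.
    $bootstrap .= 'app.validation_vars=' . json_encode($validation_vars) . ';';
    $context = $this->fbml->add_context();
    $bootstrap .= 'app.context=\'' . escape_js_quotes($context) . '\';';
    $bootstrap .= 'app.contextd=\'' . escape_js_quotes($this->fbml->_contexts[$context]) . '\';';
    $bootstrap .= 'app.data=' . json_encode(array(
      'user' => $this->user,
      'installed' => $this->user ? is_platform_app_installed($this->appid, $this->user) : false,
      'loggedin' => $this->user ? (bool) api_get_valid_session_key($this->user, $this->appid) : false,
    )) . ';';
  }

  // Render all inline scripts
  $html = '';
  if ($this->fbml->_flavor->allows('script_onload')) {
    if (!$this->postrendered) {
      $bootstrap .= 'app.bootstrap();';
    }
    foreach ($sanitized_scripts as $script) {
      if (isset($script['inline'])) {
        $html .= render_js_inline($script['inline']) . "\n";
      } else {
        // The URL is placed in an HTML attribute, so it must be attribute-
        // escaped regardless of what produced it; browsers decode &amp; back
        // to & before fetching, so valid URLs are unaffected.
        $html .= '<script src="' . htmlspecialchars($script['src'], ENT_QUOTES, 'UTF-8') . '"></script>';
      }
    }
  } else {
    foreach ($sanitized_scripts as $script) {
      if (isset($script['inline'])) {
        $bootstrap .= 'app.pending_bootstraps.push(\'' . escape_js_quotes($script['inline']) . '\');';
      } else {
        // We don't support script include for this flavor at this time.
        throw new FBMLJSParseError('Cannot allow external script');
      }
    }
  }

  $this->used = false;
  $this->postrendered = true;
  return render_js_inline($bootstrap) . $html;
}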
} else { if (is_array($value)) { render_fbjs_ajax_fbml_recursive($impl, $array[$key]); } } } } $data = null; try { $impl = fbml_mock_ajax_get_impl($post_fb_mockajax_context, $post_fb_mockajax_context_hash); $post_vars = array('user' => $user); $others = array('is_ajax' => 1); if ($profile = $impl->get_env('profile', false, 0)) { $others['profile'] = $profile; } $post_vars = get_fb_validation_vars($post_vars, $app_id, $others, array(), $post_require_login); try { $response = http_post($post_url, array_merge($post_query, $post_vars)); } catch (HTTPNoDataException $e) { $response = ''; } catch (HTTPException $e) { // We die so that onerror will be called in JS on the user's browser die(''); } $fbml_env = array('user' => $user, 'app_id' => $app_id, 'unfiltered_css' => false, 'user_triggered' => true); switch ($post_type) { case $FBJS_TYPES['RAW']: $data = $response; break; case $FBJS_TYPES['JSON']: // We need `loose' decoding which accepts unquoted keys, etc. json_decode doesn't provide this,
/**
 * Render the opening <form> tag for an fb:form-style node, followed by the
 * hidden inputs that carry the platform validation parameters.
 *
 * The hidden inputs start from the profile (when one is in the env) plus
 * the other-fbpage canvas parameters for the resolved page, and are then
 * replaced by what get_fb_validation_vars() returns for that set. The
 * 'name' attribute is always dropped; 'action' is run through
 * validate_url(). When login is required and no valid session key exists
 * (and the flavor allows 'script'), an onsubmit handler defers submission
 * to FBML.requireLogin().
 *
 * @param object $node  FBML node being rendered (attr_bool() is used on it).
 * @return string  the <form ...> open tag plus rendered hidden inputs.
 */
public function open_form($node) {
  $inputs = array();
  $codes = fbml_flavors_get_codes();
  $page_id = 0;

  // Loose `!= null` on purpose: false (the default), 0 and '' all mean
  // "no profile in the env".
  $profile = $this->get_env('profile', false);
  if ($profile != null) {
    $inputs['profile'] = $profile;
    if (obj_is_fbpage($profile)) {
      $page_id = $profile;
    }
  }
  if ($this->_fbml_impl->_flavor->get_flavor_code() == $codes['CANVAS_PAGE']) {
    $page_id = $this->get_env('fb_page_id', false);
  }

  $actor = array('user' => $this->get_env('user'));
  if ($page_id) {
    // `+=` keeps any key already present in $inputs (e.g. 'profile').
    $inputs += api_canvas_parameters_other_fbpage($page_id, $this->get_env('user'));
    $actor['page'] = $page_id;
  }

  $needs_login = $node->attr_bool('requirelogin', true)
    && !$this->get_env('loggedout', false);
  $inputs = get_fb_validation_vars(
    $actor,
    $this->get_env('app_id'),
    $inputs,
    array(),
    $needs_login
  );

  $attrs = $this->node_get_safe_attrs($node);
  // unset() on a missing key is a silent no-op, so no isset() guard needed.
  unset($attrs['name']);
  if (isset($attrs['action'])) {
    $attrs['action'] = $this->validate_url(
      $attrs['action'],
      true,
      $this->allows('relative_urls'),
      false
    );
  }

  if ($needs_login) {
    // check for a valid session
    $has_session = api_get_valid_session_key(
      $this->get_env('user'),
      $this->get_env('app_id')
    );
    if (!$has_session && $this->_fbml_impl->_flavor->allows('script')) {
      // NOTE(review): app_id is interpolated into the handler verbatim;
      // this assumes it is numeric — confirm against how it is set.
      $attrs['onsubmit'] =
        'var form = this; '
        . 'FBML.requireLogin(' . $this->get_env('app_id')
        . ', function() { FBML.addHiddenInputs(form); form.submit(); });'
        . 'return false;';
    }
  }

  $pieces = array($this->render_html_open_tag('form', $attrs));
  foreach ($inputs as $input_name => $input_val) {
    $pieces[] = $this->render_hidden_input($input_name, $input_val);
  }
  return implode('', $pieces);
}
} else { $in_post_tuples = php_input_raw_post_vars(); $post_tuples = array(); foreach ($in_post_tuples as $param_val) { $post_tuples[] = $param_val; } } list($others, $post_vars) = api_get_valid_fb_params($in_post_vars, $app_info['secret']); // If we took POST tuples that we want to pass along raw, then we // won't use the vars we got from $_POST if ($post_tuples !== null) { $post_vars = array(); } $others += api_canvas_parameters(); $data_params = api_canvas_parameters_other($app_id, $user); $post_vars += get_fb_validation_vars($user, $app_id, $others, $data_params); $path_str = '/' . $url_suffix; if (($char_pos = strpos($path_str, '?', 0)) !== false) { $path_str = substr($path_str, 0, $char_pos); } $char_pos = strrpos($path_str, '/', 0); if ($char_pos > 0) { $path_str = substr($path_str, 0, $char_pos + 1); } try { try { $fbml_from_callback = http_post($url, $post_vars, array('post_tuples' => $post_tuples)); } catch (HTTPErrorException $e) { print "got http exception: " . $e->getCode(); exit; header('HTTP/1.x ' . $e->getCode());