/** * Replaces all occurrences of the search string with the replacement string. * * Functions identically to str_replace(), but marks the returned output as * safe if all the inputs and the subject have also been marked as safe. * * @param string|array $search * The value being searched for. An array may be used to designate multiple * values to search for. * @param string|array $replace * The replacement value that replaces found search values. An array may be * used to designate multiple replacements. * @param string $subject * The string or array being searched and replaced on. * * @return string * The passed subject with replaced values. */ public static function replace($search, $replace, $subject) { $output = str_replace($search, $replace, $subject); // If any replacement is unsafe, then the output is also unsafe, so just // return the output. if (!is_array($replace)) { if (!SafeMarkup::isSafe($replace)) { return $output; } } else { foreach ($replace as $replacement) { if (!SafeMarkup::isSafe($replacement)) { return $output; } } } // If the subject is unsafe, then the output is as well, so return it. if (!SafeMarkup::isSafe($subject)) { return $output; } else { // If we have reached this point, then all replacements were safe. If the // subject was also safe, then mark the entire output as safe. return SafeMarkup::set($output); } }
/** * Formats a string for HTML display by replacing variable placeholders. * * This function replaces variable placeholders in a string with the requested * values and escapes the values so they can be safely displayed as HTML. It * should be used on any unknown text that is intended to be printed to an * HTML page (especially text that may have come from untrusted users, since * in that case it prevents cross-site scripting and other security problems). * * In most cases, you should use t() rather than calling this function * directly, since it will translate the text (on non-English-only sites) in * addition to formatting it. * * @param string $string * A string containing placeholders. The string itself is not escaped, any * unsafe content must be in $args and inserted via placeholders. * @param array $args * An associative array of replacements to make. Occurrences in $string of * any key in $args are replaced with the corresponding value, after * optional sanitization and formatting. The type of sanitization and * formatting depends on the first character of the key: * - @variable: Escaped to HTML using self::escape(). Use this as the * default choice for anything displayed on a page on the site. * - %variable: Escaped to HTML wrapped in <em> tags, which makes the * following HTML code: * @code * <em class="placeholder">text output here.</em> * @endcode * - !variable: Inserted as is, with no sanitization or formatting. Only * use this when the resulting string is being generated for one of: * - Non-HTML usage, such as a plain-text email. * - Non-direct HTML output, such as a plain-text variable that will be * printed as an HTML attribute value and therefore formatted with * self::checkPlain() as part of that. * - Some other special reason for suppressing sanitization. * * @return string * The formatted string, which is marked as safe unless sanitization of an * unsafe argument was suppressed (see above). * * @ingroup sanitization * * @see t() */ public static function format($string, array $args) { $safe = TRUE; // Transform arguments before inserting them. foreach ($args as $key => $value) { switch ($key[0]) { case '@': // Escaped only. if (!SafeMarkup::isSafe($value)) { $args[$key] = Html::escape($value); } break; case '%': default: // Escaped and placeholder. if (!SafeMarkup::isSafe($value)) { $value = Html::escape($value); } $args[$key] = '<em class="placeholder">' . $value . '</em>'; break; case '!': // Pass-through. if (!static::isSafe($value)) { $safe = FALSE; } } } $output = strtr($string, $args); if ($safe) { static::$safeStrings[$output]['html'] = TRUE; } return $output; }