/**
 * Percent-encodes a value for use as a single URL component.
 *
 * Objects are accepted only when they can be cast to string; arrays are always rejected.
 *
 * @param string|object $string value to encode
 * @return string the encoded component as produced by the wrapped Zend escaper
 * @throws EscapeException for an array, or an object without __toString()
 */
public function escapeURLComponent($string)
{
    if (is_object($string)) {
        if (!method_exists($string, '__toString')) {
            throw EscapeException::fromBadObject($string);
        }
        $string = (string) $string;
    }

    if (is_array($string)) {
        throw EscapeException::fromBadArray();
    }

    return $this->zendEscape->escapeUrl($string);
}
/**
 * Escapes a value for the given output context.
 *
 * Booleans, numbers and null are returned untouched (they carry nothing to escape);
 * objects, resources and unknown types are refused. Everything else is handed to the
 * parent escaper that matches $context.
 *
 * NOTE(review): arrays are not rejected here and are passed to the parent escapers as-is — confirm intended.
 * NOTE(review): the default self::HTML_BODY is only handled when it compares identical to
 * self::HTML_STRING; otherwise a call without an explicit context ends in 'Invalid context.' — confirm the constants alias.
 *
 * @param string $string  The string to escape
 * @param int    $context The context to escape in
 * @return string The escaped string
 * @throws \InvalidArgumentException If the value type or the context is not supported
 */
public function escape($string, $context = self::HTML_BODY)
{
    $type = gettype($string);

    if (in_array($type, array('boolean', 'integer', 'double', 'NULL'), true)) {
        return $string;
    }

    if (in_array($type, array('object', 'resource', 'unknown type'), true)) {
        throw new \InvalidArgumentException("Unable to escape variable of type {$type}.");
    }

    // switch (true) keeps the strict comparisons of the original if/return chain.
    switch (true) {
        case $context === self::HTML_STRING:
            return parent::escapeHtml($string);
        case $context === self::HTML_ATTR:
            return parent::escapeHtmlAttr($string);
        case $context === self::CSS:
            return parent::escapeCss($string);
        case $context === self::JS_STRING:
            return parent::escapeJs($string);
        case $context === self::URL_PARAM:
            return parent::escapeUrl($string);
    }

    throw new \InvalidArgumentException('Invalid context.');
}
/**
 * Renders a single news post selected by its title link.
 *
 * The 'post' route parameter is percent-encoded with Escaper::escapeUrl() before it is
 * bound as the :titleLink parameter, so the lookup compares the encoded form of the slug
 * with what is stored. The query itself is parameterised, never interpolated.
 *
 * @return \Zend\View\Model\ViewModel the view on success; otherwise the result of setErrorCode(404)
 */
public function postAction()
{
    $this->getView()->setTemplate('application/news/post');

    $escaper = new Escaper('utf-8');
    $titleLink = (string) $escaper->escapeUrl($this->getParam('post'));
    $language = (int) $this->language();

    $contentTable = $this->getTable('SD\\Admin\\Model\\ContentTable');
    $rows = $contentTable->queryBuilder()
        ->select(['c.title, c.text, c.date, c.preview'])
        ->from('SD\\Admin\\Entity\\Content', 'c')
        ->where('c.type = 1 AND c.menu = 0 AND c.language = :language AND c.titleLink = :titleLink')
        ->setParameter(':language', $language)
        ->setParameter(':titleLink', $titleLink)
        ->orderBy('c.date', 'DESC')
        ->getQuery()
        ->getResult();

    if (!$rows) {
        return $this->setErrorCode(404);
    }

    $post = $rows[0];
    $this->getView()->setVariable('new', $post);
    $this->initMetaTags($post);

    return $this->getView();
}
/**
 * Append the record id as a URL fragment to the last remembered search URL.
 *
 * The fragment lets the browser restore the previous window scroll position when the
 * user returns to the search results from a record page. A search URL that already
 * carries a fragment is left untouched. The id is percent-encoded before being appended.
 *
 * @return void
 */
protected function modifyLastSearchURL()
{
    $memory = $this->getServiceLocator()->get('VuFind\\Search\\Memory');
    $lastSearch = $memory->retrieve();
    if (!$lastSearch) {
        return;
    }

    $parts = parse_url($lastSearch);
    if (isset($parts['fragment'])) {
        // Do not overwrite an existing hash.
        return;
    }

    $escaper = new Escaper('utf-8');
    $fragment = $escaper->escapeUrl($this->driver->getUniqueId());
    $memory->rememberSearch($lastSearch . '#' . $fragment);
}
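/**
 * Escapes strings to make them safe for use
 * within HTML templates. Used by the auto-escaping
 * functionality in setVar() and available to
 * use within your views.
 *
 * Uses ZendFramework's Escaper to handle the actual escaping,
 * based on context. Valid contexts are (case-insensitive):
 * - html
 * - htmlAttr
 * - js
 * - css
 * - url
 *
 * Arrays are escaped recursively (keys are kept, only values change); any non-string
 * value — including non-string array elements — is returned untouched.
 *
 * References:
 * - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 * - http://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html
 *
 * @param mixed       $data    string or (nested) array of values to escape
 * @param string      $context one of html, htmlattr, js, css, url
 * @param object|null $escaper An instance of ZF's Escaper to avoid repeated class instantiation.
 *
 * @return mixed the escaped string, the array with escaped values, or $data unchanged
 * @throws \InvalidArgumentException if $context is not one of the supported contexts
 */
function esc($data, $context = 'html', $escaper = null)
{
    // Context name => Escaper method; the keys double as the list of valid contexts.
    $methods = [
        'html'     => 'escapeHtml',
        'htmlattr' => 'escapeHtmlAttr',
        'js'       => 'escapeJs',
        'css'      => 'escapeCss',
        'url'      => 'escapeUrl',
    ];

    $context = strtolower($context);

    // Validate before doing any work, so an invalid context fails identically for
    // strings, arrays and empty arrays, and no Escaper is built for nothing.
    if (!in_array($context, array_keys($methods), true)) {
        throw new \InvalidArgumentException('Invalid Context type: ' . $context);
    }

    if (!is_object($escaper)) {
        $escaper = new Escaper(config_item('charset'));
    }

    if (is_array($data)) {
        // Pass the escaper down: the previous version created a fresh Escaper for every
        // element (and used a by-reference foreach without unsetting the reference).
        foreach ($data as $key => $value) {
            $data[$key] = esc($value, $context, $escaper);
        }

        return $data;
    }

    if (!is_string($data)) {
        return $data;
    }

    $method = $methods[$context];

    return $escaper->$method($data);
}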
/**
 * {@inheritdoc}
 *
 * Delegates percent-encoding of a URL component to the wrapped escaper without
 * inspecting the value itself.
 */
public function escapeUrl($string)
{
    $delegate = $this->escaper;

    return $delegate->escapeUrl($string);
}
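/**
 * Builds menu HTML.
 *
 * Renders one <ul> row per child of $parent, then recurses into that child's own submenu.
 * Caption and id are read from the menu entities (stored data), so each is escaped for the
 * context it lands in: escapeHtml() for text content, escapeHtmlAttr() for the id/class
 * attributes and escapeUrl() for path segments — previously only the href segments were
 * escaped and the caption/id were emitted raw. Translation strings are treated as trusted,
 * markup-free text and are not escaped.
 * NOTE(review): if captions are stored already HTML-encoded they will now be double-encoded — confirm.
 *
 * @method getMenus
 *
 * @param int   $parent id of the menu whose children are rendered (0 = top level)
 * @param array $menu   'menus' (id => entity) and 'submenus' (parent id => list of child ids)
 *
 * @return string generated html code
 */
private function getMenus($parent = 0, array $menu = [])
{
    if (!isset($menu['submenus'][$parent])) {
        return '';
    }

    $escaper = new Escaper('utf-8');
    $lang = $this->language('languageName');
    $details = $this->translate('DETAILS');
    $edit = $this->translate('EDIT');
    $deactivated = $this->translate('DEACTIVATED');
    $active = $this->translate('ACTIVE');
    $delete = $this->translate('DELETE');
    $cancel = $this->translate('CANCEL');
    $confirm = $this->translate('DELETE_CONFIRM_TEXT');

    // One action button; $path is the already URL-encoded tail after /admin/menu/.
    $actionLink = function ($title, $path, $buttonClass, $iconClass) use ($lang) {
        return "<li class='table-cell flex-b'><a title='" . $title . "' hreflang='" . $lang
            . "' itemprop='url' href='/admin/menu/" . $path . "' class='btn btn-sm " . $buttonClass
            . "'><i class='fa " . $iconClass . "'></i></a></li>";
    };

    $output = '';
    foreach ($menu['submenus'][$parent] as $id) {
        $item = $menu['menus'][$id];
        // Normalise to string so the escaper's text checks see text, not an int.
        $rawId = (string) $item->getId();
        $urlId = $escaper->escapeUrl($rawId);
        $attrId = $escaper->escapeHtmlAttr($rawId);
        $caption = $escaper->escapeHtml($item->getCaption());

        $output .= "<ul class='table-row'>";
        $output .= "<li class='table-cell flex-2'>" . $caption . '</li>';
        $output .= $actionLink($details, 'detail/' . $urlId, 'blue', 'fa-info');
        $output .= $actionLink($edit, 'edit/' . $urlId, 'orange', 'fa-pencil');
        if (0 === $item->isActive()) {
            $output .= $actionLink($deactivated, 'activate/' . $urlId, 'deactivated', 'fa-minus-square-o');
        } else {
            // The previous markup carried a duplicated 'fa' class here; harmless, dropped.
            $output .= $actionLink($active, 'deactivate/' . $urlId, 'active', 'fa-check-square-o');
        }
        $output .= "\n <li class='table-cell flex-b'>\n <button role='button' aria-pressed='false' aria-label='" . $delete
            . "' id='" . $attrId . "' type='button' class='btn btn-sm delete dialog_delete' title='" . $delete
            . "'><i class='fa fa-trash-o'></i></button>\n <div role='alertdialog' aria-labelledby='dialog" . $attrId
            . "Title' class='delete_" . $attrId . " dialog_hide'>\n <p id='dialog" . $attrId . "Title'>" . $confirm
            . ' «' . $caption . "»</p>\n <ul>\n <li>\n <a class='btn delete' href='/admin/menu/delete/" . $urlId
            . "'><i class='fa fa-trash-o'></i> " . $delete . "</a>\n </li>\n <li>\n <button role='button' aria-pressed='false' aria-label='" . $cancel
            . "' class='btn btn-default cancel'><i class='fa fa-times'></i> " . $cancel . '</button> </li> </ul> </div> </li>';
        $output .= '</ul>';
        $output .= $this->getMenus($id, $menu);
    }

    return $output;
}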
/**
 * Percent-encodes a value for use as a URL component using the shared escaper.
 *
 * Ensures the shared escaper exists (self::init()) before delegating to it.
 *
 * @param mixed $input
 * @return mixed whatever the shared escaper's escapeUrl() returns
 */
public static function escapeUrl($input)
{
    self::init();
    $shared = self::$escaper;

    return $shared->escapeUrl($input);
}