
Merge branch 'security/escaper-usage'
Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
Showing 3 changed files with 44 additions and 20 deletions.
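--- a/src/Helper/HeadStyle.php
+++ b/src/Helper/HeadStyle.php
@@ -311,6 +311,7 @@ public function itemToString(stdClass $item, $indent)
 ) {
 $enc = $this->view->getEncoding();
 }
+$escaper = $this->getEscaper($enc);
 foreach ($item->attributes as $key => $value) {
 if (!in_array($key, $this->optionalAttributes)) {
 continue;
@@ -333,7 +334,7 @@ public function itemToString(stdClass $item, $indent)
 $value = substr($value, 0, -1);
 }
 }
-$attrString .= sprintf(' %s="%s"', $key, htmlspecialchars($value, ENT_COMPAT, $enc));
+$attrString .= sprintf(' %s="%s"', $key, $escaper->escapeHtmlAttr($value));
 }
 }
 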
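Review bot: The attribute name `$key` is still interpolated unescaped on the rewritten sprintf line, which is safe only because of the `in_array($key, $this->optionalAttributes)` whitelist a few lines above, and that check is non-strict: under pre-PHP 8 loose comparison an integer key such as `0` compares equal to any non-numeric string and would slip through the whitelist. Make it strict, `if (!in_array($key, $this->optionalAttributes, true)) {`. Separately, the value is now escaped by a standalone Escaper from `getEscaper($enc)` rather than the view's `escapeHtmlAttr` plugin, so a custom escaper registered in the view's helper manager is bypassed here; if that is not intended, prefer `$this->view->plugin('escapeHtmlAttr')` when a view is available, as `AbstractStandalone::escape()` does in this same commit. itemToString() begins before and ends after this hunk.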
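--- a/src/Helper/Navigation/Sitemap.php
+++ b/src/Helper/Navigation/Sitemap.php
@@ -242,14 +242,8 @@ public function getServerUrl()
 */
 protected function xmlEscape($string)
 {
-$enc = 'UTF-8';
-if ($this->view instanceof View\Renderer\RendererInterface
-&& method_exists($this->view, 'getEncoding')
-) {
-$enc = $this->view->getEncoding();
-}
-
-return htmlspecialchars($string, ENT_QUOTES, $enc, false);
+$escaper = $this->view->plugin('escapeHtml');
+return $escaper($string);
 }
 
 // Public methods: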
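Review bot: The new `xmlEscape()` calls `$this->view->plugin('escapeHtml')` unconditionally, whereas the removed code only consulted the view when it was a `View\Renderer\RendererInterface` exposing `getEncoding()`; with no view set, or a renderer that does not provide `plugin()`, this is now a fatal error where it used to return an escaped string. Keep a guarded fallback before the plugin call, e.g. `if (!$this->view instanceof View\Renderer\RendererInterface || !method_exists($this->view, 'plugin')) { return (new Escaper('UTF-8'))->escapeHtml($string); }` (with the `Zend\Escaper\Escaper` import, or `$this->getEscaper()` if this helper inherits it). Note also that the old call passed `double_encode = false`, so already-encoded entities such as `&amp;` in a loc URL were preserved, while the escapeHtml helper will presumably re-encode them to `&amp;amp;`; if existing sitemap output relied on that, it is a behavioural change that deserves a test.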
51 changes: 40 additions & 11 deletions src/Helper/Placeholder/Container/AbstractStandalone.php
Expand Up @@ -10,8 +10,10 @@

namespace Zend\View\Helper\Placeholder\Container;

use Zend\Escaper\Escaper;
use Zend\View\Exception;
use Zend\View\Helper\Placeholder\Registry;
use Zend\View\Renderer\RendererInterface;

/**
* Base class for targeted placeholder helpers
Expand All @@ -28,6 +30,11 @@ abstract class AbstractStandalone
*/
protected $container;

/**
* @var Escaper[]
*/
protected $escapers = array();

/**
* @var \Zend\View\Helper\Placeholder\Registry
*/
Expand Down Expand Up @@ -78,6 +85,35 @@ public function setRegistry(Registry $registry)
return $this;
}

/**
* Set Escaper instance
*
* @param Escaper $escaper
* @return AbstractStandalone
*/
public function setEscaper(Escaper $escaper)
{
$encoding = $escaper->getEncoding();
$this->escapers[$encoding] = $escaper;
return $this;
}

/**
* Get Escaper instance
*
* Lazy-loads one if none available
*
* @return mixed
*/
public function getEscaper($enc = 'UTF-8')
{
$enc = strtolower($enc);
if (!isset($this->escapers[$enc])) {
$this->setEscaper(new Escaper($enc));
}
return $this->escapers[$enc];
}

/**
* Set whether or not auto escaping should be used
*
Expand Down Expand Up @@ -108,23 +144,16 @@ public function getAutoEscape()
*/
protected function escape($string)
{
$enc = 'UTF-8';
if ($this->view instanceof \Zend\View\Renderer\RendererInterface
if ($this->view instanceof RendererInterface
&& method_exists($this->view, 'getEncoding')
) {
$enc = $this->view->getEncoding();
$enc = $this->view->getEncoding();
$escaper = $this->view->plugin('escapeHtml');
return $escaper((string) $string);
}
/**
* bump this out to a protected method to kill the instance penalty!
*/
$escaper = new \Zend\Escaper\Escaper($enc);

$escaper = $this->getEscaper();
return $escaper->escapeHtml((string) $string);
/**
* Replaced to ensure consistent escaping
*/
//return htmlspecialchars((string) $string, ENT_COMPAT, $enc);
}

/**
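Review bot: In the rewritten `escape()`, the view branch checks `method_exists($this->view, 'getEncoding')` but then calls `$this->view->plugin('escapeHtml')`, which that check does not cover, so a `RendererInterface` implementation without `plugin()` now fails fatally where it previously escaped via `htmlspecialchars`; the `$enc = $this->view->getEncoding();` assignment in that branch is also dead, since nothing reads it before the `return`. Replace the condition with `if ($this->view instanceof RendererInterface && method_exists($this->view, 'plugin')) {` and drop the unused assignment, leaving only the two plugin lines in the branch. In the new `getEscaper()` docblock, `@return mixed` should read `@return Escaper` and a `@param string $enc` line is missing. Finally, `setEscaper()` keys the cache by `$escaper->getEncoding()` while `getEscaper()` looks it up by `strtolower($enc)`, which only agrees if the Escaper normalises its encoding to lower case; either confirm that or key with `strtolower($escaper->getEncoding())` in `setEscaper()` as well.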
