Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow safe tags in escapeHtml #3998

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion module/VuFind/src/VuFind/RecordDriver/DefaultRecord.php
Original file line number Diff line number Diff line change
Expand Up @@ -1211,7 +1211,14 @@ public function getSeries()
*/
public function getShortTitle()
{
return $this->fields['title_short'] ?? '';
// Faking an example of HTML that would not be escaped
$title = $this->fields['title_short'] ?? '';
$words = explode(' ', $title);
if (count($words) > 3) {
$words[2] = '<em>' . $words[2] . '</em>';
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just so the effect is easily demoed, on any record with a reasonably long title.

}
$title = implode(' ', $words);
return $title;
}

/**
Expand Down
76 changes: 76 additions & 0 deletions module/VuFind/src/VuFind/View/Helper/Root/EscapeHtml.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
<?php

/**
* Escape view helper
*
* PHP version 8
*
* Copyright (C) Villanova University 2010.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* @category VuFind
* @package View_Helpers
* @author Maccabee Levine <msl321@lehigh.edu>
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
* @link https://vufind.org/wiki/development Wiki
*/

namespace VuFind\View\Helper\Root;

use Laminas\View\Helper\EscapeHtml as LaminasEscapeHtml;

/**
* Escape view helper
*
* @category VuFind
* @package View_Helpers
* @author Maccabee Levine <msl321@lehigh.edu>
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License
* @link https://vufind.org/wiki/development Wiki
*/
class EscapeHtml extends \Laminas\View\Helper\AbstractHelper
{
protected $laminasEscapeHtml;

/**
* Constructor
*/
public function __construct()
{
$this->laminasEscapeHtml = new LaminasEscapeHtml();
}

/**
* This helper calls Laminas escapeHtml, but allows safe styling characters
*
* @param string $str The string to escape
* @param array $except Array of tag names to leave as is. Only simple tags
* (no attributes).
*
* @return string The partially escaped string
*/
public function __invoke($str, $except = ['em', 'i', 'b'])
{
$escaped = $this->laminasEscapeHtml->__invoke($str);

// Revert ok chars
foreach ($except as $tag) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be more efficient to create arrays of searches and replacements and then do a single str_replace call, instead of doing multiple str_replace calls in a loop.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...but if @EreMaijala's solution is the best way forward, it's a moot point. :-)

$escaped = str_replace("&lt;{$tag}&gt;", "<{$tag}>", $escaped);
$escaped = str_replace("&lt;/{$tag}&gt;", "</{$tag}>", $escaped);
}

return $escaped;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -453,7 +453,7 @@ public function testGetCallNumber()
*/
public function testGetBreadcrumb()
{
$breadcrumb = 'La congiura dei Principi Napoletani 1701 :';
$breadcrumb = 'La congiura <em>dei</em> Principi Napoletani 1701 :';
$this->assertEquals($breadcrumb, $this->getDriver()->getBreadcrumb());
}

Expand Down
2 changes: 2 additions & 0 deletions themes/root/theme.config.php
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
'VuFind\View\Helper\Root\DateTime' => 'VuFind\View\Helper\Root\DateTimeFactory',
'VuFind\View\Helper\Root\DisplayLanguageOption' => 'VuFind\View\Helper\Root\DisplayLanguageOptionFactory',
'VuFind\View\Helper\Root\Doi' => 'VuFind\View\Helper\Root\DoiFactory',
'VuFind\View\Helper\Root\EscapeHtml' => 'Laminas\ServiceManager\Factory\InvokableFactory',
'VuFind\View\Helper\Root\ExplainElement' => 'Laminas\ServiceManager\Factory\InvokableFactory',
'VuFind\View\Helper\Root\Export' => 'VuFind\View\Helper\Root\ExportFactory',
'VuFind\View\Helper\Root\Feedback' => 'VuFind\View\Helper\Root\FeedbackFactory',
Expand Down Expand Up @@ -126,6 +127,7 @@
'dateTime' => 'VuFind\View\Helper\Root\DateTime',
'displayLanguageOption' => 'VuFind\View\Helper\Root\DisplayLanguageOption',
'doi' => 'VuFind\View\Helper\Root\Doi',
'escapeHtml' => 'VuFind\View\Helper\Root\EscapeHtml',
'explainElement' => 'VuFind\View\Helper\Root\ExplainElement',
'export' => 'VuFind\View\Helper\Root\Export',
'feedback' => 'VuFind\View\Helper\Root\Feedback',
Expand Down
Loading