

[zendframework/zendframework#1] Remove auto-escaping from PhpRenderer
- Feedback indicates the current solution is incomplete, misleading and/or
  confusing to end-users. Removed all auto-escaping from the Variables
  container, and updated the helpers to call the Escape helper instead.
weierophinney committed Feb 28, 2012
Showing 28 changed files with 138 additions and 466 deletions.
5 changes: 3 additions & 2 deletions src/Helper/Fieldset.php
Expand Up @@ -50,20 +50,21 @@ public function __invoke($name = null, $content = null, $attribs = null)
extract($info);

// get legend
$escaper = $this->view->plugin('escape');
$legend = '';
if (isset($attribs['legend'])) {
$legendString = trim($attribs['legend']);
if (!empty($legendString)) {
$legend = '<legend>'
. (($escape) ? $this->view->vars()->escape($legendString) : $legendString)
. (($escape) ? $escaper($legendString) : $legendString)
. '</legend>' . PHP_EOL;
}
unset($attribs['legend']);
}

// get id
if (!empty($id)) {
$id = ' id="' . $this->view->vars()->escape($id) . '"';
$id = ' id="' . $escaper($id) . '"';
} else {
$id = '';
}
3 changes: 2 additions & 1 deletion src/Helper/Form.php
Expand Up @@ -50,7 +50,8 @@ public function __invoke($name = null, $attribs = null, $content = false)
extract($info);

if (!empty($id)) {
$id = ' id="' . $this->view->vars()->escape($id) . '"';
$escaper = $this->view->plugin('escape');
$id = ' id="' . $escaper($id) . '"';
} else {
$id = '';
}
11 changes: 6 additions & 5 deletions src/Helper/FormButton.php
Expand Up @@ -82,16 +82,17 @@ public function __invoke($name = null, $value = null, $attribs = null)
$attribs['disabled'] = 'disabled';
}

$content = ($escape) ? $this->view->vars()->escape($content) : $content;
$escaper = $this->view->plugin('escape');
$content = ($escape) ? $escaper($content) : $content;

$xhtml = '<button'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' type="' . $type . '"';
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. ' type="' . $type . '"';

// add a value if one is given
if (!empty($value)) {
$xhtml .= ' value="' . $this->view->vars()->escape($value) . '"';
$xhtml .= ' value="' . $escaper($value) . '"';
}

// add attributes and close start tag
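Review bot: `$type` is still interpolated raw on the line `. ' type="' . $type . '"'` while `name`, `id` and `value` on the neighbouring lines now go through `$escaper`; whether that is safe depends on `$type` being restricted to a fixed set earlier in `__invoke`, which lies outside this hunk and I cannot confirm. If no such whitelist exists, route it through the escaper the way FormText does in this same commit: `. ' type="' . $escaper($type) . '"'`. It is cheap either way and makes the helper's attribute handling uniform. The start of `__invoke` is outside the hunk.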
9 changes: 5 additions & 4 deletions src/Helper/FormCheckbox.php
Expand Up @@ -86,14 +86,15 @@ public function __invoke($name, $value = null, $attribs = null, array $checkedOp
}

// build the element
$xhtml = '';
$xhtml = '';
$escaper = $this->view->plugin('escape');
if (!$disable && !strstr($name, '[]')) {
$xhtml = $this->_hidden($name, $checkedOptions['uncheckedValue']);
}
$xhtml .= '<input type="checkbox"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' value="' . $this->view->vars()->escape($checkedOptions['checkedValue']) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. ' value="' . $escaper($checkedOptions['checkedValue']) . '"'
. $checkedOptions['checkedString']
. $disabled
. $this->_htmlAttribs($attribs)
5 changes: 3 additions & 2 deletions src/Helper/FormElement.php
Expand Up @@ -190,9 +190,10 @@ protected function _getInfo($name, $value = null, $attribs = null,
*/
protected function _hidden($name, $value = null, $attribs = null)
{
$escaper = $this->view->plugin('escape');
return '<input type="hidden"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' value="' . $this->view->vars()->escape($value) . '"'
. ' name="' . $escaper($name) . '"'
. ' value="' . $escaper($value) . '"'
. $this->_htmlAttribs($attribs) . $this->getClosingBracket();
}
}
3 changes: 2 additions & 1 deletion src/Helper/FormErrors.php
Expand Up @@ -75,8 +75,9 @@ public function __invoke($errors, array $options = null)
}

if ($escape) {
$escaper = $this->view->plugin('escape');
foreach ($errors as $key => $error) {
$errors[$key] = $this->view->vars()->escape($error);
$errors[$key] = $escaper($error);
}
}

13 changes: 7 additions & 6 deletions src/Helper/FormFile.php
Expand Up @@ -67,12 +67,13 @@ public function __invoke($name, $attribs = null)
}

// build the element
$xhtml = '<input type="file"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. $disabled
. $this->_htmlAttribs($attribs)
. $endTag;
$escaper = $this->view->plugin('escape');
$xhtml = '<input type="file"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $disabled
. $this->_htmlAttribs($attribs)
. $endTag;

return $xhtml;
}
11 changes: 6 additions & 5 deletions src/Helper/FormImage.php
Expand Up @@ -56,17 +56,18 @@ public function __invoke($name, $value = null, $attribs = null)
extract($info); // name, value, attribs, options, listsep, disable

// Determine if we should use the value or the src attribute
$escaper = $this->view->plugin('escape');
if (isset($attribs['src'])) {
$src = ' src="' . $this->view->vars()->escape($attribs['src']) . '"';
$src = ' src="' . $escaper($attribs['src']) . '"';
unset($attribs['src']);
} else {
$src = ' src="' . $this->view->vars()->escape($value) . '"';
$src = ' src="' . $escaper($value) . '"';
unset($value);
}

// Do we have a value?
if (isset($value) && !empty($value)) {
$value = ' value="' . $this->view->vars()->escape($value) . '"';
$value = ' value="' . $escaper($value) . '"';
} else {
$value = '';
}
Expand All @@ -85,8 +86,8 @@ public function __invoke($name, $value = null, $attribs = null)

// build the element
$xhtml = '<input type="image"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $src
. $value
. $disabled
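Review bot: Both `src` branches wrap the value in `$escaper`, which (assuming the Escape helper performs HTML/attribute escaping) stops the value from breaking out of the `src="..."` attribute but does nothing about what URL it is — an attacker-chosen remote URL or an unexpected scheme survives escaping byte-for-byte. That is fine if `$attribs['src']` and `$value` only ever originate in application code, but nothing in the hunk establishes that, so the contract should be stated on the method: `// $escaper only guards the attribute context; it does not validate the src URL — never pass an untrusted URL here.` If untrusted input is possible, restrict `src` to relative or http(s) URLs before it reaches this point. The method begins before the hunk.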
9 changes: 5 additions & 4 deletions src/Helper/FormLabel.php
Expand Up @@ -55,10 +55,11 @@ public function __invoke($name, $value = null, array $attribs = null)
return '';
}

$value = ($escape) ? $this->view->vars()->escape($value) : $value;
$for = (empty($attribs['disableFor']) || !$attribs['disableFor'])
? ' for="' . $this->view->vars()->escape($id) . '"'
: '';
$escaper = $this->view->plugin('escape');
$value = ($escape) ? $escaper($value) : $value;
$for = (empty($attribs['disableFor']) || !$attribs['disableFor'])
? ' for="' . $escaper($id) . '"'
: '';
if (array_key_exists('disableFor', $attribs)) {
unset($attribs['disableFor']);
}
7 changes: 4 additions & 3 deletions src/Helper/FormPassword.php
Expand Up @@ -65,9 +65,10 @@ public function __invoke($name, $value = null, $attribs = null)

// determine the XHTML value
$valueString = ' value=""';
$escaper = $this->view->plugin('escape');
if (array_key_exists('renderPassword', $attribs)) {
if ($attribs['renderPassword']) {
$valueString = ' value="' . $this->view->vars()->escape($value) . '"';
$valueString = ' value="' . $escaper($value) . '"';
}
unset($attribs['renderPassword']);
}
Expand All @@ -80,8 +81,8 @@ public function __invoke($name, $value = null, $attribs = null)

// render the element
$xhtml = '<input type="password"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $valueString
. $disabled
. $this->_htmlAttribs($attribs)
7 changes: 4 additions & 3 deletions src/Helper/FormRadio.php
Expand Up @@ -112,7 +112,8 @@ public function __invoke($name, $value = null, $attribs = null, $options = null,
$list = array();

// should the name affect an array collection?
$name = $this->view->vars()->escape($name);
$escaper = $this->view->plugin('escape');
$name = $escaper($name);
if ($this->_isArray && ('[]' != substr($name, -2))) {
$name .= '[]';
}
Expand All @@ -132,7 +133,7 @@ public function __invoke($name, $value = null, $attribs = null, $options = null,

// Should the label be escaped?
if ($escape) {
$opt_label = $this->view->vars()->escape($opt_label);
$opt_label = $escaper($opt_label);
}

// is it disabled?
Expand All @@ -159,7 +160,7 @@ public function __invoke($name, $value = null, $attribs = null, $options = null,
. '<input type="' . $this->_inputType . '"'
. ' name="' . $name . '"'
. ' id="' . $optId . '"'
. ' value="' . $this->view->vars()->escape($opt_value) . '"'
. ' value="' . $escaper($opt_value) . '"'
. $checked
. $disabled
. $this->_htmlAttribs($attribs)
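Review bot: `$optId` on the line `' id="' . $optId . '"'` is emitted without the escaper, whereas `$name` and `$opt_value` on the adjacent lines are escaped; it is built outside this hunk, so if it is derived from `$opt_value` or the caller-supplied id without its own filtering it needs `' id="' . $escaper($optId) . '"'` too. Escaping `$name` before the `'[]'` suffix check is fine because the suffix is unaffected by escaping, but `$name` now lives in escaped form for the rest of the method, so any later non-HTML use of it inside the option loop (not visible here) would see escaped text. The option loop and `__invoke` both extend beyond the hunk.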
7 changes: 4 additions & 3 deletions src/Helper/FormReset.php
Expand Up @@ -69,14 +69,15 @@ public function __invoke($name = '', $value = 'Reset', $attribs = null)
}

// Render button
$escaper = $this->view->plugin('escape');
$xhtml = '<input type="reset"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $disabled;

// add a value if one is given
if (! empty($value)) {
$xhtml .= ' value="' . $this->view->vars()->escape($value) . '"';
$xhtml .= ' value="' . $escaper($value) . '"';
}

// add attributes, close, and return
14 changes: 8 additions & 6 deletions src/Helper/FormSelect.php
Expand Up @@ -100,9 +100,10 @@ public function __invoke($name, $value = null, $attribs = null, $options = null,
}

// Build the surrounding select element first.
$escaper = $this->view->plugin('escape');
$xhtml = '<select'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $multiple
. $disabled
. $this->_htmlAttribs($attribs)
Expand All @@ -122,7 +123,7 @@ public function __invoke($name, $value = null, $attribs = null, $options = null,
}
$list[] = '<optgroup'
. $opt_disable
. ' label="' . $this->view->vars()->escape($opt_value) .'">';
. ' label="' . $escaper($opt_value) .'">';
foreach ($opt_label as $val => $lab) {
$list[] = $this->_build($val, $lab, $value, $disable);
}
Expand Down Expand Up @@ -153,9 +154,10 @@ protected function _build($value, $label, $selected, $disable)
$disable = array();
}

$escaper = $this->view->plugin('escape');
$opt = '<option'
. ' value="' . $this->view->vars()->escape($value) . '"'
. ' label="' . $this->view->vars()->escape($label) . '"';
. ' value="' . $escaper($value) . '"'
. ' label="' . $escaper($label) . '"';

// selected?
if (in_array((string) $value, $selected)) {
Expand All @@ -167,7 +169,7 @@ protected function _build($value, $label, $selected, $disable)
$opt .= ' disabled="disabled"';
}

$opt .= '>' . $this->view->vars()->escape($label) . "</option>";
$opt .= '>' . $escaper($label) . "</option>";

return $opt;
}
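Review bot: `_build` now resolves `$escaper = $this->view->plugin('escape')` on every call, and it is called once per option (the `foreach ($opt_label as $val => $lab)` in the optgroup branch, and presumably the plain-option path outside the hunk), so a large `<select>` performs one plugin lookup per `<option>`. Since `__invoke` already resolves the same helper a few lines earlier, cache it on the helper (a protected property set in `__invoke` and read in `_build`) rather than re-resolving it. This is a style/efficiency point only; output is unchanged. Both `__invoke` and `_build` continue outside the hunk.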
7 changes: 4 additions & 3 deletions src/Helper/FormSubmit.php
Expand Up @@ -69,10 +69,11 @@ public function __invoke($name, $value = null, $attribs = null)
}

// Render the button.
$escaper = $this->view->plugin('escape');
$xhtml = '<input type="submit"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' value="' . $this->view->vars()->escape($value) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. ' value="' . $escaper($value) . '"'
. $disabled
. $this->_htmlAttribs($attribs)
. $endTag;
9 changes: 5 additions & 4 deletions src/Helper/FormText.php
Expand Up @@ -84,11 +84,12 @@ public function __invoke($name, $value = null, $attribs = null)
$endTag= '>';
}

$escaper = $this->view->plugin('escape');
$xhtml = '<input'
. ' type="' . $this->view->vars()->escape($inputType) . '"'
. ' name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. ' value="' . $this->view->vars()->escape($value) . '"'
. ' type="' . $escaper($inputType) . '"'
. ' name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. ' value="' . $escaper($value) . '"'
. $disabled
. $this->_htmlAttribs($attribs)
. $endTag;
11 changes: 6 additions & 5 deletions src/Helper/FormTextarea.php
Expand Up @@ -91,11 +91,12 @@ public function __invoke($name, $value = null, $attribs = null)
}

// build the element
$xhtml = '<textarea name="' . $this->view->vars()->escape($name) . '"'
. ' id="' . $this->view->vars()->escape($id) . '"'
. $disabled
. $this->_htmlAttribs($attribs) . '>'
. $this->view->vars()->escape($value) . '</textarea>';
$escaper = $this->view->plugin('escape');
$xhtml = '<textarea name="' . $escaper($name) . '"'
. ' id="' . $escaper($id) . '"'
. $disabled
. $this->_htmlAttribs($attribs) . '>'
. $escaper($value) . '</textarea>';

return $xhtml;
}
7 changes: 4 additions & 3 deletions src/Helper/HtmlElement.php
Expand Up @@ -88,9 +88,10 @@ protected function _isXhtml()
*/
protected function _htmlAttribs($attribs)
{
$xhtml = '';
$xhtml = '';
$escaper = $this->view->plugin('escape');
foreach ((array) $attribs as $key => $val) {
$key = $this->view->vars()->escape($key);
$key = $escaper($key);

if (('on' == substr($key, 0, 2)) || ('constraints' == $key)) {
// Don't escape event attributes; _do_ substitute double quotes with singles
Expand All @@ -107,7 +108,7 @@ protected function _htmlAttribs($attribs)
if (is_array($val)) {
$val = implode(' ', $val);
}
$val = $this->view->vars()->escape($val);
$val = $escaper($val);
}

if ('id' == $key) {
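Review bot: The `on*` / `constraints` branch immediately after `$key = $escaper($key)` still emits attribute values without the escaper (only the double-to-single quote substitution described in its comment), so `_htmlAttribs` remains unsafe whenever the attribute *keys* can be influenced by untrusted data — a caller-controlled key such as `onmouseover` delivers its value into the markup raw. The commit swaps the escaper but leaves that contract undocumented; at minimum add to the method's docblock: `NOTE: values of on* and 'constraints' keys are NOT escaped; only pass event-handler attributes from trusted code.` If the Escape helper is htmlspecialchars-based it also leaves whitespace in `$key` untouched, so escaping the key alone does not prevent attribute injection through a hostile key. The body of that branch and the docblock are outside the hunk, so I cannot tell whether any key whitelist exists elsewhere.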
3 changes: 2 additions & 1 deletion src/Helper/HtmlList.php
Expand Up @@ -52,7 +52,8 @@ public function __invoke(array $items, $ordered = false, $attribs = false, $esca
foreach ($items as $item) {
if (!is_array($item)) {
if ($escape) {
$item = $this->view->vars()->escape($item);
$escaper = $this->view->plugin('escape');
$item = $escaper($item);
}
$list .= '<li>' . $item . '</li>' . self::EOL;
} else {
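Review bot: `$escaper = $this->view->plugin('escape')` is placed inside the `foreach` and inside `if ($escape)`, so the plugin is re-resolved for every list item; hoist it above the loop, e.g. `$escaper = $this->view->plugin('escape');` directly before `foreach ($items as $item)`. The nested-array case in the `else` branch is outside the hunk and presumably recurses into the helper, which would repeat the lookup per nesting level as well. No behavioural change is involved.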
4 changes: 3 additions & 1 deletion src/Helper/Navigation/AbstractHelper.php
Expand Up @@ -641,8 +641,10 @@ public function htmlify(AbstractPage $page)
'target' => $page->getTarget()
);

$escaper = $this->view->plugin('escape');

return '<a' . $this->_htmlAttribs($attribs) . '>'
. $this->view->vars()->escape($label)
. $escaper($label)
. '</a>';
}

3 changes: 2 additions & 1 deletion src/Helper/Navigation/Breadcrumbs.php
Expand Up @@ -193,7 +193,8 @@ public function renderStraight(Container $container = null)
if ($this->getUseTranslator() && $t = $this->getTranslator()) {
$html = $t->translate($html);
}
$html = $this->view->vars()->escape($html);
$escaper = $this->view->plugin('escape');
$html = $escaper($html);
}

// walk back to root
3 changes: 2 additions & 1 deletion src/Helper/Navigation/Menu.php
Expand Up @@ -235,8 +235,9 @@ public function htmlify(AbstractPage $page)
$element = 'span';
}

$escaper = $this->view->plugin('escape');
return '<' . $element . $this->_htmlAttribs($attribs) . '>'
. $this->view->vars()->escape($label)
. $escaper($label)
. '</' . $element . '>';
}

