e544ed6d9a
Comparing changes: https://github.com/smarty-php/smarty/compare/v4.3.1...v4.4.1 It is noticeable that Smarty 4.3.1 does not officially support PHP 8.3. Is only supported with 4.4.0. Remark: During tests with Smarty 4.5.1, it was noticed that the following warning occurs: Deprecated: Using the unregistered function "function_exists" in a template is deprecated and will be removed in a future version. Use Smarty::registerPlugin to explicitly register a custom modifier. As of Smarty 5.X.X, templates must be revised again. The Smarty release 5.0.2 is already officially available. However, integration into FlatPress is not entirely trivial.
190 lines
6.7 KiB
PHP
190 lines
6.7 KiB
PHP
<?php
|
|
/**
|
|
* Smarty plugin
|
|
*
|
|
* @package Smarty
|
|
* @subpackage PluginsModifier
|
|
*/
|
|
/**
|
|
* Smarty escape modifier plugin
|
|
* Type: modifier
|
|
* Name: escape
|
|
* Purpose: escape string for output
|
|
*
|
|
* @link https://www.smarty.net/docs/en/language.modifier.escape
|
|
* @author Monte Ohrt <monte at ohrt dot com>
|
|
*
|
|
* @param string $string input string
|
|
* @param string $esc_type escape type
|
|
* @param string $char_set character set, used for htmlspecialchars() or htmlentities()
|
|
* @param boolean $double_encode encode already encoded entitites again, used for htmlspecialchars() or htmlentities()
|
|
*
|
|
* @return string escaped input string
|
|
*/
|
|
function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $double_encode = true)
|
|
{
|
|
static $is_loaded_1 = false;
|
|
static $is_loaded_2 = false;
|
|
if (!$char_set) {
|
|
$char_set = Smarty::$_CHARSET;
|
|
}
|
|
|
|
$string = (string)$string;
|
|
|
|
switch ($esc_type) {
|
|
case 'html':
|
|
return htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode);
|
|
// no break
|
|
case 'htmlall':
|
|
if (Smarty::$_MBSTRING) {
|
|
$string = mb_convert_encoding($string, 'UTF-8', $char_set);
|
|
return htmlentities($string, ENT_QUOTES, 'UTF-8', $double_encode);
|
|
}
|
|
// no MBString fallback
|
|
return htmlentities($string, ENT_QUOTES, $char_set, $double_encode);
|
|
// no break
|
|
case 'url':
|
|
return rawurlencode($string);
|
|
case 'urlpathinfo':
|
|
return str_replace('%2F', '/', rawurlencode($string));
|
|
case 'quotes':
|
|
// escape unescaped single quotes
|
|
return preg_replace("%(?<!\\\\)'%", "\\'", $string);
|
|
case 'hex':
|
|
// escape every byte into hex
|
|
// Note that the UTF-8 encoded character ä will be represented as %c3%a4
|
|
$return = '';
|
|
$_length = strlen($string);
|
|
for ($x = 0; $x < $_length; $x++) {
|
|
$return .= '%' . bin2hex($string[ $x ]);
|
|
}
|
|
return $return;
|
|
case 'hexentity':
|
|
$return = '';
|
|
if (Smarty::$_MBSTRING) {
|
|
if (!$is_loaded_1) {
|
|
if (!is_callable('smarty_mb_to_unicode')) {
|
|
include_once SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php';
|
|
}
|
|
$is_loaded_1 = true;
|
|
}
|
|
$return = '';
|
|
foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) {
|
|
$return .= '&#x' . strtoupper(dechex($unicode)) . ';';
|
|
}
|
|
return $return;
|
|
}
|
|
// no MBString fallback
|
|
$_length = strlen($string);
|
|
for ($x = 0; $x < $_length; $x++) {
|
|
$return .= '&#x' . bin2hex($string[ $x ]) . ';';
|
|
}
|
|
return $return;
|
|
case 'decentity':
|
|
$return = '';
|
|
if (Smarty::$_MBSTRING) {
|
|
if (!$is_loaded_1) {
|
|
if (!is_callable('smarty_mb_to_unicode')) {
|
|
include_once SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php';
|
|
}
|
|
$is_loaded_1 = true;
|
|
}
|
|
$return = '';
|
|
foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) {
|
|
$return .= '&#' . $unicode . ';';
|
|
}
|
|
return $return;
|
|
}
|
|
// no MBString fallback
|
|
$_length = strlen($string);
|
|
for ($x = 0; $x < $_length; $x++) {
|
|
$return .= '&#' . ord($string[ $x ]) . ';';
|
|
}
|
|
return $return;
|
|
case 'javascript':
|
|
// escape quotes and backslashes, newlines, etc.
|
|
return strtr(
|
|
$string,
|
|
array(
|
|
'\\' => '\\\\',
|
|
"'" => "\\'",
|
|
'"' => '\\"',
|
|
"\r" => '\\r',
|
|
"\n" => '\\n',
|
|
'</' => '<\/',
|
|
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
|
|
'<!--' => '<\!--',
|
|
'<s' => '<\s',
|
|
'<S' => '<\S',
|
|
"`" => "\\\\`",
|
|
"\${" => "\\\\\\$\\{"
|
|
)
|
|
);
|
|
case 'mail':
|
|
if (Smarty::$_MBSTRING) {
|
|
if (!$is_loaded_2) {
|
|
if (!is_callable('smarty_mb_str_replace')) {
|
|
include_once SMARTY_PLUGINS_DIR . 'shared.mb_str_replace.php';
|
|
}
|
|
$is_loaded_2 = true;
|
|
}
|
|
return smarty_mb_str_replace(
|
|
array(
|
|
'@',
|
|
'.'
|
|
),
|
|
array(
|
|
' [AT] ',
|
|
' [DOT] '
|
|
),
|
|
$string
|
|
);
|
|
}
|
|
// no MBString fallback
|
|
return str_replace(
|
|
array(
|
|
'@',
|
|
'.'
|
|
),
|
|
array(
|
|
' [AT] ',
|
|
' [DOT] '
|
|
),
|
|
$string
|
|
);
|
|
case 'nonstd':
|
|
// escape non-standard chars, such as ms document quotes
|
|
$return = '';
|
|
if (Smarty::$_MBSTRING) {
|
|
if (!$is_loaded_1) {
|
|
if (!is_callable('smarty_mb_to_unicode')) {
|
|
include_once SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php';
|
|
}
|
|
$is_loaded_1 = true;
|
|
}
|
|
foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) {
|
|
if ($unicode >= 126) {
|
|
$return .= '&#' . $unicode . ';';
|
|
} else {
|
|
$return .= chr($unicode);
|
|
}
|
|
}
|
|
return $return;
|
|
}
|
|
$_length = strlen($string);
|
|
for ($_i = 0; $_i < $_length; $_i++) {
|
|
$_ord = ord(substr($string, $_i, 1));
|
|
// non-standard char, escape it
|
|
if ($_ord >= 126) {
|
|
$return .= '&#' . $_ord . ';';
|
|
} else {
|
|
$return .= substr($string, $_i, 1);
|
|
}
|
|
}
|
|
return $return;
|
|
default:
|
|
trigger_error("escape: unsupported type: $esc_type - returning unmodified string", E_USER_NOTICE);
|
|
return $string;
|
|
}
|
|
}
|