Matthias Andreas Benkard | 12a5735 | 2021-12-28 18:02:04 +0100 | [diff] [blame^] | 1 | <?php |
| 2 | |
| 3 | /* |
| 4 | * This file is part of Twig. |
| 5 | * |
| 6 | * (c) Fabien Potencier |
| 7 | * |
| 8 | * For the full copyright and license information, please view the LICENSE |
| 9 | * file that was distributed with this source code. |
| 10 | */ |
| 11 | |
| 12 | namespace Twig\Extension { |
| 13 | use Twig\FileExtensionEscapingStrategy; |
| 14 | use Twig\NodeVisitor\EscaperNodeVisitor; |
| 15 | use Twig\TokenParser\AutoEscapeTokenParser; |
| 16 | use Twig\TwigFilter; |
| 17 | |
| 18 | final class EscaperExtension extends AbstractExtension |
| 19 | { |
| 20 | private $defaultStrategy; |
| 21 | private $escapers = []; |
| 22 | |
| 23 | /** @internal */ |
| 24 | public $safeClasses = []; |
| 25 | |
| 26 | /** @internal */ |
| 27 | public $safeLookup = []; |
| 28 | |
| 29 | /** |
| 30 | * @param string|false|callable $defaultStrategy An escaping strategy |
| 31 | * |
| 32 | * @see setDefaultStrategy() |
| 33 | */ |
| 34 | public function __construct($defaultStrategy = 'html') |
| 35 | { |
| 36 | $this->setDefaultStrategy($defaultStrategy); |
| 37 | } |
| 38 | |
| 39 | public function getTokenParsers(): array |
| 40 | { |
| 41 | return [new AutoEscapeTokenParser()]; |
| 42 | } |
| 43 | |
| 44 | public function getNodeVisitors(): array |
| 45 | { |
| 46 | return [new EscaperNodeVisitor()]; |
| 47 | } |
| 48 | |
| 49 | public function getFilters(): array |
| 50 | { |
| 51 | return [ |
| 52 | new TwigFilter('escape', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']), |
| 53 | new TwigFilter('e', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']), |
| 54 | new TwigFilter('raw', 'twig_raw_filter', ['is_safe' => ['all']]), |
| 55 | ]; |
| 56 | } |
| 57 | |
| 58 | /** |
| 59 | * Sets the default strategy to use when not defined by the user. |
| 60 | * |
| 61 | * The strategy can be a valid PHP callback that takes the template |
| 62 | * name as an argument and returns the strategy to use. |
| 63 | * |
| 64 | * @param string|false|callable $defaultStrategy An escaping strategy |
| 65 | */ |
| 66 | public function setDefaultStrategy($defaultStrategy): void |
| 67 | { |
| 68 | if ('name' === $defaultStrategy) { |
| 69 | $defaultStrategy = [FileExtensionEscapingStrategy::class, 'guess']; |
| 70 | } |
| 71 | |
| 72 | $this->defaultStrategy = $defaultStrategy; |
| 73 | } |
| 74 | |
| 75 | /** |
| 76 | * Gets the default strategy to use when not defined by the user. |
| 77 | * |
| 78 | * @param string $name The template name |
| 79 | * |
| 80 | * @return string|false The default strategy to use for the template |
| 81 | */ |
| 82 | public function getDefaultStrategy(string $name) |
| 83 | { |
| 84 | // disable string callables to avoid calling a function named html or js, |
| 85 | // or any other upcoming escaping strategy |
| 86 | if (!\is_string($this->defaultStrategy) && false !== $this->defaultStrategy) { |
| 87 | return \call_user_func($this->defaultStrategy, $name); |
| 88 | } |
| 89 | |
| 90 | return $this->defaultStrategy; |
| 91 | } |
| 92 | |
| 93 | /** |
| 94 | * Defines a new escaper to be used via the escape filter. |
| 95 | * |
| 96 | * @param string $strategy The strategy name that should be used as a strategy in the escape call |
| 97 | * @param callable $callable A valid PHP callable |
| 98 | */ |
| 99 | public function setEscaper($strategy, callable $callable) |
| 100 | { |
| 101 | $this->escapers[$strategy] = $callable; |
| 102 | } |
| 103 | |
| 104 | /** |
| 105 | * Gets all defined escapers. |
| 106 | * |
| 107 | * @return callable[] An array of escapers |
| 108 | */ |
| 109 | public function getEscapers() |
| 110 | { |
| 111 | return $this->escapers; |
| 112 | } |
| 113 | |
| 114 | public function setSafeClasses(array $safeClasses = []) |
| 115 | { |
| 116 | $this->safeClasses = []; |
| 117 | $this->safeLookup = []; |
| 118 | foreach ($safeClasses as $class => $strategies) { |
| 119 | $this->addSafeClass($class, $strategies); |
| 120 | } |
| 121 | } |
| 122 | |
| 123 | public function addSafeClass(string $class, array $strategies) |
| 124 | { |
| 125 | $class = ltrim($class, '\\'); |
| 126 | if (!isset($this->safeClasses[$class])) { |
| 127 | $this->safeClasses[$class] = []; |
| 128 | } |
| 129 | $this->safeClasses[$class] = array_merge($this->safeClasses[$class], $strategies); |
| 130 | |
| 131 | foreach ($strategies as $strategy) { |
| 132 | $this->safeLookup[$strategy][$class] = true; |
| 133 | } |
| 134 | } |
| 135 | } |
| 136 | } |
| 137 | |
| 138 | namespace { |
| 139 | use Twig\Environment; |
| 140 | use Twig\Error\RuntimeError; |
| 141 | use Twig\Extension\EscaperExtension; |
| 142 | use Twig\Markup; |
| 143 | use Twig\Node\Expression\ConstantExpression; |
| 144 | use Twig\Node\Node; |
| 145 | |
| 146 | /** |
| 147 | * Marks a variable as being safe. |
| 148 | * |
| 149 | * @param string $string A PHP variable |
| 150 | */ |
| 151 | function twig_raw_filter($string) |
| 152 | { |
| 153 | return $string; |
| 154 | } |
| 155 | |
| 156 | /** |
| 157 | * Escapes a string. |
| 158 | * |
| 159 | * @param mixed $string The value to be escaped |
| 160 | * @param string $strategy The escaping strategy |
| 161 | * @param string $charset The charset |
| 162 | * @param bool $autoescape Whether the function is called by the auto-escaping feature (true) or by the developer (false) |
| 163 | * |
| 164 | * @return string |
| 165 | */ |
| 166 | function twig_escape_filter(Environment $env, $string, $strategy = 'html', $charset = null, $autoescape = false) |
| 167 | { |
| 168 | if ($autoescape && $string instanceof Markup) { |
| 169 | return $string; |
| 170 | } |
| 171 | |
| 172 | if (!\is_string($string)) { |
| 173 | if (\is_object($string) && method_exists($string, '__toString')) { |
| 174 | if ($autoescape) { |
| 175 | $c = \get_class($string); |
| 176 | $ext = $env->getExtension(EscaperExtension::class); |
| 177 | if (!isset($ext->safeClasses[$c])) { |
| 178 | $ext->safeClasses[$c] = []; |
| 179 | foreach (class_parents($string) + class_implements($string) as $class) { |
| 180 | if (isset($ext->safeClasses[$class])) { |
| 181 | $ext->safeClasses[$c] = array_unique(array_merge($ext->safeClasses[$c], $ext->safeClasses[$class])); |
| 182 | foreach ($ext->safeClasses[$class] as $s) { |
| 183 | $ext->safeLookup[$s][$c] = true; |
| 184 | } |
| 185 | } |
| 186 | } |
| 187 | } |
| 188 | if (isset($ext->safeLookup[$strategy][$c]) || isset($ext->safeLookup['all'][$c])) { |
| 189 | return (string) $string; |
| 190 | } |
| 191 | } |
| 192 | |
| 193 | $string = (string) $string; |
| 194 | } elseif (\in_array($strategy, ['html', 'js', 'css', 'html_attr', 'url'])) { |
| 195 | return $string; |
| 196 | } |
| 197 | } |
| 198 | |
| 199 | if ('' === $string) { |
| 200 | return ''; |
| 201 | } |
| 202 | |
| 203 | if (null === $charset) { |
| 204 | $charset = $env->getCharset(); |
| 205 | } |
| 206 | |
| 207 | switch ($strategy) { |
| 208 | case 'html': |
| 209 | // see https://secure.php.net/htmlspecialchars |
| 210 | |
| 211 | // Using a static variable to avoid initializing the array |
| 212 | // each time the function is called. Moving the declaration on the |
| 213 | // top of the function slow downs other escaping strategies. |
| 214 | static $htmlspecialcharsCharsets = [ |
| 215 | 'ISO-8859-1' => true, 'ISO8859-1' => true, |
| 216 | 'ISO-8859-15' => true, 'ISO8859-15' => true, |
| 217 | 'utf-8' => true, 'UTF-8' => true, |
| 218 | 'CP866' => true, 'IBM866' => true, '866' => true, |
| 219 | 'CP1251' => true, 'WINDOWS-1251' => true, 'WIN-1251' => true, |
| 220 | '1251' => true, |
| 221 | 'CP1252' => true, 'WINDOWS-1252' => true, '1252' => true, |
| 222 | 'KOI8-R' => true, 'KOI8-RU' => true, 'KOI8R' => true, |
| 223 | 'BIG5' => true, '950' => true, |
| 224 | 'GB2312' => true, '936' => true, |
| 225 | 'BIG5-HKSCS' => true, |
| 226 | 'SHIFT_JIS' => true, 'SJIS' => true, '932' => true, |
| 227 | 'EUC-JP' => true, 'EUCJP' => true, |
| 228 | 'ISO8859-5' => true, 'ISO-8859-5' => true, 'MACROMAN' => true, |
| 229 | ]; |
| 230 | |
| 231 | if (isset($htmlspecialcharsCharsets[$charset])) { |
| 232 | return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset); |
| 233 | } |
| 234 | |
| 235 | if (isset($htmlspecialcharsCharsets[strtoupper($charset)])) { |
| 236 | // cache the lowercase variant for future iterations |
| 237 | $htmlspecialcharsCharsets[$charset] = true; |
| 238 | |
| 239 | return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset); |
| 240 | } |
| 241 | |
| 242 | $string = twig_convert_encoding($string, 'UTF-8', $charset); |
| 243 | $string = htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8'); |
| 244 | |
| 245 | return iconv('UTF-8', $charset, $string); |
| 246 | |
| 247 | case 'js': |
| 248 | // escape all non-alphanumeric characters |
| 249 | // into their \x or \uHHHH representations |
| 250 | if ('UTF-8' !== $charset) { |
| 251 | $string = twig_convert_encoding($string, 'UTF-8', $charset); |
| 252 | } |
| 253 | |
| 254 | if (!preg_match('//u', $string)) { |
| 255 | throw new RuntimeError('The string to escape is not a valid UTF-8 string.'); |
| 256 | } |
| 257 | |
| 258 | $string = preg_replace_callback('#[^a-zA-Z0-9,\._]#Su', function ($matches) { |
| 259 | $char = $matches[0]; |
| 260 | |
| 261 | /* |
| 262 | * A few characters have short escape sequences in JSON and JavaScript. |
| 263 | * Escape sequences supported only by JavaScript, not JSON, are omitted. |
| 264 | * \" is also supported but omitted, because the resulting string is not HTML safe. |
| 265 | */ |
| 266 | static $shortMap = [ |
| 267 | '\\' => '\\\\', |
| 268 | '/' => '\\/', |
| 269 | "\x08" => '\b', |
| 270 | "\x0C" => '\f', |
| 271 | "\x0A" => '\n', |
| 272 | "\x0D" => '\r', |
| 273 | "\x09" => '\t', |
| 274 | ]; |
| 275 | |
| 276 | if (isset($shortMap[$char])) { |
| 277 | return $shortMap[$char]; |
| 278 | } |
| 279 | |
| 280 | $codepoint = mb_ord($char); |
| 281 | if (0x10000 > $codepoint) { |
| 282 | return sprintf('\u%04X', $codepoint); |
| 283 | } |
| 284 | |
| 285 | // Split characters outside the BMP into surrogate pairs |
| 286 | // https://tools.ietf.org/html/rfc2781.html#section-2.1 |
| 287 | $u = $codepoint - 0x10000; |
| 288 | $high = 0xD800 | ($u >> 10); |
| 289 | $low = 0xDC00 | ($u & 0x3FF); |
| 290 | |
| 291 | return sprintf('\u%04X\u%04X', $high, $low); |
| 292 | }, $string); |
| 293 | |
| 294 | if ('UTF-8' !== $charset) { |
| 295 | $string = iconv('UTF-8', $charset, $string); |
| 296 | } |
| 297 | |
| 298 | return $string; |
| 299 | |
| 300 | case 'css': |
| 301 | if ('UTF-8' !== $charset) { |
| 302 | $string = twig_convert_encoding($string, 'UTF-8', $charset); |
| 303 | } |
| 304 | |
| 305 | if (!preg_match('//u', $string)) { |
| 306 | throw new RuntimeError('The string to escape is not a valid UTF-8 string.'); |
| 307 | } |
| 308 | |
| 309 | $string = preg_replace_callback('#[^a-zA-Z0-9]#Su', function ($matches) { |
| 310 | $char = $matches[0]; |
| 311 | |
| 312 | return sprintf('\\%X ', 1 === \strlen($char) ? \ord($char) : mb_ord($char, 'UTF-8')); |
| 313 | }, $string); |
| 314 | |
| 315 | if ('UTF-8' !== $charset) { |
| 316 | $string = iconv('UTF-8', $charset, $string); |
| 317 | } |
| 318 | |
| 319 | return $string; |
| 320 | |
| 321 | case 'html_attr': |
| 322 | if ('UTF-8' !== $charset) { |
| 323 | $string = twig_convert_encoding($string, 'UTF-8', $charset); |
| 324 | } |
| 325 | |
| 326 | if (!preg_match('//u', $string)) { |
| 327 | throw new RuntimeError('The string to escape is not a valid UTF-8 string.'); |
| 328 | } |
| 329 | |
| 330 | $string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_]#Su', function ($matches) { |
| 331 | /** |
| 332 | * This function is adapted from code coming from Zend Framework. |
| 333 | * |
| 334 | * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (https://www.zend.com) |
| 335 | * @license https://framework.zend.com/license/new-bsd New BSD License |
| 336 | */ |
| 337 | $chr = $matches[0]; |
| 338 | $ord = \ord($chr); |
| 339 | |
| 340 | /* |
| 341 | * The following replaces characters undefined in HTML with the |
| 342 | * hex entity for the Unicode replacement character. |
| 343 | */ |
| 344 | if (($ord <= 0x1f && "\t" != $chr && "\n" != $chr && "\r" != $chr) || ($ord >= 0x7f && $ord <= 0x9f)) { |
| 345 | return '�'; |
| 346 | } |
| 347 | |
| 348 | /* |
| 349 | * Check if the current character to escape has a name entity we should |
| 350 | * replace it with while grabbing the hex value of the character. |
| 351 | */ |
| 352 | if (1 === \strlen($chr)) { |
| 353 | /* |
| 354 | * While HTML supports far more named entities, the lowest common denominator |
| 355 | * has become HTML5's XML Serialisation which is restricted to the those named |
| 356 | * entities that XML supports. Using HTML entities would result in this error: |
| 357 | * XML Parsing Error: undefined entity |
| 358 | */ |
| 359 | static $entityMap = [ |
| 360 | 34 => '"', /* quotation mark */ |
| 361 | 38 => '&', /* ampersand */ |
| 362 | 60 => '<', /* less-than sign */ |
| 363 | 62 => '>', /* greater-than sign */ |
| 364 | ]; |
| 365 | |
| 366 | if (isset($entityMap[$ord])) { |
| 367 | return $entityMap[$ord]; |
| 368 | } |
| 369 | |
| 370 | return sprintf('&#x%02X;', $ord); |
| 371 | } |
| 372 | |
| 373 | /* |
| 374 | * Per OWASP recommendations, we'll use hex entities for any other |
| 375 | * characters where a named entity does not exist. |
| 376 | */ |
| 377 | return sprintf('&#x%04X;', mb_ord($chr, 'UTF-8')); |
| 378 | }, $string); |
| 379 | |
| 380 | if ('UTF-8' !== $charset) { |
| 381 | $string = iconv('UTF-8', $charset, $string); |
| 382 | } |
| 383 | |
| 384 | return $string; |
| 385 | |
| 386 | case 'url': |
| 387 | return rawurlencode($string); |
| 388 | |
| 389 | default: |
| 390 | static $escapers; |
| 391 | |
| 392 | if (null === $escapers) { |
| 393 | $escapers = $env->getExtension(EscaperExtension::class)->getEscapers(); |
| 394 | } |
| 395 | |
| 396 | if (isset($escapers[$strategy])) { |
| 397 | return $escapers[$strategy]($env, $string, $charset); |
| 398 | } |
| 399 | |
| 400 | $validStrategies = implode(', ', array_merge(['html', 'js', 'url', 'css', 'html_attr'], array_keys($escapers))); |
| 401 | |
| 402 | throw new RuntimeError(sprintf('Invalid escaping strategy "%s" (valid ones: %s).', $strategy, $validStrategies)); |
| 403 | } |
| 404 | } |
| 405 | |
| 406 | /** |
| 407 | * @internal |
| 408 | */ |
| 409 | function twig_escape_filter_is_safe(Node $filterArgs) |
| 410 | { |
| 411 | foreach ($filterArgs as $arg) { |
| 412 | if ($arg instanceof ConstantExpression) { |
| 413 | return [$arg->getAttribute('value')]; |
| 414 | } |
| 415 | |
| 416 | return []; |
| 417 | } |
| 418 | |
| 419 | return ['html']; |
| 420 | } |
| 421 | } |