Gitiles
Code Review Sign In
gerrit.benkard.de / kubeia / 12a5735c15056e2807ac44a988868ac2244a19f1 / . / mailcow / src / mailcow-dockerized / data / web / inc / lib / vendor / twig / twig / src / Extension / EscaperExtension.php
blob: 372551f25251c4f12b4fcc9189d3dbbc74e5f75b [file] [log] [blame]
Matthias Andreas Benkard12a57352021-12-28 18:02:04 +0100[diff] [blame^]1<?php
2
3/*
4 * This file is part of Twig.
5 *
6 * (c) Fabien Potencier
7 *
8 * For the full copyright and license information, please view the LICENSE
9 * file that was distributed with this source code.
10 */
11
12namespace Twig\Extension {
13use Twig\FileExtensionEscapingStrategy;
14use Twig\NodeVisitor\EscaperNodeVisitor;
15use Twig\TokenParser\AutoEscapeTokenParser;
16use Twig\TwigFilter;
17
18final class EscaperExtension extends AbstractExtension
19{
20 private $defaultStrategy;
21 private $escapers = [];
22
23 /** @internal */
24 public $safeClasses = [];
25
26 /** @internal */
27 public $safeLookup = [];
28
29 /**
30 * @param string|false|callable $defaultStrategy An escaping strategy
31 *
32 * @see setDefaultStrategy()
33 */
34 public function __construct($defaultStrategy = 'html')
35 {
36 $this->setDefaultStrategy($defaultStrategy);
37 }
38
39 public function getTokenParsers(): array
40 {
41 return [new AutoEscapeTokenParser()];
42 }
43
44 public function getNodeVisitors(): array
45 {
46 return [new EscaperNodeVisitor()];
47 }
48
49 public function getFilters(): array
50 {
51 return [
52 new TwigFilter('escape', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
53 new TwigFilter('e', 'twig_escape_filter', ['needs_environment' => true, 'is_safe_callback' => 'twig_escape_filter_is_safe']),
54 new TwigFilter('raw', 'twig_raw_filter', ['is_safe' => ['all']]),
55 ];
56 }
57
58 /**
59 * Sets the default strategy to use when not defined by the user.
60 *
61 * The strategy can be a valid PHP callback that takes the template
62 * name as an argument and returns the strategy to use.
63 *
64 * @param string|false|callable $defaultStrategy An escaping strategy
65 */
66 public function setDefaultStrategy($defaultStrategy): void
67 {
68 if ('name' === $defaultStrategy) {
69 $defaultStrategy = [FileExtensionEscapingStrategy::class, 'guess'];
70 }
71
72 $this->defaultStrategy = $defaultStrategy;
73 }
74
75 /**
76 * Gets the default strategy to use when not defined by the user.
77 *
78 * @param string $name The template name
79 *
80 * @return string|false The default strategy to use for the template
81 */
82 public function getDefaultStrategy(string $name)
83 {
84 // disable string callables to avoid calling a function named html or js,
85 // or any other upcoming escaping strategy
86 if (!\is_string($this->defaultStrategy) && false !== $this->defaultStrategy) {
87 return \call_user_func($this->defaultStrategy, $name);
88 }
89
90 return $this->defaultStrategy;
91 }
92
93 /**
94 * Defines a new escaper to be used via the escape filter.
95 *
96 * @param string $strategy The strategy name that should be used as a strategy in the escape call
97 * @param callable $callable A valid PHP callable
98 */
99 public function setEscaper($strategy, callable $callable)
100 {
101 $this->escapers[$strategy] = $callable;
102 }
103
104 /**
105 * Gets all defined escapers.
106 *
107 * @return callable[] An array of escapers
108 */
109 public function getEscapers()
110 {
111 return $this->escapers;
112 }
113
114 public function setSafeClasses(array $safeClasses = [])
115 {
116 $this->safeClasses = [];
117 $this->safeLookup = [];
118 foreach ($safeClasses as $class => $strategies) {
119 $this->addSafeClass($class, $strategies);
120 }
121 }
122
123 public function addSafeClass(string $class, array $strategies)
124 {
125 $class = ltrim($class, '\\');
126 if (!isset($this->safeClasses[$class])) {
127 $this->safeClasses[$class] = [];
128 }
129 $this->safeClasses[$class] = array_merge($this->safeClasses[$class], $strategies);
130
131 foreach ($strategies as $strategy) {
132 $this->safeLookup[$strategy][$class] = true;
133 }
134 }
135}
136}
137
138namespace {
139use Twig\Environment;
140use Twig\Error\RuntimeError;
141use Twig\Extension\EscaperExtension;
142use Twig\Markup;
143use Twig\Node\Expression\ConstantExpression;
144use Twig\Node\Node;
145
146/**
147 * Marks a variable as being safe.
148 *
149 * @param string $string A PHP variable
150 */
151function twig_raw_filter($string)
152{
153 return $string;
154}
155
156/**
157 * Escapes a string.
158 *
159 * @param mixed $string The value to be escaped
160 * @param string $strategy The escaping strategy
161 * @param string $charset The charset
162 * @param bool $autoescape Whether the function is called by the auto-escaping feature (true) or by the developer (false)
163 *
164 * @return string
165 */
166function twig_escape_filter(Environment $env, $string, $strategy = 'html', $charset = null, $autoescape = false)
167{
168 if ($autoescape && $string instanceof Markup) {
169 return $string;
170 }
171
172 if (!\is_string($string)) {
173 if (\is_object($string) && method_exists($string, '__toString')) {
174 if ($autoescape) {
175 $c = \get_class($string);
176 $ext = $env->getExtension(EscaperExtension::class);
177 if (!isset($ext->safeClasses[$c])) {
178 $ext->safeClasses[$c] = [];
179 foreach (class_parents($string) + class_implements($string) as $class) {
180 if (isset($ext->safeClasses[$class])) {
181 $ext->safeClasses[$c] = array_unique(array_merge($ext->safeClasses[$c], $ext->safeClasses[$class]));
182 foreach ($ext->safeClasses[$class] as $s) {
183 $ext->safeLookup[$s][$c] = true;
184 }
185 }
186 }
187 }
188 if (isset($ext->safeLookup[$strategy][$c]) || isset($ext->safeLookup['all'][$c])) {
189 return (string) $string;
190 }
191 }
192
193 $string = (string) $string;
194 } elseif (\in_array($strategy, ['html', 'js', 'css', 'html_attr', 'url'])) {
195 return $string;
196 }
197 }
198
199 if ('' === $string) {
200 return '';
201 }
202
203 if (null === $charset) {
204 $charset = $env->getCharset();
205 }
206
207 switch ($strategy) {
208 case 'html':
209 // see https://secure.php.net/htmlspecialchars
210
211 // Using a static variable to avoid initializing the array
212 // each time the function is called. Moving the declaration on the
213 // top of the function slow downs other escaping strategies.
214 static $htmlspecialcharsCharsets = [
215 'ISO-8859-1' => true, 'ISO8859-1' => true,
216 'ISO-8859-15' => true, 'ISO8859-15' => true,
217 'utf-8' => true, 'UTF-8' => true,
218 'CP866' => true, 'IBM866' => true, '866' => true,
219 'CP1251' => true, 'WINDOWS-1251' => true, 'WIN-1251' => true,
220 '1251' => true,
221 'CP1252' => true, 'WINDOWS-1252' => true, '1252' => true,
222 'KOI8-R' => true, 'KOI8-RU' => true, 'KOI8R' => true,
223 'BIG5' => true, '950' => true,
224 'GB2312' => true, '936' => true,
225 'BIG5-HKSCS' => true,
226 'SHIFT_JIS' => true, 'SJIS' => true, '932' => true,
227 'EUC-JP' => true, 'EUCJP' => true,
228 'ISO8859-5' => true, 'ISO-8859-5' => true, 'MACROMAN' => true,
229 ];
230
231 if (isset($htmlspecialcharsCharsets[$charset])) {
232 return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset);
233 }
234
235 if (isset($htmlspecialcharsCharsets[strtoupper($charset)])) {
236 // cache the lowercase variant for future iterations
237 $htmlspecialcharsCharsets[$charset] = true;
238
239 return htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, $charset);
240 }
241
242 $string = twig_convert_encoding($string, 'UTF-8', $charset);
243 $string = htmlspecialchars($string, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
244
245 return iconv('UTF-8', $charset, $string);
246
247 case 'js':
248 // escape all non-alphanumeric characters
249 // into their \x or \uHHHH representations
250 if ('UTF-8' !== $charset) {
251 $string = twig_convert_encoding($string, 'UTF-8', $charset);
252 }
253
254 if (!preg_match('//u', $string)) {
255 throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
256 }
257
258 $string = preg_replace_callback('#[^a-zA-Z0-9,\._]#Su', function ($matches) {
259 $char = $matches[0];
260
261 /*
262 * A few characters have short escape sequences in JSON and JavaScript.
263 * Escape sequences supported only by JavaScript, not JSON, are omitted.
264 * \" is also supported but omitted, because the resulting string is not HTML safe.
265 */
266 static $shortMap = [
267 '\\' => '\\\\',
268 '/' => '\\/',
269 "\x08" => '\b',
270 "\x0C" => '\f',
271 "\x0A" => '\n',
272 "\x0D" => '\r',
273 "\x09" => '\t',
274 ];
275
276 if (isset($shortMap[$char])) {
277 return $shortMap[$char];
278 }
279
280 $codepoint = mb_ord($char);
281 if (0x10000 > $codepoint) {
282 return sprintf('\u%04X', $codepoint);
283 }
284
285 // Split characters outside the BMP into surrogate pairs
286 // https://tools.ietf.org/html/rfc2781.html#section-2.1
287 $u = $codepoint - 0x10000;
288 $high = 0xD800 | ($u >> 10);
289 $low = 0xDC00 | ($u & 0x3FF);
290
291 return sprintf('\u%04X\u%04X', $high, $low);
292 }, $string);
293
294 if ('UTF-8' !== $charset) {
295 $string = iconv('UTF-8', $charset, $string);
296 }
297
298 return $string;
299
300 case 'css':
301 if ('UTF-8' !== $charset) {
302 $string = twig_convert_encoding($string, 'UTF-8', $charset);
303 }
304
305 if (!preg_match('//u', $string)) {
306 throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
307 }
308
309 $string = preg_replace_callback('#[^a-zA-Z0-9]#Su', function ($matches) {
310 $char = $matches[0];
311
312 return sprintf('\\%X ', 1 === \strlen($char) ? \ord($char) : mb_ord($char, 'UTF-8'));
313 }, $string);
314
315 if ('UTF-8' !== $charset) {
316 $string = iconv('UTF-8', $charset, $string);
317 }
318
319 return $string;
320
321 case 'html_attr':
322 if ('UTF-8' !== $charset) {
323 $string = twig_convert_encoding($string, 'UTF-8', $charset);
324 }
325
326 if (!preg_match('//u', $string)) {
327 throw new RuntimeError('The string to escape is not a valid UTF-8 string.');
328 }
329
330 $string = preg_replace_callback('#[^a-zA-Z0-9,\.\-_]#Su', function ($matches) {
331 /**
332 * This function is adapted from code coming from Zend Framework.
333 *
334 * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (https://www.zend.com)
335 * @license https://framework.zend.com/license/new-bsd New BSD License
336 */
337 $chr = $matches[0];
338 $ord = \ord($chr);
339
340 /*
341 * The following replaces characters undefined in HTML with the
342 * hex entity for the Unicode replacement character.
343 */
344 if (($ord <= 0x1f && "\t" != $chr && "\n" != $chr && "\r" != $chr) || ($ord >= 0x7f && $ord <= 0x9f)) {
345 return '&#xFFFD;';
346 }
347
348 /*
349 * Check if the current character to escape has a name entity we should
350 * replace it with while grabbing the hex value of the character.
351 */
352 if (1 === \strlen($chr)) {
353 /*
354 * While HTML supports far more named entities, the lowest common denominator
355 * has become HTML5's XML Serialisation which is restricted to the those named
356 * entities that XML supports. Using HTML entities would result in this error:
357 * XML Parsing Error: undefined entity
358 */
359 static $entityMap = [
360 34 => '&quot;', /* quotation mark */
361 38 => '&amp;', /* ampersand */
362 60 => '&lt;', /* less-than sign */
363 62 => '&gt;', /* greater-than sign */
364 ];
365
366 if (isset($entityMap[$ord])) {
367 return $entityMap[$ord];
368 }
369
370 return sprintf('&#x%02X;', $ord);
371 }
372
373 /*
374 * Per OWASP recommendations, we'll use hex entities for any other
375 * characters where a named entity does not exist.
376 */
377 return sprintf('&#x%04X;', mb_ord($chr, 'UTF-8'));
378 }, $string);
379
380 if ('UTF-8' !== $charset) {
381 $string = iconv('UTF-8', $charset, $string);
382 }
383
384 return $string;
385
386 case 'url':
387 return rawurlencode($string);
388
389 default:
390 static $escapers;
391
392 if (null === $escapers) {
393 $escapers = $env->getExtension(EscaperExtension::class)->getEscapers();
394 }
395
396 if (isset($escapers[$strategy])) {
397 return $escapers[$strategy]($env, $string, $charset);
398 }
399
400 $validStrategies = implode(', ', array_merge(['html', 'js', 'url', 'css', 'html_attr'], array_keys($escapers)));
401
402 throw new RuntimeError(sprintf('Invalid escaping strategy "%s" (valid ones: %s).', $strategy, $validStrategies));
403 }
404}
405
406/**
407 * @internal
408 */
409function twig_escape_filter_is_safe(Node $filterArgs)
410{
411 foreach ($filterArgs as $arg) {
412 if ($arg instanceof ConstantExpression) {
413 return [$arg->getAttribute('value')];
414 }
415
416 return [];
417 }
418
419 return ['html'];
420}
421}