coa/aowow
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

PageTemplate/Fixup

Browse source 
* Don't try to be smart with the helper methods as they are used to escape user input.
This commit is contained in:
Sarjuuk 2026-01-26 20:01:26 +01:00
parent c6d92031c5
commit e675a8f953
5 changed files with 23 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

20
includes/components/pagetemplate.class.php
View file

@ -207,27 +207,27 @@ class PageTemplate
return Cfg::get($name);
}
private function json(mixed $var, int $jsonFlags = 0x0) : string
private function json(mixed $var, int $jsonFlags = 0x0, bool $varRef = false) : string
{
if (is_string($var) && $this->$var)
$var = $this->$var;
if (!is_string($var))
return preg_replace('/script\s*\>/i', 'scr"+"ipt>', Util::toJSON($var, $jsonFlags) ?: "{}");
return preg_replace('/script\s*\>/i', 'scr"+"ipt>', Util::toJSON($var, $jsonFlags) ?: "{}");
return preg_replace('/script\s*\>/i', 'scr"+"ipt>', Util::toJSON($varRef ? $this->$var : $var, $jsonFlags) ?: "{}");
}
private function escHTML(string $var) : string|array
private function escHTML(string $var, bool $varRef = false) : string|array
{
return Util::htmlEscape($this->$var ?? $var);
return Util::htmlEscape($varRef ? $this->$var : $var);
}
private function escJS(string $var) : string|array
private function escJS(string $var, bool $varRef = false) : string|array
{
return Util::jsEscape($this->$var ?? $var);
return Util::jsEscape($varRef ? $this->$var : $var);
}
private function ucFirst(string $var) : string
private function ucFirst(string $var, bool $varRef = false) : string
{
return Util::ucFirst($this->$var ?? $var);
return Util::ucFirst($varRef ? $this->$var : $var);
}

10
includes/utilities.php
View file

@ -239,8 +239,11 @@ abstract class Util
return 'b'.$_;
}
public static function htmlEscape($data)
public static function htmlEscape(string|array|null $data) : string|array
{
if (empty($data)) // null, '', [] and not "0"
return '';
if (is_array($data))
{
foreach ($data as &$v)
@ -252,8 +255,11 @@ abstract class Util
return htmlspecialchars($data, ENT_QUOTES | ENT_DISALLOWED | ENT_HTML5, 'utf-8');
}
public static function jsEscape($data)
public static function jsEscape(string|array|null $data) : string|array
{
if (empty($data)) // null, '', [] and not "0"
return '';
if (is_array($data))
{
foreach ($data as &$v)