Page Menu
Home
c4science
Search
Configure Global Search
Log In
Files
F107043736
render.php
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Subscribers
None
File Metadata
Details
File Info
Storage
Attached
Created
Thu, Apr 3, 22:27
Size
4 KB
Mime Type
text/x-php
Expires
Sat, Apr 5, 22:27 (2 d)
Engine
blob
Format
Raw Data
Handle
25339764
Attached To
rPHU libphutil
render.php
View Options
<?php
/**
* @group markup
*/
function
phutil_render_tag
(
$tag
,
array
$attributes
=
array
(),
$content
=
null
)
{
if
(!
empty
(
$attributes
[
'href'
]))
{
// This might be a URI object, so cast it to a string.
$href
=
(
string
)
$attributes
[
'href'
];
// Block 'javascript:' hrefs at the tag level: no well-designed application
// should ever use them, and they are a potent attack vector. This function
// is deep in the core and performance sensitive, so skip the relatively
// expensive preg_match() call if the initial character is '/' (this is the
// case with essentially every URI Phabricator renders).
if
(
isset
(
$href
[
0
])
&&
(
$href
[
0
]
!=
'/'
)
&&
preg_match
(
'/^
\s
*javascript:/i'
,
$href
))
{
throw
new
Exception
(
"Attempting to render a tag with an 'href' attribute that begins "
.
"with 'javascript:'. This is either a serious security concern or a "
.
"serious architecture concern. Seek urgent remedy."
);
}
}
foreach
(
$attributes
as
$k
=>
$v
)
{
if
(
$v
===
null
)
{
continue
;
}
$v
=
phutil_escape_html
(
$v
);
$attributes
[
$k
]
=
' '
.
$k
.
'="'
.
$v
.
'"'
;
}
$attributes
=
implode
(
''
,
$attributes
);
if
(
$content
===
null
)
{
return
'<'
.
$tag
.
$attributes
.
' />'
;
}
else
{
return
'<'
.
$tag
.
$attributes
.
'>'
.
$content
.
'</'
.
$tag
.
'>'
;
}
}
/**
* @group markup
*/
function
phutil_escape_html
(
$string
)
{
return
htmlspecialchars
(
$string
,
ENT_QUOTES
,
'UTF-8'
);
}
/**
* Format a HTML code. This function behaves like sprintf(), except that all
* the normal conversions (like %s) will be properly escaped.
*
* @group markup
*/
function
hsprintf
(
$html
/*, ... */
)
{
$args
=
func_get_args
();
array_shift
(
$args
);
return
vsprintf
(
$html
,
array_map
(
'phutil_escape_html'
,
$args
));
}
/**
* Escape text for inclusion in a URI or a query parameter. Note that this
* method does NOT escape '/', because "%2F" is invalid in paths and Apache
* will automatically 404 the page if it's present. This will produce correct
* (the URIs will work) and desirable (the URIs will be readable) behavior in
* these cases:
*
* '/path/?param='.phutil_escape_uri($string); # OK: Query Parameter
* '/path/to/'.phutil_escape_uri($string); # OK: URI Suffix
*
* It will potentially produce the WRONG behavior in this special case:
*
* COUNTEREXAMPLE
* '/path/to/'.phutil_escape_uri($string).'/thing/'; # BAD: URI Infix
*
* In this case, any '/' characters in the string will not be escaped, so you
* will not be able to distinguish between the string and the suffix (unless
* you have more information, like you know the format of the suffix). For infix
* URI components, use @{function:phutil_escape_uri_path_component} instead.
*
* @param string Some string.
* @return string URI encoded string, except for '/'.
*
* @group markup
*/
function
phutil_escape_uri
(
$string
)
{
return
str_replace
(
'%2F'
,
'/'
,
rawurlencode
(
$string
));
}
/**
* Escape text for inclusion as an infix URI substring. See discussion at
* @{function:phutil_escape_uri}. This function covers an unusual special case;
* @{function:phutil_escape_uri} is usually the correct function to use.
*
* This function will escape a string into a format which is safe to put into
* a URI path and which does not contain '/' so it can be correctly parsed when
* embedded as a URI infix component.
*
* However, you MUST decode the string with
* @{function:phutil_unescape_uri_path_component} before it can be used in the
* application.
*
* @param string Some string.
* @return string URI encoded string that is safe for infix composition.
*
* @group markup
*/
function
phutil_escape_uri_path_component
(
$string
)
{
return
rawurlencode
(
rawurlencode
(
$string
));
}
/**
* Unescape text that was escaped by
* @{function:phutil_escape_uri_path_component}. See
* @{function:phutil_escape_uri} for discussion.
*
* Note that this function is NOT the inverse of
* @{function:phutil_escape_uri_path_component}! It undoes additional escaping
* which is added to survive the implied unescaping performed by the webserver
* when interpreting the request.
*
* @param string Some string emitted
* from @{function:phutil_escape_uri_path_component} and
* then accessed via a web server.
* @return string Original string.
* @group markup
*/
function
phutil_unescape_uri_path_component
(
$string
)
{
return
rawurldecode
(
$string
);
}
Event Timeline
Log In to Comment