Changeset 7120

Timestamp:

01/21/08 09:13:59 (10 months ago)

Author:

fabien

Message:

added a way to mark template value as being safe for output

• new decorator class sfOutputEscaperSafe to mark a value as being safe for output
  
• added sfOutputEscaper::markClassesAsSafe() and sfOutputEscaper::markClassAsSafe() to mark classes as safe for ouptut
  
• added sfForm class (and all its children) as being safe by default
  
• updated CRUD templates to just echo the form
  
• added a third argument to sfComponent::setVar() to add a safe value
  

Files:

• branches/1.1/lib/action/sfComponent.class.php (modified) (1 diff)
• branches/1.1/lib/plugins/sfPropelPlugin/data/generator/sfPropelCrud/default/template/templates/editSuccess.php (modified) (1 diff)
• branches/1.1/lib/view/escaper/sfOutputEscaper.class.php (modified) (4 diffs)
• branches/1.1/lib/view/escaper/sfOutputEscaperSafe.class.php (added)
• branches/1.1/lib/view/sfView.class.php (modified) (1 diff)
• branches/1.1/test/unit/view/escaper/sfOutputEscaperSafeTest.php (added)
• branches/1.1/test/unit/view/escaper/sfOutputEscaperTest.php (modified) (4 diffs)

branches/1.1/lib/action/sfComponent.class.php

@@ -237 +237 @@
-   * Sets a variable for the template.
-   *
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-  }
-

branches/1.1/lib/plugins/sfPropelPlugin/data/generator/sfPropelCrud/default/template/templates/editSuccess.php

@@ -18 +18 @@
-    <tbody>
-<?php if (isset($this->params['non_verbose_templates']) && $this->params['non_verbose_templates']): ?>
-this->getAttributeHolder()->isEscaped() ? $form->render(ESC_RAW) : $
+
-<?php else: ?>
-

branches/1.1/lib/view/escaper/sfOutputEscaper.class.php

@@ -33 +33 @@
-   */
-  protected $escapingMethod;
+
+  static protected $safeClasses = array();
-
-  /**
@@ -101 +103 @@
-      if ($value instanceof sfOutputEscaper)
-      {
- when passing values from action template to component/partial
+
-        $copy = clone $value;
-
@@ -108 +110 @@
-        return $copy;
-      }
-
+ 
-      {
-        return new sfOutputEscaperIteratorDecorator($escapingMethod, $value);
+      }
+      else if ($value instanceof sfOutputEscaperSafe)
+      {
+        // do not escape objects marked as safe
+        // return the original object
+        return $value->getValue();
+      }
+      else if (self::isClassMarkedAsSafe(get_class($value)))
+      {
+        // the class or one of its children is marked as safe
+        // return the unescaped object
+        return $value;
-      }
-      else
@@ -123 +137 @@
-
-  /**
+   * Returns true if the class if marked as safe.
+   *
+   * @param  string  A class name
+   *
+   * @return Boolean true if the class if safe, false otherwise
+   */
+  static public function isClassMarkedAsSafe($class)
+  {
+    if (in_array($class, self::$safeClasses))
+    {
+      return true;
+    }
+
+    foreach (self::$safeClasses as $safeClass)
+    {
+      if (is_subclass_of($class, $safeClass))
+      {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  /**
+   * Marks an array of classes (and all its children) as being safe for output.
+   *
+   * @param array An array of class names
+   */
+  static public function markClassesAsSafe(array $classes)
+  {
+    self::$safeClasses = array_unique(array_merge(self::$safeClasses, $classes));
+  }
+
+  /**
+   * Marks a class (and all its children) as being safe for output.
+   *
+   * @param string A class name
+   */
+  static public function markClassAsSafe($class)
+  {
+    self::markClassesAsSafe(array($class));
+  }
+
+  /**
-   * Returns the raw value associated with this instance.
-   *

branches/1.1/lib/view/sfView.class.php

@@ -119 +119 @@
-    }
-
+    sfOutputEscaper::markClassAsSafe('sfForm');
+
-    $this->attributeHolder = false === sfConfig::get('sf_escaping_method') ? new sfViewParameterHolder() : new sfEscapedViewParameterHolder();
-    $this->attributeHolder->initialize($this->dispatcher, array(), array(

branches/1.1/test/unit/view/escaper/sfOutputEscaperTest.php

@@ -15 +15 @@
-require_once(dirname(__FILE__).'/../../../../lib/view/escaper/sfOutputEscaperObjectDecorator.class.php');
-require_once(dirname(__FILE__).'/../../../../lib/view/escaper/sfOutputEscaperIteratorDecorator.class.php');
+require_once(dirname(__FILE__).'/../../../../lib/view/escaper/sfOutputEscaperSafe.class.php');
-
-require_once(dirname(__FILE__).'/../../../../lib/plugins/sfCompat10Plugin/lib/helper/EscapingHelper.php');
@@ -21 +22 @@
-sfConfig::set('sf_charset', 'UTF-8');
-
-18
+21
-
-class OutputEscaperTestClass
@@ -38 +39 @@
-    return $o->getTitle();
-  }
+}
+
+class OutputEscaperTestClassChild extends OutputEscaperTestClass
+{
-}
-
@@ -77 +82 @@
-$t->isa_ok(sfOutputEscaper::escape('esc_entities', new DirectoryIterator('.')), 'sfOutputEscaperIteratorDecorator', '::escape() returns a sfOutputEscaperIteratorDecorator object if the value to escape is an object that implements the ArrayAccess interface');
-
+$t->diag('::escape() does not escape object marked as being safe');
+$t->isa_ok(sfOutputEscaper::escape('esc_entities', new sfOutputEscaperSafe(new OutputEscaperTestClass())), 'OutputEscaperTestClass', '::escape() returns the original value if it is marked as being safe');
+
+sfOutputEscaper::markClassAsSafe('OutputEscaperTestClass');
+$t->isa_ok(sfOutputEscaper::escape('esc_entities', new OutputEscaperTestClass()), 'OutputEscaperTestClass', '::escape() returns the original value if the object class is marked as being safe');
+$t->isa_ok(sfOutputEscaper::escape('esc_entities', new OutputEscaperTestClassChild()), 'OutputEscaperTestClassChild', '::escape() returns the original value if one of the object parent class is marked as being safe');
+
-$t->diag('::escape() cannot escape resources');
-$fh = fopen(__FILE__, 'r');