Changeset 8201
- Timestamp:
- 04/02/08 10:19:06 (6 months ago)
- Files:
-
- branches/1.1/lib/config/config/core_compile.yml (modified) (1 diff)
- branches/1.1/lib/config/config/settings.yml (modified) (1 diff)
- branches/1.1/lib/config/sfApplicationConfiguration.class.php (modified) (1 diff)
- branches/1.1/lib/controller/default/templates/defaultLayout.php (modified) (1 diff)
- branches/1.1/lib/plugins/sfCompat10Plugin/test/functional/fixtures/apps/frontend/templates/layout.php (modified) (1 diff)
- branches/1.1/lib/plugins/sfPropelPlugin/test/functional/fixtures/apps/backend/templates/layout.php (modified) (1 diff)
- branches/1.1/lib/plugins/sfPropelPlugin/test/functional/fixtures/apps/crud/templates/layout.php (modified) (1 diff)
- branches/1.1/lib/task/generator/sfGenerateAppTask.class.php (modified) (3 diffs)
- branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml (modified) (2 diffs)
- branches/1.1/lib/task/generator/skeleton/app/app/templates/layout.php (modified) (1 diff)
- branches/1.1/lib/task/project/upgrade1.1/sfLayoutUpgrade.class.php (added)
- branches/1.1/lib/view/escaper/sfOutputEscaper.class.php (modified) (2 diffs)
- branches/1.1/lib/view/escaper/sfOutputEscaperSafe.class.php (modified) (1 diff)
- branches/1.1/lib/view/sfEscapedViewParameterHolder.class.php (modified) (4 diffs)
- branches/1.1/lib/view/sfPHPView.class.php (modified) (1 diff)
- branches/1.1/test/functional/escapingTest.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/cache/templates/image.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/cache/templates/layout.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/actions/actions.class.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/frontend/templates/layout.php (modified) (1 diff)
- branches/1.1/test/functional/fixtures/project/apps/i18n/templates/layout.php (modified) (1 diff)
- branches/1.1/test/unit/view/sfEscapedViewParameterHolderTest.php (modified) (2 diffs)
branches/1.1/lib/config/config/core_compile.yml
r7843 r8201 36 36 37 37 # output escaper 38 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaper.class.php 39 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperArrayDecorator.class.php 40 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperGetterDecorator.class.php 41 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperIteratorDecorator.class.php 42 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperObjectDecorator.class.php 38 - %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperSafe.class.php 39 #- %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaper.class.php 40 #- %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperArrayDecorator.class.php 41 #- %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperGetterDecorator.class.php 42 #- %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperIteratorDecorator.class.php 43 #- %SF_SYMFONY_LIB_DIR%/view/escaper/sfOutputEscaperObjectDecorator.class.php branches/1.1/lib/config/config/settings.yml
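Review bot: The five escaper entries are commented out rather than removed, which leaves dead configuration and gives no reason why sfOutputEscaper and its decorators leave the compiled core while sfOutputEscaperSafe joins it. Either delete the lines or put a one-line comment above the new entry, e.g. `# only the Safe marker class is needed on every request; sfOutputEscaper and its decorators are loaded on demand` — assuming that is the intent, which the hunk itself does not state.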
r8158 r8201 25 25 26 26 # Output escaping settings 27 escaping_strategy: bc # Determines how variables are made available to templates. Accepted values: bc,both, on, off. The value off deactivates escaping completely and gives a slight boost.27 escaping_strategy: off # Determines how variables are made available to templates. Accepted values: both, on, off. The value off deactivates escaping completely and gives a slight boost. 28 28 escaping_method: ESC_SPECIALCHARS # Function or helper used for escaping. Accepted values: ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS. 29 29 branches/1.1/lib/config/sfApplicationConfiguration.class.php
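Review bot: The framework default for `escaping_strategy` flips from `bc` to `off`, so an application whose own settings.yml does not set the key now renders template variables unescaped, yet the inline comment only mentions the performance gain. The comment should name the trade-off, e.g. `escaping_strategy: off # ... The value off deactivates escaping completely (templates must escape user-supplied data themselves) and gives a slight boost.` Whether existing 1.1 applications inherit this default after upgrading depends on their own settings.yml, which is not visible here.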
r8158 r8201 103 103 } 104 104 105 if (false !== sfConfig::get('sf_ form_csrf_secret'))106 { 107 sfForm::enableCSRFProtection(sfConfig::get('sf_ form_csrf_secret'));105 if (false !== sfConfig::get('sf_csrf_secret')) 106 { 107 sfForm::enableCSRFProtection(sfConfig::get('sf_csrf_secret')); 108 108 } 109 109 branches/1.1/lib/controller/default/templates/defaultLayout.php
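Review bot: The setting is renamed from `sf_form_csrf_secret` to `sf_csrf_secret` with no fallback, so an application that still defines `form_csrf_secret` in its settings.yml silently stops supplying its secret here; if `sfConfig::get()` returns its null default for the undefined key, the `false !==` test still passes and `enableCSRFProtection()` is called with null. Read the old key as a fallback and flag it as deprecated, e.g. `$secret = sfConfig::get('sf_csrf_secret', sfConfig::get('sf_form_csrf_secret', false));` followed by `if (false !== $secret)`. The enclosing method starts and ends outside the hunk.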
r6280 r8201 19 19 <div class="sfTContainer"> 20 20 <?php echo link_to(image_tag('/sf/sf_default/images/sfTLogo.png', array('alt' => 'symfony PHP Framework', 'class' => 'sfTLogo', 'size' => '186x39')), 'http://www.symfony-project.org/') ?> 21 <?php echo $ this->getAttributeHolder()->isEscaped() ? $sf_data->getRaw('sf_content') : $sf_content ?>21 <?php echo $sf_content ?> 22 22 </div> 23 23 </body> branches/1.1/lib/plugins/sfCompat10Plugin/test/functional/fixtures/apps/frontend/templates/layout.php
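Review bot: `$sf_content` is only a template variable when the strategy exposes plain attributes; under the `on` strategy the sfEscapedViewParameterHolder::toArray() hunk in this changeset populates `sf_data` alone, so this line would read an undefined variable and print nothing. Either make `on` expose attributes the way `both` does, or keep a fallback here such as `<?php echo isset($sf_content) ? $sf_content : $sf_data->getRaw('sf_content') ?>`. The same replacement is made in the layout.php and image.php fixtures under lib/plugins, skeleton/app and test/functional, so whichever fix is chosen applies to all of them.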
r5320 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/lib/plugins/sfPropelPlugin/test/functional/fixtures/apps/backend/templates/layout.php
r2217 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/lib/plugins/sfPropelPlugin/test/functional/fixtures/apps/crud/templates/layout.php
r2126 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/lib/task/generator/sfGenerateAppTask.class.php
r8148 r8201 42 42 )); 43 43 44 $this->addOptions(array( 45 new sfCommandOption('escaping-strategy', null, sfCommandOption::PARAMETER_REQUIRED, 'Output escaping strategy', false), 46 new sfCommandOption('csrf-secret', null, sfCommandOption::PARAMETER_REQUIRED, 'Secret to use for CSRF protection', false), 47 )); 48 44 49 $this->aliases = array('init-app'); 45 50 $this->namespace = 'generate'; … … 65 70 If an application with the same name already exists, 66 71 it throws a [sfCommandException|COMMENT]. 72 73 You can enable output escaping (to prevent XSS) by using the [escaping-strategy|COMMENT] option: 74 75 [./symfony generate:app frontend --escaping-strategy=both|INFO] 76 77 You can enable session token in forms (to prevent CSRF) by defining 78 a secret with the [csrf-secret|COMMENT] option: 79 80 [./symfony generate:app frontend --csrf-secret=Big\$ecret|INFO] 81 67 82 EOF; 68 83 } … … 96 111 // Set no_script_name value in settings.yml for production environment 97 112 $finder = sfFinder::type('file')->name('settings.yml'); 98 $this->getFilesystem()->replaceTokens($finder->in($appDir.'/config'), '##', '##', array('NO_SCRIPT_NAME' => ($firstApp ? 'on' : 'off'))); 113 $this->getFilesystem()->replaceTokens($finder->in($appDir.'/config'), '##', '##', array( 114 'NO_SCRIPT_NAME' => $firstApp ? 'on' : 'off', 115 'CSRF_SECRET' => sfYamlInline::dump($options['csrf-secret']), 116 'ESCAPING_STRATEGY' => sfYamlInline::dump($options['escaping-strategy']), 117 )); 99 118 100 119 $this->getFilesystem()->copy(dirname(__FILE__).'/skeleton/app/web/index.php', sfConfig::get('sf_web_dir').'/'.$indexName.'.php'); branches/1.1/lib/task/generator/skeleton/app/app/config/settings.yml
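Review bot: `--escaping-strategy` is written into settings.yml without validation, so a typo such as `--escaping-strategy=bot` only surfaces at request time when sfEscapedViewParameterHolder rejects the value. Check it in execute() before the token replacement, e.g. `if (!in_array($options['escaping-strategy'], array(false, 'both', 'on', 'off'), true)) { throw new sfCommandException(sprintf('Invalid escaping strategy "%s".', $options['escaping-strategy'])); }`. The default of `false` for both options also means a freshly generated application has neither output escaping nor CSRF protection; if that is intended, the help text should say so explicitly. execute() starts and ends outside the hunk.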
r8158 r8201 19 19 no_script_name: off 20 20 etag: off 21 22 all: 23 .settings: 24 # Form security secret (CSRF protection) 25 csrf_secret: ##CSRF_SECRET## # Unique secret to enable CSRF protection or false to disable 26 27 # Output escaping settings 28 escaping_strategy: ##ESCAPING_STRATEGY## # Determines how variables are made available to templates. Accepted values: both, on, off. The value off deactivates escaping completely and gives a slight boost. 29 escaping_method: ESC_SPECIALCHARS # Function or helper used for escaping. Accepted values: ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS. 21 30 22 31 #all: … … 41 50 # compressed: off # Enable PHP response compression. Set to on to compress the outgoing HTML via the PHP handler. 42 51 # check_lock: off # Enable the application lock system triggered by the clear-cache and disable tasks. Set to on to have all requests to disabled applications redirected to the $sf_symfony_data_dir/web/arrors/unavailable.php page. 43 #44 # # Form security secret (CSRF protection)45 # form_csrf_secret: false # Unique secret to enable CSRF protection or false to disable46 #47 # # Output escaping settings48 # escaping_strategy: bc # Determines how variables are made available to templates. Accepted values: bc, both, on, off. The value off deactivates escaping completely and gives a slight boost.49 # escaping_method: ESC_SPECIALCHARS # Function or helper used for escaping. Accepted values: ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, and ESC_SPECIALCHARS.50 52 # 51 53 # # Routing settings branches/1.1/lib/task/generator/skeleton/app/app/templates/layout.php
r3278 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/lib/view/escaper/sfOutputEscaper.class.php
r7120 r8201 110 110 return $copy; 111 111 } 112 else if ($value instanceof Traversable) 113 { 114 return new sfOutputEscaperIteratorDecorator($escapingMethod, $value); 112 else if (self::isClassMarkedAsSafe(get_class($value))) 113 { 114 // the class or one of its children is marked as safe 115 // return the unescaped object 116 return $value; 115 117 } 116 118 else if ($value instanceof sfOutputEscaperSafe) … … 120 122 return $value->getValue(); 121 123 } 122 else if (self::isClassMarkedAsSafe(get_class($value))) 123 { 124 // the class or one of its children is marked as safe 125 // return the unescaped object 126 return $value; 124 else if ($value instanceof Traversable) 125 { 126 return new sfOutputEscaperIteratorDecorator($escapingMethod, $value); 127 127 } 128 128 else branches/1.1/lib/view/escaper/sfOutputEscaperSafe.class.php
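Review bot: Moving the isClassMarkedAsSafe() test ahead of the Traversable test changes behaviour for iterable objects whose class is marked safe: they are now returned raw instead of being wrapped in sfOutputEscaperIteratorDecorator, and neither the code nor its comment records that precedence. Extend the comment to `// a class marked as safe takes precedence over the sfOutputEscaperSafe and Traversable checks below: return the unescaped object`. escape() starts and ends outside the hunk.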
r7120 r8201 32 32 } 33 33 34 public function __toString() 35 { 36 return $this->value; 37 } 38 34 39 /** 35 40 * Returns the embedded value. branches/1.1/lib/view/sfEscapedViewParameterHolder.class.php
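Review bot: `__toString()` returns `$this->value` as is, but sfOutputEscaperSafe embeds arbitrary values (the getter below returns whatever was wrapped), and PHP raises an error when `__toString()` yields a non-string. Cast explicitly, `return (string) $this->value;`, and document the method: `/** Returns the embedded value as a string so the object can be echoed directly from a template. */`. The class definition starts outside the hunk.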
r7899 r8201 34 34 * <b>Options:</b> 35 35 * 36 * # <b>escaping_strategy</b> - [ bc] - The escaping strategy (bc,both, on or off)36 * # <b>escaping_strategy</b> - [off] - The escaping strategy (both, on or off) 37 37 * # <b>escaping_method</b> - [ESC_SPECIALCHARS] - The escaping method (ESC_RAW, ESC_ENTITIES, ESC_JS, ESC_JS_NO_ENTITIES, or ESC_SPECIALCHARS) 38 38 * … … 45 45 parent::initialize($dispatcher, $parameters, $options); 46 46 47 $this->setEscaping(isset($options['escaping_strategy']) ? $options['escaping_strategy'] : 'bc');47 $this->setEscaping(isset($options['escaping_strategy']) ? $options['escaping_strategy'] : false); 48 48 $this->setEscapingMethod(isset($options['escaping_method']) ? $options['escaping_method'] : 'ESC_SPECIALCHARS'); 49 49 } … … 70 70 $attributes = array(); 71 71 72 switch ( $this->getEscaping())72 switch (true) 73 73 { 74 case 'on': 75 $attributes['sf_data'] = sfOutputEscaper::escape($this->getEscapingMethod(), $this->getAll()); 76 break; 77 case 'bc': 78 $attributes = $this->getAll(); 79 $attributes['sf_data'] = sfOutputEscaper::escape($this->getEscapingMethod(), $this->getAll()); 80 break; 81 case 'both': 74 case 'bc' === $this->getEscaping(): 75 throw new InvalidArgumentException(sprintf('Escaping strategy "bc" is deprecated.')); 76 case 'both' === $this->getEscaping(): 82 77 $attributes['sf_data'] = sfOutputEscaper::escape($this->getEscapingMethod(), $this->getAll()); 83 78 foreach ($attributes['sf_data'] as $key => $value) … … 86 81 } 87 82 break; 88 case 'off': 83 case 'off' === $this->getEscaping(): 84 case false === $this->getEscaping(): 89 85 $attributes = $this->getAll(); 86 break; 87 case 'on' === $this->getEscaping(): 88 case true === $this->getEscaping(): 89 $attributes['sf_data'] = sfOutputEscaper::escape($this->getEscapingMethod(), $this->getAll()); 90 90 break; 91 91 default: branches/1.1/lib/view/sfPHPView.class.php
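Review bot: The `bc` case throws through `sprintf()` with no format arguments, and every case re-evaluates `$this->getEscaping()`; assign it once above the switch (`$escaping = $this->getEscaping();`) and throw `new InvalidArgumentException('Escaping strategy "bc" is deprecated.')`. The `true`/`false` aliases accepted here are not mentioned in the option docblock at the top of the hunk, which still lists only `both, on or off`; add `(true is an alias of on, false of off)`. Under `on` only `sf_data` is exposed whereas `both` also exposes each attribute, so the layouts in this changeset that echo `$sf_content` directly only work under `both` or `off`; a comment on the `on` case should state that. toArray() starts and ends outside the hunk.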
r8138 r8201 128 128 $attributeHolder = $this->attributeHolder; 129 129 130 $this->attributeHolder = $this->initializeAttributeHolder(array('sf_content' => $content));130 $this->attributeHolder = $this->initializeAttributeHolder(array('sf_content' => new sfOutputEscaperSafe($content))); 131 131 132 132 // render the decorator template and return the result branches/1.1/test/functional/escapingTest.php
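Review bot: `sf_content` is wrapped in sfOutputEscaperSafe regardless of the escaping strategy, so with escaping off templates now receive an object where they previously received a string; `echo` still works through `__toString()`, but `is_string()`, `===` comparisons or `empty()` on `$sf_content` no longer behave as before. Wrap only when escaping is active, e.g. `$this->initializeAttributeHolder(array('sf_content' => $attributeHolder->isEscaped() ? new sfOutputEscaperSafe($content) : $content))` — `$attributeHolder` is the holder saved two lines above and presumably carries the configured strategy; confirm that before relying on it. The enclosing method starts and ends outside the hunk.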
r6723 r8201 36 36 37 37 $b-> 38 get('/escaping/bc')->39 isStatusCode(200)->40 isRequestParameter('module', 'escaping')->41 isRequestParameter('action', 'bc')->42 responseContains('<h1>Lorem <strong>ipsum</strong> dolor sit amet.</h1>')->43 responseContains('<h2>Lorem <strong>ipsum</strong> dolor sit amet.</h2>');44 ;45 46 $b->47 38 get('/escaping/off')-> 48 39 isStatusCode(200)-> branches/1.1/test/functional/fixtures/project/apps/cache/templates/image.php
r3098 r8201 1 <?php echo $sf_ data->getRaw('sf_content')?>1 <?php echo $sf_content ?> branches/1.1/test/functional/fixtures/project/apps/cache/templates/layout.php
r7729 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 <div id="component_slot_content"><?php echo get_slot('component') ?></div> branches/1.1/test/functional/fixtures/project/apps/frontend/modules/escaping/actions/actions.class.php
r6723 r8201 28 28 } 29 29 30 public function executeBc()31 {32 sfConfig::set('sf_escaping_strategy', 'bc');33 }34 35 30 public function executeOff() 36 31 { branches/1.1/test/functional/fixtures/project/apps/frontend/templates/layout.php
r2069 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/test/functional/fixtures/project/apps/i18n/templates/layout.php
r2740 r8201 13 13 <body> 14 14 15 <?php echo $sf_ data->getRaw('sf_content')?>15 <?php echo $sf_content ?> 16 16 17 17 </body> branches/1.1/test/unit/view/sfEscapedViewParameterHolderTest.php
r7899 r8201 12 12 require_once($_test_dir.'/unit/sfContextMock.class.php'); 13 13 14 $t = new lime_test(2 7, new lime_output_color());14 $t = new lime_test(23, new lime_output_color()); 15 15 16 16 define('ESC_SPECIALCHARS', 'esc_specialchars'); … … 126 126 } 127 127 128 $t->diag('Escaping strategy to bc');129 $p->setEscaping('bc');130 $values = $p->toArray();131 $t->is(count($values), 2, '->toArray() knows about the "bc" strategy');132 $t->is(count($values['sf_data']), 1, '->toArray() knows about the "bc" strategy');133 $t->is($values['foo'], 'bar', '->toArray() knows about the "bc" strategy');134 $t->is($values['sf_data']['foo'], '-ESCAPED-bar-ESCAPED-', '->toArray() knows about the "bc" strategy');135 136 128 $t->diag('Escaping strategy to both'); 137 129 $p->setEscaping('both');