<?php
/**
* TSafeHtml class file
*
* @author Wei Zhuo <weizhuo[at]gmail[dot]com>
* @link http://www.pradosoft.com/
* @copyright Copyright © 2005-2008 PradoSoft
* @license http://www.pradosoft.com/license/
* @version $Id: TSafeHtml.php 2541 2008-10-21 15:05:13Z qiang.xue $
* @package System.Web.UI.WebControls
*/
|
/**
* TSafeHtml class
*
* TSafeHtml is a control that strips down all potentially dangerous
* HTML content. It is mainly a wrapper of {@link http://pixel-apes.com/safehtml/ SafeHTML}
* project. According to the SafeHTML project, it tries to guard against
* the following situations when the string is to be displayed to end-users,
* - Opening tag without its closing tag
* - Closing tag without its opening tag
* - any of these tags: base, basefont, head, html, body, applet, object,
* iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link,
* meta, style, title, blink, xml, etc.
* - any of these attributes: on*, data*, dynsrc
* - javascript:/vbscript:/about: etc. protocols
* - expression/behavior etc. in styles
* - any other active content.
*
* To use TSafeHtml, simply enclose the content to be secured within
* the body of TSafeHtml in a template.
*
* @author Wei Zhuo <weizhuo[at]gmail[dot]com>
* @version $Id: TSafeHtml.php 2541 2008-10-21 15:05:13Z qiang.xue $
* @package System.Web.UI.WebControls
* @since 3.0
*/
class TSafeHtml extends TControl
{
    /**
     * Renders the body content through the SafeHTML filter.
     *
     * The parent implementation is asked to render into an in-memory
     * {@link TTextWriter} (wrapped in a temporary {@link THtmlWriter});
     * only the result of {@link parseSafeHtml} is then written to the real
     * writer. TSafeHtml does no filtering of its own: whatever the SafeHtml
     * parser returns is written out unchanged.
     * @param THtmlWriter writer the writer that receives the filtered output
     */
    public function render($writer)
    {
        // Capture the child output instead of streaming it to $writer directly.
        $buffer = new TTextWriter();
        $captureWriter = new THtmlWriter($buffer);
        parent::render($captureWriter);

        $rawHtml = $buffer->flush();
        $safeHtml = $this->parseSafeHtml($rawHtml);
        $writer->write($safeHtml);
    }

    /**
     * Filters HTML content through the bundled SafeHTML parser
     * (System.3rdParty.SafeHtml.TSafeHtmlParser). A fresh parser component
     * is created on every call via {@link Prado::createComponent}.
     * @param string HTML content to be filtered
     * @return string the content as returned by the SafeHtml parser
     */
    protected function parseSafeHtml($text)
    {
        $parserType = 'System.3rdParty.SafeHtml.TSafeHtmlParser';
        $parser = Prado::createComponent($parserType);
        return $parser->parse($text);
    }
}