<?php
/**
 * Security class: HTML-escaping helpers for Context/target variables (XSS mitigation) and an XXE detector.
*
* @author NAVER (developers@xpressengine.com)
*/
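class Security
{
	/**
	 * Target of the encode operations. When NULL, encodeHTML() reads and writes
	 * Context variables instead of a local value.
	 * @var mixed
	 */
	public $_targetVar = NULL;

	/**
	 * @constructor
	 * @param mixed $var Target container (object or array), a scalar, or NULL to operate on Context
	 * @return void
	 */
	public function __construct($var = NULL)
	{
		$this->_targetVar = $var;
	}

	/**
	 * Escape HTML special characters in the named variables (XSS mitigation for HTML output).
	 *
	 * Each argument is a dotted path. The first segment names a Context variable
	 * (when no target was given) or a property/element of the target; the remaining
	 * segments descend into nested objects/arrays. An EMPTY segment ('list.' or
	 * 'rows..name') means "every element at this level"; that is the only way to
	 * escape the contents of an array or object - a path that stops at a container
	 * without an empty segment leaves it untouched (the value is skipped, not escaped).
	 * A key of "0" is a valid segment and is looked up like any other name.
	 *
	 * With no arguments and a non-container target, the target itself is escaped.
	 *
	 * Security notes:
	 *  - Escaping is delegated to the global escape() helper, so only the HTML
	 *    contexts it covers are protected; do not rely on this method for
	 *    JavaScript, URL or CSS contexts.
	 *  - Strings beginning with '$user_lang->' are deliberately NOT escaped (they
	 *    are language-variable references resolved later). An untrusted value with
	 *    that prefix therefore passes through unchanged; callers must not send it
	 *    to an HTML sink without that later resolution/escaping step.
	 *
	 * @params string $varName1, $varName2, ... dotted paths (read via func_get_args() for
	 *         backward compatibility with existing overrides)
	 * @return mixed the (possibly modified) target when one was given; nothing in Context mode
	 */
	public function encodeHTML(/* , $varName1, $varName2, ... */)
	{
		$varNames = func_get_args();
		$use_context = ($this->_targetVar === null);

		if (!$use_context)
		{
			// No paths, or a scalar target: escape the target as a whole.
			if (!count($varNames) || (!is_object($this->_targetVar) && !is_array($this->_targetVar)))
			{
				return $this->_encodeHTML($this->_targetVar);
			}
		}

		foreach ($varNames as $path)
		{
			$segments = explode('.', $path);
			$first = array_shift($segments);

			if ($use_context)
			{
				$value = Context::get($first);
			}
			elseif ($first !== '')
			{
				$value = self::_getItem($this->_targetVar, $first);
			}
			else
			{
				// Leading dot: the path applies to the target itself.
				$value = $this->_targetVar;
			}

			$value = $this->_encodeHTML($value, $segments);
			if ($value === FALSE)
			{
				// Nothing escapable at this path (missing key, non-string, or a
				// container reached without a trailing empty segment).
				continue;
			}

			if ($use_context)
			{
				Context::set($first, $value);
			}
			elseif ($first !== '')
			{
				self::_setItem($this->_targetVar, $first, $value);
			}
			else
			{
				$this->_targetVar = $value;
			}
		}

		if (!$use_context)
		{
			return $this->_targetVar;
		}
	}

	/**
	 * Escape a value, or the part of it selected by the remaining path segments.
	 *
	 * Strings are escaped (except '$user_lang->' references, see encodeHTML()).
	 * For containers, a non-empty segment selects one property/element, an empty
	 * segment applies the rest of the path to every element. Objects are modified
	 * in place; arrays are modified in the returned copy.
	 *
	 * @param mixed $var value to process
	 * @param array $name remaining path segments
	 * @return mixed the escaped/updated value, or FALSE when nothing could be escaped
	 *               (non-string scalar, NULL, or a container with no remaining path)
	 */
	protected function _encodeHTML($var, $name = [])
	{
		if (is_string($var))
		{
			// Language-variable references are left untouched for later resolution;
			// everything else goes through the global escape() helper.
			if (strncmp('$user_lang->', $var, 12) !== 0)
			{
				$var = escape($var, false);
			}
			return $var;
		}

		// Nothing to descend into: not a container, or container with no path left.
		if (!count($name) || (!is_array($var) && !is_object($var)))
		{
			return false;
		}

		$segment = array_shift($name);

		if ((string) $segment !== '')
		{
			$target = $this->_encodeHTML(self::_getItem($var, $segment), $name);
			if ($target !== false)
			{
				self::_setItem($var, $segment, $target);
			}
			return $var;
		}

		// Empty segment: apply the remaining path to every element of the container.
		foreach ($var as $key => $target)
		{
			$target = $this->_encodeHTML($target, $name);
			if ($target !== false)
			{
				self::_setItem($var, $key, $target);
			}
		}

		return $var;
	}

	/**
	 * Read $key from an object (property) or array (element); NULL when absent.
	 * @param object|array $container
	 * @param string|int $key
	 * @return mixed
	 */
	private static function _getItem($container, $key)
	{
		return is_object($container) ? ($container->{$key} ?? null) : ($container[$key] ?? null);
	}

	/**
	 * Write $value to $key of an object (property) or array (element).
	 * @param object|array $container by reference so that array writes are kept by the caller
	 * @param string|int $key
	 * @param mixed $value
	 * @return void
	 */
	private static function _setItem(&$container, $key, $value)
	{
		if (is_object($container))
		{
			$container->{$key} = $value;
		}
		else
		{
			$container[$key] = $value;
		}
	}

	/**
	 * @brief check XML External Entity
	 *
	 * Returns TRUE when the XML should be rejected as carrying an external-entity
	 * (XXE) payload. Delegates to Rhymix\Framework\Security::checkXXE(); the
	 * negation here implies checkXXE() reports TRUE for safe input - confirm the
	 * polarity against that implementation before relying on it.
	 *
	 * @see from drupal. https://github.com/drupal/drupal/commit/90e884ad0f7f2cf269d953f7d70966de9fd821ff
	 *
	 * @param string $xml
	 * @return bool TRUE if XXE content is detected
	 */
	public static function detectingXEE($xml)
	{
		return !Rhymix\Framework\Security::checkXXE($xml);
	}
}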