作者:nsp1
项目:Drupal
/**
 * Returns the current raw response content reduced to plain text.
 *
 * The result is computed once and memoised in $this->plainTextContent;
 * subsequent calls return the cached copy. Markup is removed by running
 * Xss::filter() with an empty allow-list, which strips every tag. Only the
 * tags go: text nodes survive, so anything between <head> tags (titles,
 * inline script bodies) is presumably still present in the result.
 *
 * @return string
 *   The raw content with every HTML tag removed.
 */
protected function getTextContent()
{
  if (isset($this->plainTextContent)) {
    return $this->plainTextContent;
  }
  // An empty allowed-tag list makes Xss::filter() strip all tags.
  $stripped = Xss::filter($this->getRawContent(), array());
  $this->plainTextContent = $stripped;
  return $this->plainTextContent;
}
作者:nstiela
项目:drops-
/**
 * Tests the dblog views integration end to end.
 *
 * Logs three entries (no tokens, one token, two tokens) through the logger
 * factory, then checks that the 'message' and 'link' fields of the
 * test_dblog view render them as expected, first with variable replacement
 * enabled and then with it disabled.
 */
public function testIntegration()
{
  // Start from an empty log so view row indexes line up with $entries.
  $this->container->get('database')->truncate('watchdog')->execute();

  // One fresh Url per link, exactly as the inline calls did.
  $front_link = function ($text) {
    return \Drupal::l($text, new Url('<front>'));
  };

  $entries = array(
    // No tokens.
    array(
      'message' => $this->randomMachineName(),
      'variables' => array('link' => $front_link('Link')),
    ),
    // One token.
    array(
      'message' => '@token1',
      'variables' => array(
        '@token1' => $this->randomMachineName(),
        'link' => $front_link('Link'),
      ),
    ),
    // Two tokens. The link text is pre-marked-safe markup, presumably chosen
    // so that the link column's Xss::filterAdmin() pass has something to act
    // on (<object> is not an admin-allowed tag).
    array(
      'message' => '@token1 !token2',
      'variables' => array(
        '@token1' => $this->randomMachineName(),
        '!token2' => $this->randomMachineName(),
        'link' => $front_link(SafeMarkup::set('<object>Link</object>')),
      ),
    ),
  );

  $logger_factory = $this->container->get('logger.factory');
  foreach ($entries as $entry) {
    $entry += array('type' => 'test-views', 'severity' => RfcLogLevel::NOTICE);
    $logger_factory->get($entry['type'])
      ->log($entry['severity'], $entry['message'], $entry['variables']);
  }

  $view = Views::getView('test_dblog');
  $this->executeView($view);
  $view->initStyle();
  foreach ($entries as $row => $entry) {
    $actual_message = $view->style_plugin->getField($row, 'message');
    $this->assertEqual($actual_message, SafeMarkup::format($entry['message'], $entry['variables']));
    // The link column is admin-filtered, not escaped.
    $actual_link = $view->style_plugin->getField($row, 'link');
    $this->assertEqual($actual_link, Xss::filterAdmin($entry['variables']['link']));
  }

  // Second pass with variable replacement turned off: the raw message with
  // its placeholders must come back untouched.
  $view->destroy();
  $view->storage->invalidateCaches();
  $view->initHandlers();
  $this->executeView($view);
  $view->initStyle();
  $view->field['message']->options['replace_variables'] = FALSE;
  foreach ($entries as $row => $entry) {
    $this->assertEqual($view->style_plugin->getField($row, 'message'), $entry['message']);
  }
}
作者:isram
项目:camp-gd
/**
 * Turns a 403 (AccessDeniedHttpException) into a redirect.
 *
 * Anonymous users are sent to the configured login route, optionally with a
 * status message; authenticated users are sent to the configured path, if one
 * is set. In both cases the current request is carried along as the
 * ?destination= query parameter so the user can be returned afterwards.
 * Other exception types are left untouched.
 *
 * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
 *   The kernel exception event.
 */
public function onKernelException(GetResponseEvent $event)
{
  if (!($event->getException() instanceof AccessDeniedHttpException)) {
    return;
  }

  $settings = $this->configFactory->get('r4032login.settings');
  // NOTE(review): Symfony's RedirectResponse throws on a non-redirect status
  // code, so a bad 'default_redirect_code' value would surface here, inside
  // the exception listener itself.
  $status = $settings->get('default_redirect_code');
  $url_options = array(
    'query' => $this->redirectDestination->getAsArray(),
    'absolute' => TRUE,
  );

  if (!$this->currentUser->isAnonymous()) {
    // Authenticated users only get redirected when a target is configured.
    $target = $settings->get('redirect_authenticated_users_to');
    if (!$target) {
      return;
    }
    // fromUserInput() accepts only paths starting with '/', '?' or '#'; an
    // absolute URL in this setting would throw.
    $destination = Url::fromUserInput($target, $url_options)->toString();
    $event->setResponse(new RedirectResponse($destination, $status));
    return;
  }

  if ($settings->get('display_denied_message')) {
    // Admin-entered text: keep admin-safe markup, drop anything dangerous.
    drupal_set_message(
      Xss::filterAdmin($settings->get('access_denied_message')),
      $settings->get('access_denied_message_type')
    );
  }
  $login = Url::fromRoute($settings->get('user_login_route'), array(), $url_options)->toString();
  $event->setResponse(new RedirectResponse($login, $status));
}
作者:alnutil
项目:drunatr
/**
 * Overrides \Drupal\views\Plugin\views\style\StylePluginBase::render().
 *
 * In live preview the parent implementation is used unchanged. Otherwise the
 * result set is grouped, each row is rendered through the row plugin, and the
 * output is collapsed onto one line and passed through the admin XSS filter.
 * The return value is keyed by the entity id column (the view's base field),
 * which is what the entity reference display consumes.
 *
 * @return array
 *   Rendered row markup keyed by entity id.
 */
public function render()
{
  $view = $this->view;
  if (!empty($view->live_preview)) {
    return parent::render();
  }

  $groups = $this->renderGrouping($view->result, $this->options['grouping']);
  // Alias of the 'id' column added by entity_reference_plugin_display.
  $id_alias = $view->storage->get('base_field');
  // @todo Grouping information is discarded for now; it could be surfaced
  //   for a select widget.
  $rendered = array();
  $view->row_index = 0;
  foreach ($groups as $rows) {
    foreach ($rows as $row) {
      $row_build = $view->rowPlugin->render($row);
      $markup = drupal_render($row_build);
      // Drop newlines, squeeze whitespace runs, then apply the admin
      // allow-list. filterAdmin() permits a fairly broad tag set; this is a
      // sanity pass over already-rendered output, not an escape.
      $one_line = preg_replace('/\\s\\s+/', ' ', str_replace("\n", '', $markup));
      $rendered[$row->{$id_alias}] = Xss::filterAdmin($one_line);
      $view->row_index++;
    }
  }
  unset($view->row_index);
  return $rendered;
}
作者:anatalsce
项目:en-class
/**
 * Tests the dblog views integration end to end.
 *
 * Three watchdog() entries are written (no tokens, one token, two tokens)
 * and the 'message' and 'link' fields of the test_dblog view are compared
 * against the expected formatted/filtered values, first with variable
 * replacement enabled and then with it disabled.
 */
public function testIntegration()
{
  // Start from an empty log so view row indexes line up with $entries.
  $this->container->get('database')->truncate('watchdog')->execute();

  $entries = array();
  // No tokens.
  $entries[] = array(
    'message' => $this->randomMachineName(),
    'variables' => array(),
    'link' => l('Link', 'node/1'),
  );
  // One token.
  $entries[] = array(
    'message' => '@token1',
    'variables' => array('@token1' => $this->randomMachineName()),
    'link' => l('Link', 'node/2'),
  );
  // Two tokens. The link text is raw markup ('html' => TRUE), presumably so
  // that the link column's Xss::filterAdmin() pass is actually exercised.
  $entries[] = array(
    'message' => '@token1 !token2',
    'variables' => array(
      '@token1' => $this->randomMachineName(),
      '!token2' => $this->randomMachineName(),
    ),
    'link' => l('<object>Link</object>', 'node/2', array('html' => TRUE)),
  );

  foreach ($entries as $entry) {
    $entry += array('type' => 'test-views', 'severity' => WATCHDOG_NOTICE);
    watchdog($entry['type'], $entry['message'], $entry['variables'], $entry['severity'], $entry['link']);
  }

  $view = Views::getView('test_dblog');
  $this->executeView($view);
  $view->initStyle();
  foreach ($entries as $row => $entry) {
    $actual_message = $view->style_plugin->getField($row, 'message');
    $this->assertEqual($actual_message, String::format($entry['message'], $entry['variables']));
    // The link column is admin-filtered, not escaped.
    $actual_link = $view->style_plugin->getField($row, 'link');
    $this->assertEqual($actual_link, Xss::filterAdmin($entry['link']));
  }

  // Second pass with variable replacement disabled: placeholders must be
  // returned verbatim.
  $view->destroy();
  $view->initHandlers();
  $this->executeView($view);
  $view->initStyle();
  $view->field['message']->options['replace_variables'] = FALSE;
  foreach ($entries as $row => $entry) {
    $this->assertEqual($view->style_plugin->getField($row, 'message'), $entry['message']);
  }
}
作者:pedrocone
项目:hydrotool
/**
 * {@inheritdoc}
 *
 * Finalises a checkout: empties the cart, runs the once-only completion steps
 * (account handling, status change, hook_uc_checkout_complete()), optionally
 * logs a newly created user in, and returns the completion message as a
 * render array.
 *
 * Security notes (review, behaviour unchanged):
 * - !new_username and !new_password are substituted with strtr() as raw text;
 *   the only sanitisation afterwards is Xss::filterAdmin() over the whole
 *   message, so neither value is HTML-escaped on its own.
 * - $order->password, when set, appears to be the plaintext password and is
 *   echoed into the page. Even if intended, that puts the password into HTML
 *   that may reach page caches or logs; worth confirming this is still wanted.
 *
 * @param \Drupal\uc_order\OrderInterface $order
 *   The order being completed (type assumed from usage - confirm).
 * @param bool $login
 *   Whether a newly created user should be logged in.
 *
 * @return array
 *   A 'uc_cart_complete_sale' render array.
 */
public function completeSale($order, $login = FALSE)
{
  $this->emptyCart();

  // Reload from the database rather than the entity cache.
  // @todo Remove this once uc_payment_enter() can modify order objects?
  // @todo Should we be overwriting $order with this newly-loaded db_order?
  $fresh = $this->entityManager()->getStorage('uc_order')->loadUnchanged($order->id());
  $order->data = $fresh->data;

  // complete_sale doubles as a once-only marker: account creation and the
  // completion hooks must not fire twice for the same order.
  if (empty($order->data->complete_sale)) {
    $this->completeSaleAccount($order);
    // Move an order's status from "In checkout" to "Pending".
    if ($order->getStateId() == 'in_checkout') {
      $order->setStatusId(uc_order_state_default('post_checkout'));
    }
    $order->save();
    // Invoke the checkout complete trigger and hook.
    $customer = $order->getUser();
    $this->moduleHandler()->invokeAll('uc_checkout_complete', array($order, $customer));
    // rules_invoke_event('uc_checkout_complete', $order);
  }

  $message_key = $order->data->complete_sale;
  // Log in new users, if requested.
  if ($message_key == 'new_user' && $login && $this->currentUser()->isAnonymous()) {
    $message_key = 'new_user_logged_in';
    user_login_finalize($order->getUser());
  }

  $template = $this->config('uc_cart.messages')->get($message_key);
  $template = \Drupal::token()->replace($template, array('uc_order' => $order));
  $replacements = array(
    '!new_username' => isset($order->data->new_user_name) ? $order->data->new_user_name : '',
    '!new_password' => isset($order->password) ? $order->password : t('Your password'),
  );
  $message = strtr($template, $replacements);

  return array(
    '#theme' => 'uc_cart_complete_sale',
    '#message' => Xss::filterAdmin($message),
    '#order' => $order,
  );
}
作者:Suite
项目:feelmyboo
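/**
 * Determines if a string of text is considered "simple".
 *
 * A string is "simple" when (a) it survives Xss::filter() with $allowed_tags
 * completely unchanged - nothing stripped, rewritten or re-encoded - and
 * (b) its tag-stripped length does not exceed $length bytes. Either criterion
 * can be disabled by passing FALSE.
 *
 * Results are memoised in drupal_static() for the request. The cache is keyed
 * on the string AND the criteria ($length, $allowed_tags), and the $html flag
 * is stored alongside the result, so a repeat call with different criteria,
 * or a cache hit, behaves exactly like a first call. (Previously the key was
 * the string alone: the first answer was returned for every later
 * combination of criteria, and $html was left untouched on a hit.)
 *
 * @param string $string
 *   The string of text to check "simple" criteria on. Objects are cast to
 *   string.
 * @param int|FALSE $length
 *   The maximum length of the tag-stripped string, in bytes (strlen()), for
 *   it to count as "simple". Set explicitly to FALSE to disable this
 *   criterion.
 * @param array|FALSE $allowed_tags
 *   An array of allowed tag elements handed to Xss::filter(); NULL uses the
 *   filter's default list. Set explicitly to FALSE to disable this criterion.
 * @param bool $html
 *   A variable, passed by reference, set to TRUE when the filtered string
 *   differs from the tag-stripped string, i.e. the string carries markup or
 *   entities the filter keeps. Only assigned when $allowed_tags !== FALSE.
 *
 * @return bool
 *   Returns TRUE if the $string is considered "simple", FALSE otherwise.
 */
public static function isSimple($string, $length = 250, $allowed_tags = NULL, &$html = FALSE)
{
  // Typecast to a string (if an object).
  $string_clone = (string) $string;

  // Use the advanced drupal_static() pattern.
  static $drupal_static_fast;
  if (!isset($drupal_static_fast)) {
    $drupal_static_fast['strings'] =& drupal_static(__METHOD__);
  }
  $strings =& $drupal_static_fast['strings'];

  // The criteria are part of the answer, so they are part of the cache key:
  // the same string can be "simple" at $length = 250 and not at $length = 50.
  $criteria_key = serialize(array($length, $allowed_tags));

  if (!isset($strings[$string_clone][$criteria_key])) {
    $plain_string = strip_tags($string_clone);
    $simple = TRUE;
    $contains_html = FALSE;
    if ($allowed_tags !== FALSE) {
      $filtered_string = Xss::filter($string_clone, $allowed_tags);
      // Something survived the filter that strip_tags() removed or never
      // produced (kept tags, normalised '&amp;' entities).
      $contains_html = $filtered_string !== $plain_string;
      // Anything the filter changed - a stripped tag, a dropped attribute,
      // an encoded '&' - disqualifies the string.
      $simple = $simple && $string_clone === $filtered_string;
    }
    if ($length !== FALSE) {
      // strlen() counts bytes, not characters; kept so existing thresholds
      // keep their meaning.
      $simple = $simple && strlen($plain_string) <= intval($length);
    }
    $strings[$string_clone][$criteria_key] = array(
      'simple' => $simple,
      'html' => $contains_html,
    );
  }

  // Replay the by-reference $html result on cache hits as well, under the
  // same condition the computation above assigns it.
  if ($allowed_tags !== FALSE) {
    $html = $strings[$string_clone][$criteria_key]['html'];
  }
  return $strings[$string_clone][$criteria_key]['simple'];
}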
作者:aWEBoLab
项目:tax
/**
 * {@inheritdoc}
 *
 * Builds the block's render array from the view display. Render caching of
 * the view output itself is switched off (third argument FALSE) because the
 * whole block is cached instead.
 *
 * @return array
 *   The block render array, a bare ['#cache' => ...] when the view produced
 *   no output, or an empty array when nothing was built at all.
 */
public function build()
{
  $this->view->display_handler->preBlockBuild($this);
  $output = $this->view->buildRenderable($this->displayID, [], FALSE);
  if (!$output) {
    return array();
  }

  // Prefer the view's own (possibly dynamic) title over the block label
  // unless the block configuration overrides it. The title is treated as
  // admin markup: #allowed_tags is the Xss::filter() default list, so it is
  // filtered rather than escaped when #markup is rendered.
  if (empty($this->configuration['views_label'])) {
    $dynamic_title = $this->view->getTitle();
    if ($dynamic_title) {
      $output['#title'] = [
        '#markup' => $dynamic_title,
        '#allowed_tags' => Xss::getHtmlTagList(),
      ];
    }
  }

  $this->addContextualLinks($output);
  // The block module wants a final render array without a further top-level
  // #pre_render callback, so apply Views' own callback now.
  $output = View::preRenderViewElement($output);
  // An empty view_build means empty output: hand back only #cache so the
  // render system still learns the contexts and tags behind the emptiness.
  if (empty($output['view_build'])) {
    return ['#cache' => $output['#cache']];
  }
  return $output;
}
作者:jasonruyl
项目:crm_cor
/**
 * {@inheritdoc}
 *
 * Puts the menu label and description in front of the columns built by the
 * parent list builder.
 *
 * @param \Drupal\Core\Entity\EntityInterface $entity
 *   The menu entity for this row.
 *
 * @return array
 *   The table row.
 */
public function buildRow(EntityInterface $entity)
{
  $row = [
    'title' => [
      'data' => $this->getLabel($entity),
      'class' => ['menu-label'],
    ],
    // Admin-entered text: admin allow-list filtering, not escaping.
    // NOTE(review): whether the table cell prints this string as markup or
    // escapes it again depends on the renderer - verify at the template.
    'description' => Xss::filterAdmin($entity->description),
  ];
  return $row + parent::buildRow($entity);
}
作者:ddrozdi
项目:dmap
/**
 * {@inheritdoc}
 *
 * Keeps only the tags enabled in the filter's 'restrictions' setting and runs
 * the text through Xss::filter() with that list. A tag counts as enabled when
 * its value is an array (attribute restrictions) or truthy; the contents of
 * the array are not used here, so attribute-level restrictions are left to
 * Xss::filter()'s own attribute handling.
 *
 * @param string $text
 *   The text to filter.
 * @param string $langcode
 *   The language code of the text (unused).
 *
 * @return \Drupal\filter\FilterProcessResult
 *   The filtered text.
 */
public function process($text, $langcode)
{
  $allowed = array();
  foreach ($this->settings['restrictions']['allowed'] as $tag => $enabled) {
    if (is_array($enabled) || (bool) $enabled) {
      $allowed[] = $tag;
    }
  }
  return new FilterProcessResult(Xss::filter($text, $allowed));
}
作者:davidsoloma
项目:drupalconsole.co
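/**
 * {@inheritdoc}
 *
 * Expands tokens in the configured message and displays it as a status
 * message. XSS filtering is applied to the fully expanded string: previously
 * Xss::filterAdmin() ran on the template before token replacement, so any
 * markup contributed by a token value was never filtered. Filtering last
 * means the text handed to drupal_set_message() is exactly the text that was
 * sanitised, whatever the tokens produced.
 *
 * @param mixed $entity
 *   The entity the action runs on; stored under the 'node' configuration key
 *   (and so made available as token data) when none is configured yet.
 */
public function execute($entity = NULL)
{
  if (empty($this->configuration['node'])) {
    $this->configuration['node'] = $entity;
  }
  $expanded = $this->token->replace($this->configuration['message'], $this->configuration);
  // Admin-entered message: keep the admin tag allow-list, drop the rest.
  // NOTE(review): drupal_set_message() still receives a plain string, so
  // whether the kept markup renders or is escaped once more depends on how
  // the message theming treats non-Markup strings - unchanged from before.
  $message = Xss::filterAdmin($expanded);
  drupal_set_message($message);
}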
作者:aritnath199
项目:simplenewslates
/**
 * Returns the recipient handler labels keyed by plugin id.
 *
 * Each plugin's 'title' definition value is passed through Xss::filter() with
 * the default allow-list before being used as an option label.
 *
 * @return array
 *   Filtered handler titles keyed by handler plugin id.
 */
public function getOptions()
{
  $options = array();
  foreach ($this->getDefinitions() as $plugin_id => $definition) {
    // Titles normally come from plugin annotations (code), but are filtered
    // anyway before being used as labels.
    $options[$plugin_id] = Xss::filter($definition['title']);
  }
  return $options;
}
作者:jthorese
项目:PladsenDrupa
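/**
 * Retrieves the plain-text content from the current raw content.
 *
 * The <head> section is removed first so that titles, inline scripts and
 * styles do not leak into text assertions; then every tag is stripped by
 * running Xss::filter() with an empty allow-list. The result is memoised in
 * $this->plainTextContent.
 *
 * The head-stripping pattern now also matches a <head> that carries
 * attributes (e.g. <head profile="...">) and an empty <head></head>; the
 * previous '<head>(.+?)</head>' matched neither. If PCRE fails (returns
 * NULL, e.g. on a backtrack limit) the unstripped content is used rather
 * than passing NULL on.
 *
 * @return string
 *   The raw content with the head section and all HTML tags removed.
 */
protected function getTextContent() {
  if (!isset($this->plainTextContent)) {
    $raw_content = $this->getRawContent();
    // Strip everything between the HEAD tags (case-insensitive, across
    // newlines, attributes on the opening tag allowed, empty head allowed).
    $without_head = preg_replace('@<head\b[^>]*>.*?</head>@si', '', $raw_content);
    if ($without_head === NULL) {
      $without_head = $raw_content;
    }
    // An empty allowed-tag list makes Xss::filter() strip every tag.
    $this->plainTextContent = Xss::filter($without_head, array());
  }
  return $this->plainTextContent;
}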
作者:sarahwille
项目:OD
/**
 * Tests execution order of hook_form_alter() and hook_form_FORM_ID_alter().
 *
 * Hooks are expected to run module by module; within one module the generic
 * hook_form_alter() precedes the FORM_ID-specific one. The page text is
 * tag-stripped and whitespace-normalised before the substring check.
 */
function testExecutionOrder()
{
  $this->drupalGet('form-test/alter');
  $expected_order = array(
    'block_form_form_test_alter_form_alter() executed.',
    'form_test_form_alter() executed.',
    'form_test_form_form_test_alter_form_alter() executed.',
    'system_form_form_test_alter_form_alter() executed.',
  );
  // Strip all markup (empty allow-list) and collapse whitespace so the four
  // lines can be matched as one space-separated string.
  $plain = Xss::filter($this->content, array());
  $normalised = preg_replace('/\\s+/', ' ', $plain);
  $in_order = strpos($normalised, implode(' ', $expected_order)) !== FALSE;
  $this->assert($in_order, 'Form alter hooks executed in the expected order.');
}
作者:briefmedia-digita
项目:drupal
/**
 * Ensure that custom field content is XSS filtered.
 *
 * The 'name' field's rewrite text is set to a script tag; the rendered field
 * must equal the Xss::filter()ed form of that text. Note the expectation is
 * computed with Xss::filter() itself rather than spelled out, so the test
 * pins "the same default filter is applied", not a particular output.
 */
public function testCustomFieldXss()
{
  $payload = '<script>alert("kittens")</script>';
  $view = Views::getView('test_view');
  $view->setDisplay();
  $field_config = array(
    'name' => array(
      'id' => 'name',
      'table' => 'views_test_data',
      'field' => 'name',
      'relationship' => 'none',
      'alter' => array('text' => $payload),
    ),
  );
  $view->displayHandlers->get('default')->overrideOption('fields', $field_config);
  $this->executeView($view);
  $rendered = $view->style_plugin->getField(0, 'name');
  $this->assertEqual(Xss::filter($payload), $rendered);
}
作者:neetumorwan
项目:bloggin
/**
 * Writes admin-entered custom CSS to the theme's generated files directory.
 *
 * Security notes (review, behaviour unchanged):
 * - Xss::filter() is an HTML filter. On CSS it removes anything tag-like and
 *   normalises '&', but it does not parse CSS, so it neither blocks CSS-level
 *   payloads (url(javascript:...), @import, legacy expression()) nor keeps
 *   the stylesheet intact (a '<' inside a comment or string is removed). The
 *   effective safeguard is presumably that only theme administrators can
 *   reach this setting.
 * - The return value of file_unmanaged_save_data() (FALSE on failure) is
 *   discarded, so a failed write is silent.
 *
 * @param array $values
 *   Submitted theme settings; only 'settings_custom_css' is read.
 * @param string $generated_files_path
 *   Directory in which custom-css.css is (over)written.
 */
function at_core_submit_custom_css($values, $generated_files_path)
{
  $css = '';
  if (!empty($values['settings_custom_css'])) {
    // sanitize user entered data
    $css = Xss::filter($values['settings_custom_css']);
  }
  $target = $generated_files_path . '/' . 'custom-css.css';
  file_unmanaged_save_data($css, $target, FILE_EXISTS_REPLACE);
}
作者:pedrocone
项目:hydrotool
/**
 * {@inheritdoc}
 *
 * Builds the shipping-quote checkout pane: an admin-configured description,
 * the current user id, a "calculate" button wired to AJAX, and the quote
 * options supplied by the order. The pane's AJAX dependencies are recorded in
 * form state for the uc_ajax checkout handling.
 *
 * @param \Drupal\uc_order\OrderInterface $order
 *   The order being checked out.
 * @param array $form
 *   The checkout form (unused here).
 * @param \Drupal\Core\Form\FormStateInterface $form_state
 *   The form state; AJAX dependencies are written to it.
 *
 * @return array
 *   The pane's form elements.
 */
public function view(OrderInterface $order, array $form, FormStateInterface $form_state)
{
  $pane = [];
  // Admin-entered text: admin allow-list filtering, not escaping.
  $pane['#description'] = Xss::filterAdmin(\Drupal::config('uc_quote.settings')->get('pane_description'));
  $pane['#attached']['library'][] = 'uc_quote/uc_quote.styles';
  // #value (rather than #default_value) keeps the uid server-authoritative:
  // the Form API does not replace a preset #value with submitted input.
  $pane['uid'] = [
    '#type' => 'hidden',
    '#value' => \Drupal::currentUser()->id(),
  ];
  $pane['quote_button'] = [
    '#type' => 'submit',
    '#value' => t('Click to calculate shipping'),
    '#submit' => [[$this, 'paneSubmit']],
    '#weight' => 0,
    '#ajax' => [
      'effect' => 'slide',
      'progress' => ['type' => 'bar', 'message' => t('Receiving quotes...')],
    ],
    // The button must work even when other panes are still invalid.
    '#limit_validation_errors' => [],
  ];
  // Fixed wrapper keys win over anything of the same name in quote_form.
  $pane['quotes'] = [
    '#tree' => TRUE,
    '#prefix' => '<div id="quote">',
    '#suffix' => '</div>',
    '#weight' => 1,
  ] + $order->quote_form;

  $form_state->set(
    ['uc_ajax', 'uc_quote', 'panes][quotes][quote_button'],
    ['payment-pane' => 'uc_ajax_replace_checkout_pane', 'quotes-pane' => 'uc_ajax_replace_checkout_pane']
  );
  $form_state->set(
    ['uc_ajax', 'uc_quote', 'panes][quotes][quotes][quote_option'],
    ['payment-pane' => 'uc_ajax_replace_checkout_pane']
  );
  return $pane;
}
作者:Hak
项目:drupal8_trainin
/**
 * {@inheritdoc}
 *
 * Two-stage filter: Xss::filter() removes every tag that is not on the
 * configured allow-list, then filterAttributes() enforces the attribute and
 * attribute-value restrictions that Xss::filter() knows nothing about.
 *
 * @param string $text
 *   The text to filter.
 * @param string $langcode
 *   The language code of the text (unused here).
 *
 * @return \Drupal\filter\FilterProcessResult
 *   The filtered text.
 */
public function process($text, $langcode)
{
  $allowed = $this->getHtmlRestrictions()['allowed'];
  // The '*' key is not a real tag (it appears to hold restrictions that apply
  // to every tag), so it must not reach Xss::filter() as a tag name.
  unset($allowed['*']);
  $tags_filtered = Xss::filter($text, array_keys($allowed));
  return new FilterProcessResult($this->filterAttributes($tags_filtered));
}
作者:sathishRi
项目:theme
/**
 * Pre-processes variables for the "bootstrap_panel" theme hook.
 *
 * See template for list of available variables.
 *
 * Review notes (code left as is; the template contract is not visible here):
 * - $variables['legend']['title'] gets the Xss::filterAdmin()-filtered #title,
 *   but the "optional variables" loop at the end also copies the raw #title
 *   into $variables['title']. Which of the two the template prints decides
 *   whether this hook sanitises anything.
 * - The same loop overwrites $variables['description'] - built above as an
 *   array with 'attributes' (carrying the id used in aria-describedby) and
 *   'content' - with the raw #description string, and overwrites 'prefix' /
 *   'suffix' (set from #field_prefix / #field_suffix above) with #prefix /
 *   #suffix. That looks unintended; confirm against bootstrap-panel.html.twig.
 * - #description is copied without filtering; presumably it is trusted
 *   (form-definition) markup. Confirm.
 *
 * @param array $variables
 *   Theme variables; $variables['element'] holds the render element.
 *
 * @see bootstrap-panel.html.twig
 *
 * @ingroup theme_preprocess
 */
function bootstrap_preprocess_bootstrap_panel(&$variables)
{
  $element = $variables['element'];
  // Copy #id (when set) into #attributes['id'], then apply the standard
  // render-element attributes.
  Element::setAttributes($element, array('id'));
  Element\RenderElement::setAttributes($element);
  $variables['attributes'] = $element['#attributes'];
  $variables['prefix'] = isset($element['#field_prefix']) ? $element['#field_prefix'] : NULL;
  $variables['suffix'] = isset($element['#field_suffix']) ? $element['#field_suffix'] : NULL;
  $variables['title_display'] = isset($element['#title_display']) ? $element['#title_display'] : NULL;
  $variables['children'] = $element['#children'];
  $variables['required'] = !empty($element['#required']) ? $element['#required'] : NULL;
  // Admin-allow-list filtered copy of the title (see review notes above).
  $variables['legend']['title'] = !empty($element['#title']) ? Xss::filterAdmin($element['#title']) : '';
  $variables['legend']['attributes'] = new Attribute();
  $variables['legend_span']['attributes'] = new Attribute();
  if (!empty($element['#description'])) {
    // NOTE(review): #attributes['id'] only exists when #id was set (see
    // setAttributes() above); without one this presumably raises an
    // undefined-index notice.
    $description_id = $element['#attributes']['id'] . '--description';
    $description_attributes['id'] = $description_id;
    $variables['description']['attributes'] = new Attribute($description_attributes);
    $variables['description']['content'] = $element['#description'];
    // Add the description's id to the fieldset aria attributes.
    $variables['attributes']['aria-describedby'] = $description_id;
  }
  $variables['collapsible'] = FALSE;
  if (isset($element['#collapsible'])) {
    // Note: the class is added whenever #collapsible is set, even to FALSE.
    $variables['collapsible'] = $element['#collapsible'];
    $variables['attributes']['class'][] = 'collapsible';
  }
  $variables['collapsed'] = FALSE;
  if (isset($element['#collapsed'])) {
    $variables['collapsed'] = $element['#collapsed'];
  }
  // Force grouped fieldsets to not be collapsible (for vertical tabs).
  if (!empty($element['#group'])) {
    $variables['collapsible'] = FALSE;
    $variables['collapsed'] = FALSE;
  }
  // A collapsible panel needs an id for its collapse target; generate one if
  // the element has none. This is set on the local $element copy only.
  if (!isset($element['#id']) && $variables['collapsible']) {
    $element['#id'] = \Drupal\Component\Utility\Html::getUniqueId('bootstrap-panel');
  }
  $variables['target'] = NULL;
  if (isset($element['#id'])) {
    if (!isset($variables['attributes']['id'])) {
      $variables['attributes']['id'] = $element['#id'];
    }
    $variables['target'] = '#' . $element['#id'] . ' > .collapse';
  }
  // Iterate over optional variables. NOTE(review): this overwrites the
  // 'description', 'prefix' and 'suffix' values set above and exposes the
  // unfiltered #title as $variables['title'] next to the filtered
  // legend.title.
  $keys = array('description', 'prefix', 'suffix', 'title', 'value');
  foreach ($keys as $key) {
    $variables[$key] = !empty($element["#{$key}"]) ? $element["#{$key}"] : FALSE;
  }
}
作者:nsp1
项目:Drupal
/**
 * Filters an HTML string to prevent XSS vulnerabilities.
 *
 * Like \Drupal\Component\Utility\Xss::filterAdmin(), but with a shorter list
 * of allowed tags.
 *
 * Used for items entered by administrators, like field descriptions, allowed
 * values, where some (mainly inline) mark-up may be desired (so
 * \Drupal\Component\Utility\SafeMarkup::checkPlain() is not acceptable).
 *
 * @param string $string
 *   The string with raw HTML in it.
 *
 * @return \Drupal\Component\Utility\SafeMarkup
 *   An XSS safe version of $string, or an empty string if $string is not
 *   valid UTF-8.
 */
public function fieldFilterXss($string)
{
  // Tag allow-list: every other tag is stripped by Xss::filter(), which also
  // drops event-handler attributes and unsafe URL protocols from the tags it
  // keeps. The safety of the result therefore rests on allowedTags() being a
  // conservative list.
  $filtered = Xss::filter($string, $this->allowedTags());
  // Html::normalize() only repairs structure (closes and nests tags); it adds
  // no new markup, so the normalised string is as safe as the filtered one.
  $normalized = Html::normalize($filtered);
  // This is an internal step of field sanitisation and the result is meant
  // to be printed as is, so register it as safe. Once marked, nothing
  // downstream will escape it again.
  // @todo Free this memory in https://www.drupal.org/node/2505963.
  return SafeMarkup::set($normalized);
}