Verzeichnisstruktur phpBB-3.3.15
- Veröffentlicht
- 28.08.2024
So funktioniert es
|
|
Auf das letzte Element klicken. Dies geht jeweils ein Schritt zurück |
Auf das Icon klicken, dies öffnet das Verzeichnis. Nochmal klicken schließt das Verzeichnis. |
|
|
(Beispiel Datei-Icons)
|
Auf das Icon klicken um den Quellcode anzuzeigen |
AbstractFlashRestriction.php
001 <?php
002
003 /**
004 * @package s9e\TextFormatter
005 * @copyright Copyright (c) 2010-2022 The s9e authors
006 * @license http://www.opensource.org/licenses/mit-license.php The MIT License
007 */
008 namespace s9e\TextFormatter\Configurator\TemplateChecks;
009
010 use DOMElement;
011 use DOMNode;
012 use DOMXPath;
013 use s9e\TextFormatter\Configurator\Exceptions\UnsafeTemplateException;
014 use s9e\TextFormatter\Configurator\Items\Tag;
015 use s9e\TextFormatter\Configurator\TemplateCheck;
016
017 /**
018 * NOTE: when this check is enabled, DisallowObjectParamsWithGeneratedName should be enabled too.
019 * Otherwise, <param/> elements with a dynamic 'name' attribute could be used to bypass this
020 * restriction. For the same reason, DisallowCopy, DisallowDisableOutputEscaping,
021 * DisallowDynamicAttributeNames, DisallowDynamicElementNames and DisallowUnsafeCopyOf should
022 * all be enabled too
023 */
024 abstract class AbstractFlashRestriction extends TemplateCheck
025 {
026 /**
027 * @var string Name of the default setting
028 */
029 public $defaultSetting;
030
031 /**
032 * @var string Name of the highest setting allowed
033 */
034 public $maxSetting;
035
036 /**
037 * @var bool Whether this restriction applies only to elements using any kind of dynamic markup:
038 * XSL elements or attribute value templates
039 */
040 public $onlyIfDynamic;
041
042 /**
043 * @var string Name of the restricted setting
044 */
045 protected $settingName;
046
047 /**
048 * @var array Valid settings
049 */
050 protected $settings;
051
052 /**
053 * @var DOMElement <xsl:template/> node
054 */
055 protected $template;
056
057 /**
058 * Constructor
059 *
060 * @param string $maxSetting Max setting allowed
061 * @param bool $onlyIfDynamic Whether this restriction applies only to elements using any kind
062 * of dynamic markup: XSL elements or attribute value templates
063 */
064 public function __construct($maxSetting, $onlyIfDynamic = false)
065 {
066 $this->maxSetting = $maxSetting;
067 $this->onlyIfDynamic = $onlyIfDynamic;
068 }
069
070 /**
071 * Test for the set Flash restriction
072 *
073 * @param DOMElement $template <xsl:template/> node
074 * @param Tag $tag Tag this template belongs to
075 * @return void
076 */
077 public function check(DOMElement $template, Tag $tag)
078 {
079 $this->template = $template;
080 $this->checkEmbeds();
081 $this->checkObjects();
082 }
083
084 /**
085 * Test given element's attributes
086 *
087 * @param DOMElement $embed Context element
088 * @return void
089 */
090 protected function checkAttributes(DOMElement $embed)
091 {
092 $settingName = strtolower($this->settingName);
093 $useDefault = true;
094 foreach ($embed->attributes as $attribute)
095 {
096 $attrName = strtolower($attribute->name);
097 if ($attrName === $settingName)
098 {
099 $this->checkSetting($attribute, $attribute->value);
100 $useDefault = false;
101 }
102 }
103 if ($useDefault)
104 {
105 $this->checkSetting($embed, $this->defaultSetting);
106 }
107 }
108
109 /**
110 * Test whether given element has dynamic attributes that match the setting's name
111 *
112 * @param DOMElement $embed Context element
113 * @return void
114 */
115 protected function checkDynamicAttributes(DOMElement $embed)
116 {
117 $settingName = strtolower($this->settingName);
118 foreach ($embed->getElementsByTagNameNS(self::XMLNS_XSL, 'attribute') as $attribute)
119 {
120 $attrName = strtolower($attribute->getAttribute('name'));
121 if ($attrName === $settingName)
122 {
123 throw new UnsafeTemplateException('Cannot assess the safety of dynamic attributes', $attribute);
124 }
125 }
126 }
127
128 /**
129 * Test the presence of dynamic params in given object
130 *
131 * @param DOMElement $object Context element
132 * @return void
133 */
134 protected function checkDynamicParams(DOMElement $object)
135 {
136 foreach ($this->getObjectParams($object) as $param)
137 {
138 foreach ($param->getElementsByTagNameNS(self::XMLNS_XSL, 'attribute') as $attribute)
139 {
140 // Test for a dynamic "value" attribute
141 if (strtolower($attribute->getAttribute('name')) === 'value')
142 {
143 throw new UnsafeTemplateException('Cannot assess the safety of dynamic attributes', $attribute);
144 }
145 }
146 }
147 }
148
149 /**
150 * Check embed elements in given template
151 *
152 * @return void
153 */
154 protected function checkEmbeds()
155 {
156 foreach ($this->getElements('embed') as $embed)
157 {
158 // Test <xsl:attribute/> descendants
159 $this->checkDynamicAttributes($embed);
160
161 // Test the element's attributes
162 $this->checkAttributes($embed);
163 }
164 }
165
166 /**
167 * Check object elements in given template
168 *
169 * @return void
170 */
171 protected function checkObjects()
172 {
173 foreach ($this->getElements('object') as $object)
174 {
175 // Make sure this object doesn't have dynamic params
176 $this->checkDynamicParams($object);
177
178 // Test the element's <param/> descendants
179 $params = $this->getObjectParams($object);
180 foreach ($params as $param)
181 {
182 $this->checkSetting($param, $param->getAttribute('value'));
183 }
184 if (empty($params))
185 {
186 $this->checkSetting($object, $this->defaultSetting);
187 }
188 }
189 }
190
191 /**
192 * Test whether given setting is allowed
193 *
194 * @param DOMNode $node Target node
195 * @param string $setting Setting
196 * @return void
197 */
198 protected function checkSetting(DOMNode $node, $setting)
199 {
200 if (!isset($this->settings[strtolower($setting)]))
201 {
202 // Test whether the value contains an odd number of {
203 if (preg_match('/(?<!\\{)\\{(?:\\{\\{)*(?!\\{)/', $setting))
204 {
205 throw new UnsafeTemplateException('Cannot assess ' . $this->settingName . " setting '" . $setting . "'", $node);
206 }
207
208 throw new UnsafeTemplateException('Unknown ' . $this->settingName . " value '" . $setting . "'", $node);
209 }
210
211 $value = $this->settings[strtolower($setting)];
212 $maxValue = $this->settings[strtolower($this->maxSetting)];
213
214 if ($value > $maxValue)
215 {
216 throw new UnsafeTemplateException($this->settingName . " setting '" . $setting . "' exceeds restricted value '" . $this->maxSetting . "'", $node);
217 }
218 }
219
220 /**
221 * Test whether given node contains dynamic content (XSL elements or attribute value template)
222 *
223 * @param DOMElement $node Node
224 * @return bool
225 */
226 protected function isDynamic(DOMElement $node)
227 {
228 if ($node->getElementsByTagNameNS(self::XMLNS_XSL, '*')->length)
229 {
230 return true;
231 }
232
233 // Look for any attributes containing "{" in this element or its descendants
234 $xpath = new DOMXPath($node->ownerDocument);
235 $query = './/@*[contains(., "{")]';
236
237 foreach ($xpath->query($query, $node) as $attribute)
238 {
239 // Test whether the value contains an odd number of {
240 if (preg_match('/(?<!\\{)\\{(?:\\{\\{)*(?!\\{)/', $attribute->value))
241 {
242 return true;
243 }
244 }
245
246 return false;
247 }
248
249 /**
250 * Get all elements the restriction applies to
251 *
252 * @param string $tagName Element's name
253 * @return DOMElement[]
254 */
255 protected function getElements($tagName)
256 {
257 $nodes = [];
258 foreach ($this->template->ownerDocument->getElementsByTagName($tagName) as $node)
259 {
260 if (!$this->onlyIfDynamic || $this->isDynamic($node))
261 {
262 $nodes[] = $node;
263 }
264 }
265
266 return $nodes;
267 }
268
269 /**
270 * Get all param elements attached to given object
271 *
272 * @param DOMElement $object Context element
273 * @return DOMElement[]
274 */
275 protected function getObjectParams(DOMElement $object)
276 {
277 $params = [];
278 $settingName = strtolower($this->settingName);
279 foreach ($object->getElementsByTagName('param') as $param)
280 {
281 $paramName = strtolower($param->getAttribute('name'));
282 if ($paramName === $settingName && $param->parentNode->isSameNode($object))
283 {
284 $params[] = $param;
285 }
286 }
287
288 return $params;
289 }
290 }