[BUGFIX] Prevent XSS in ViewHelpers
[Packages/TYPO3.CMS.git] / typo3 / sysext / fluid / Classes / ViewHelpers / CaseViewHelper.php
1 <?php
2 namespace TYPO3\CMS\Fluid\ViewHelpers;
3
4 /* *
5 * This script is backported from the TYPO3 Flow package "TYPO3.Fluid". *
6 * *
7 * It is free software; you can redistribute it and/or modify it under *
8 * the terms of the GNU Lesser General Public License, either version 3 *
9 * of the License, or (at your option) any later version. *
10 * *
11 * The TYPO3 project - inspiring people to share! *
12 * */
13
14 use TYPO3\CMS\Core\Utility\GeneralUtility;
15 use TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper;
16 use TYPO3\CMS\Fluid\Core\ViewHelper\Exception;
17 use TYPO3Fluid\Fluid\Core\Rendering\RenderingContextInterface;
18 use TYPO3Fluid\Fluid\ViewHelpers\SwitchViewHelper as OriginalSwitchViewHelper;
19
20 /**
21 * Case view helper that is only usable within the SwitchViewHelper.
22 * @see \TYPO3\CMS\Fluid\ViewHelpers\SwitchViewHelper
23 *
24 * @api
25 */
class CaseViewHelper extends AbstractViewHelper
{
    /**
     * Output escaping is switched off for this helper: whatever the child
     * closure returns is handed back to the caller unchanged.
     *
     * NOTE(review): this is only safe if the child nodes are escaped before
     * they reach this helper. That presumably comes from the children-escaping
     * default in the parent class, which is not visible here. Confirm against
     * AbstractViewHelper before changing this flag or adding $escapeChildren.
     *
     * @var bool
     */
    protected $escapeOutput = false;

    /**
     * Instance entry point; forwards both arguments to renderStatic().
     *
     * @param mixed $value The switch value. If it matches, the child will be rendered
     * @param bool $default If this is set, this child will be rendered, if none else matches
     *
     * @return string the rendered children if $value equals the expression of the surrounding switch view helper, or $default is TRUE; otherwise an empty string
     * @throws Exception
     *
     * @api
     */
    public function render($value = null, $default = false)
    {
        $caseArguments = [
            'value' => $value,
            'default' => $default,
        ];

        return static::renderStatic(
            $caseArguments,
            $this->buildRenderChildrenClosure(),
            $this->renderingContext
        );
    }

    /**
     * Compares the case value with the expression stored by the surrounding
     * switch helper and renders the children on a match.
     *
     * @param array $arguments expects the keys 'value' and 'default'
     * @param callable $renderChildrenClosure
     * @param RenderingContextInterface $renderingContext
     *
     * @return mixed|string result of the child closure on a match, otherwise an empty string
     * @throws Exception if neither a value nor the default flag is given
     */
    public static function renderStatic(array $arguments, \Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
    {
        $caseValue = $arguments['value'];
        $isDefault = $arguments['default'];
        $container = $renderingContext->getViewHelperVariableContainer();

        // Any value other than boolean false counts as "default was used".
        if ($isDefault !== false) {
            GeneralUtility::deprecationLog('Argument "default" on f:case is deprecated - use f:defaultCase instead');
        }

        $hasNoCriterion = ($caseValue === null && $isDefault === false);
        if ($hasNoCriterion) {
            throw new Exception('The case View helper must have either value or default argument', 1382867521);
        }

        // NOTE(review): nothing here checks that a surrounding switch actually
        // registered 'switchExpression'. What get() yields for a missing key
        // is not visible in this file; confirm how this behaves outside f:switch.
        $switchExpression = $container->get(OriginalSwitchViewHelper::class, 'switchExpression');

        // The comparison is loose (==) on purpose, so PHP type juggling applies:
        // the string "1" matches the integer 1, for instance.
        $isMatch = ($isDefault === true || $switchExpression == $caseValue);
        if (!$isMatch) {
            return '';
        }

        // Record the match under the switch helper's 'break' key before rendering.
        $container->addOrUpdate(OriginalSwitchViewHelper::class, 'break', true);

        return $renderChildrenClosure();
    }
}