[BUGFIX] Prevent XSS in ViewHelpers
1 <?php
2 namespace TYPO3\CMS\Fluid\ViewHelpers;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Extbase\Utility\DebuggerUtility;
18 use TYPO3\CMS\Fluid\Core\Rendering\RenderingContextInterface;
19 use TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper;
20
21 /**
22 * This ViewHelper generates an HTML dump of the tagged variable. It is a development aid: the dump exposes the full contents of the variable (including object internals), so it should not be left in templates that are deployed to production.
23 *
24 * = Examples =
25 *
26 * <code title="Simple">
27 * <f:debug>{testVariables.array}</f:debug>
28 * </code>
29 * <output>
30 * foobarbazfoo
31 * </output>
32 *
33 * <code title="All Features">
34 * <f:debug title="My Title" maxDepth="5" blacklistedClassNames="{0:'Tx_BlogExample_Domain_Model_Administrator'}" plainText="TRUE" ansiColors="FALSE" inline="TRUE" blacklistedPropertyNames="{0:'posts'}">{blogs}</f:debug>
35 * </code>
36 * <output>
37 * [A HTML view of the var_dump]
38 * </output>
39 */
class DebugViewHelper extends AbstractViewHelper
{
    /**
     * Children are handed to DebuggerUtility::var_dump() unescaped. The
     * dump itself is expected to encode them, so escaping them here as well
     * would double-encode the output.
     *
     * @var bool
     */
    protected $escapeChildren = false;

    /**
     * Output escaping is switched off because DebuggerUtility::var_dump() is
     * expected to return already-encoded markup.
     *
     * NOTE(review): with both escape flags FALSE nothing downstream will
     * escape this ViewHelper's output. That is only safe if var_dump()
     * HTML-encodes in every mode it can be called in from here, including
     * plainText="TRUE" — confirm against DebuggerUtility before dumping
     * untrusted data (e.g. request arguments) into an HTML page.
     *
     * @var bool
     */
    protected $escapeOutput = false;

    /**
     * Dumps the tagged variable via \TYPO3\CMS\Extbase\Utility\DebuggerUtility::var_dump().
     *
     * @param string $title Optional custom title for the debug output
     * @param int $maxDepth Maximum recursion depth of the dump (defaults to 8); raise or lower it according to your needs and memory limit
     * @param bool $plainText If TRUE the dump is plain text, if FALSE (default) it is rendered as HTML
     * @param bool $ansiColors If TRUE, ANSI color codes are added to the plain-text output; if FALSE (default) the plain-text output is not colored
     * @param bool $inline If TRUE the dump is rendered at the position of the <f:debug> tag; if FALSE (default) it is displayed at the top of the page
     * @param array $blacklistedClassNames Class names (RegEx) to be filtered out; defaults to a set of common class names
     * @param array $blacklistedPropertyNames Property names and/or array keys (RegEx) to be filtered out; defaults to a set of common property names
     * @return string
     */
    public function render($title = null, $maxDepth = 8, $plainText = false, $ansiColors = false, $inline = false, $blacklistedClassNames = null, $blacklistedPropertyNames = null)
    {
        // Collect the tag arguments once so both entry points share one call path.
        $arguments = [
            'title' => $title,
            'maxDepth' => $maxDepth,
            'plainText' => $plainText,
            'ansiColors' => $ansiColors,
            'inline' => $inline,
            'blacklistedClassNames' => $blacklistedClassNames,
            'blacklistedPropertyNames' => $blacklistedPropertyNames,
        ];

        return static::renderStatic($arguments, $this->buildRenderChildrenClosure(), $this->renderingContext);
    }

    /**
     * Static rendering entry point; render() delegates here.
     *
     * @param array $arguments Tag arguments keyed as in render()
     * @param \Closure $renderChildrenClosure Yields the tagged variable to dump
     * @param RenderingContextInterface $renderingContext Not used by this ViewHelper
     * @return string The dump as produced by DebuggerUtility::var_dump()
     */
    public static function renderStatic(array $arguments, \Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
    {
        // The children (the expression between the tags) are the value being dumped.
        $subject = $renderChildrenClosure();

        // The three flag arguments are cast so that string values from the
        // template (e.g. "TRUE") reach var_dump() as booleans.
        return DebuggerUtility::var_dump(
            $subject,
            $arguments['title'],
            $arguments['maxDepth'],
            (bool)$arguments['plainText'],
            (bool)$arguments['ansiColors'],
            (bool)$arguments['inline'],
            $arguments['blacklistedClassNames'],
            $arguments['blacklistedPropertyNames']
        );
    }
}