[BUGFIX] Prevent XSS in ViewHelpers
1 <?php
2 namespace TYPO3\CMS\Fluid\ViewHelpers\Format;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Fluid\Core\Rendering\RenderingContextInterface;
18 use TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper;
19
/**
 * Removes tags from the given string (applying PHP's strip_tags() function).
 *
 * Security note: this ViewHelper disables Fluid's output escaping, so whatever
 * strip_tags() leaves in the string is written to the page verbatim. With no
 * allowedTags every tag is removed; with allowedTags the listed tags survive
 * *including all their attributes* (strip_tags() does not filter attributes),
 * so allowing e.g. "<a>" also lets href="javascript:..." or on* event handlers
 * through. Use allowedTags only on trusted content.
 *
 * @see http://www.php.net/manual/function.strip-tags.php
 *
 * = Examples =
 *
 * <code title="default notation">
 * <f:format.stripTags>Some Text with <b>Tags</b> and an &Uuml;mlaut.</f:format.stripTags>
 * </code>
 * <output>
 * Some Text with Tags and an &Uuml;mlaut. (strip_tags() applied. Note: encoded entities are not decoded)
 * </output>
 *
 * <code title="inline notation">
 * {text -> f:format.stripTags()}
 * </code>
 * <output>
 * Text without tags (strip_tags() applied)
 * </output>
 *
 * @api
 */
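class StripTagsViewHelper extends AbstractViewHelper
{
    /**
     * Output is deliberately not HTML-escaped: when $allowedTags is given the
     * result is expected to still contain markup. Consequence: everything that
     * survives strip_tags() reaches the page verbatim, so the allowed-tag list
     * is a security decision (see renderStatic()).
     *
     * @var bool
     */
    protected $escapeOutput = false;

    /**
     * Children are not escaped either: if "<" had already been turned into
     * "&lt;", strip_tags() could not recognise any tag to remove.
     *
     * @var bool
     */
    protected $escapeChildren = false;

    /**
     * Removes HTML/PHP tags from $value (or from the rendered tag content when
     * $value is null) using PHP's strip_tags(). It does NOT escape anything.
     *
     * Note: strip_tags() keeps the attributes of tags listed in $allowedTags,
     * so allowing "<a>" leaves href="javascript:..." or on* event handlers in
     * place. Only allow tags for trusted content, or post-process the result.
     *
     * @param string $value string to format
     * @param string $allowedTags Optional string of allowed tags as required by PHPs strip_tags() function, e.g. '<b><i>'
     * @return mixed The string with tags removed, or the original value untouched if it is not a string
     * @see http://www.php.net/manual/function.strip-tags.php
     * @api
     */
    public function render($value = null, $allowedTags = null)
    {
        return static::renderStatic(
            array(
                'value' => $value,
                'allowedTags' => $allowedTags
            ),
            $this->buildRenderChildrenClosure(),
            $this->renderingContext
        );
    }

    /**
     * Applies strip_tags() on the specified value.
     *
     * Non-string values (integers, arrays, objects, ...) are returned exactly
     * as they are, without any filtering; because $escapeOutput is false the
     * caller has to make sure such values are safe for the output context.
     *
     * @param array $arguments 'value' and 'allowedTags' as passed to render()
     * @param \Closure $renderChildrenClosure Renders the tag content; only invoked when 'value' is null
     * @param \TYPO3\CMS\Fluid\Core\Rendering\RenderingContextInterface $renderingContext
     * @return mixed string with tags removed, or the unmodified non-string value
     */
    public static function renderStatic(array $arguments, \Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
    {
        $value = $arguments['value'];
        if ($value === null) {
            // No explicit value given: fall back to the (unescaped) child content.
            $value = $renderChildrenClosure();
        }
        if (!is_string($value)) {
            // Nothing to strip from; pass the value through unchanged.
            return $value;
        }
        // A null 'allowedTags' is cast to '' which makes strip_tags() remove every tag.
        return strip_tags($value, (string)$arguments['allowedTags']);
    }
}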