[BUGFIX] Prevent XSS in ViewHelpers
1 <?php
2 namespace TYPO3\CMS\Fluid\ViewHelpers\Format;
3
4 /*
5 * This file is part of the TYPO3 CMS project.
6 *
7 * It is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU General Public License, either version 2
9 * of the License, or any later version.
10 *
11 * For the full copyright and license information, please read the
12 * LICENSE.txt file that was distributed with this source code.
13 *
14 * The TYPO3 project - inspiring people to share!
15 */
16
17 use TYPO3\CMS\Fluid\Core\Rendering\RenderingContextInterface;
18 use TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelper;
19
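/**
 * Encodes the given string according to http://www.faqs.org/rfcs/rfc3986.html (applying PHPs rawurlencode() function)
 * @see http://www.php.net/manual/function.rawurlencode.php
 * Note: The output is not escaped. You may have to ensure proper escaping on your own.
 *
 * = Examples =
 *
 * <code title="default notation">
 * <f:format.urlencode>foo @+%/</f:format.urlencode>
 * </code>
 * <output>
 * foo%20%40%2B%25%2F (rawurlencode() applied)
 * </output>
 *
 * <code title="inline notation">
 * {text -> f:format.urlencode()}
 * </code>
 * <output>
 * Url encoded text (rawurlencode() applied)
 * </output>
 *
 * @api
 */
class UrlencodeViewHelper extends AbstractViewHelper
{
    /**
     * Prevent escaping for further processing.
     *
     * HTML escaping of the rendered result is switched off because
     * rawurlencode() output consists only of unreserved characters and %XX
     * sequences, none of which are HTML-special. The flip side is that any
     * value this view helper returns *without* encoding reaches the template
     * unescaped, so the non-string fallback in renderStatic() must never let
     * markup through.
     *
     * @var bool
     */
    protected $escapeOutput = false;

    /**
     * Prevent double escaping on child node's output.
     *
     * The tag content is the raw input to rawurlencode(); escaping it first
     * would encode HTML entities instead of the original characters.
     *
     * @var bool
     */
    protected $escapeChildren = false;

    /**
     * Escapes special characters with their escaped counterparts as needed using PHPs rawurlencode() function.
     *
     * @param string $value string to format; when null, the tag content is used instead
     * @return mixed the encoded string, or the untouched value when it cannot be treated as a string
     * @see http://www.php.net/manual/function.rawurlencode.php
     * @api
     */
    public function render($value = null)
    {
        return static::renderStatic(
            [
                'value' => $value,
            ],
            $this->buildRenderChildrenClosure(),
            $this->renderingContext
        );
    }

    /**
     * Static counterpart of render().
     *
     * Strings and objects exposing __toString() are rawurlencode()d. Any other
     * value (null, non-string scalars, arrays, objects without __toString())
     * is returned unchanged. Because $escapeOutput is disabled, an unchanged
     * value is emitted without HTML escaping; that is why stringable objects
     * are explicitly converted and encoded here instead of being passed through
     * raw.
     *
     * @param array $arguments view helper arguments; only 'value' is read
     * @param \Closure $renderChildrenClosure renders the tag content, called when 'value' is null
     * @param RenderingContextInterface $renderingContext current rendering context (not used here)
     *
     * @return mixed the rawurlencode()d string, or the original value if it is not string-like
     */
    public static function renderStatic(array $arguments, \Closure $renderChildrenClosure, RenderingContextInterface $renderingContext)
    {
        $value = $arguments['value'];

        if ($value === null) {
            $value = $renderChildrenClosure();
        }
        // An object with __toString() carries text that may originate from
        // untrusted input; encode it like a string rather than returning it raw.
        if (is_object($value) && method_exists($value, '__toString')) {
            $value = (string)$value;
        }
        if (!is_string($value)) {
            return $value;
        }
        return rawurlencode($value);
    }
}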