mirror of
https://github.com/postfixadmin/postfixadmin.git
synced 2024-09-20 03:36:20 +02:00
PFASmarty class
This commit is contained in:
parent
d146f51feb
commit
01c8b14a44
91
lib/PFASmarty.php
Normal file
91
lib/PFASmarty.php
Normal file
@ -0,0 +1,91 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
|
||||
*/
|
||||
class PFASmarty {
|
||||
|
||||
/**
|
||||
* @var Smarty
|
||||
*/
|
||||
protected $template = null;
|
||||
|
||||
/**
|
||||
* @param string $template_theme
|
||||
*/
|
||||
public function __construct($template_theme = 'default') {
|
||||
$this->template = new Smarty();
|
||||
|
||||
//$this->template->debugging = true;
|
||||
if($template_theme == 'default') {
|
||||
$this->template->setTemplateDir(dirname(__FILE__) . '/../templates');
|
||||
}
|
||||
else {
|
||||
$this->template->setTemplateDir(dirname(__FILE__) . '/../templates/'. $template_theme);
|
||||
}
|
||||
|
||||
// if it's not present or writeable, smarty should just not cache.
|
||||
$templates_c = dirname(__FILE__) . '/../templates_c';
|
||||
if (is_dir($templates_c) && is_writeable($templates_c)) {
|
||||
$this->template->setCompileDir($templates_c);
|
||||
} else {
|
||||
# unfortunately there's no sane way to just disable compiling of templates
|
||||
clearstatcache(); // just incase someone just fixed it; on their next refresh it should work.
|
||||
error_log("ERROR: directory $templates_c doesn't exist or isn't writeable for the webserver");
|
||||
die("ERROR: the templates_c directory doesn't exist or isn't writeable for the webserver");
|
||||
}
|
||||
|
||||
$this->template->setConfigDir(dirname(__FILE__) . '/../configs');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $key
|
||||
* @param mixed $value
|
||||
* @param bool $sanitise
|
||||
*/
|
||||
public function assign($key, $value, $sanitise = true) {
|
||||
$this->template->assign("RAW_$key", $value);
|
||||
if ($sanitise == false) {
|
||||
return $this->template->assign($key, $value);
|
||||
}
|
||||
$clean = $this->sanitise($value);
|
||||
/* we won't run the key through sanitise() here... some might argue we should */
|
||||
return $this->template->assign($key, $clean);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return void
|
||||
* @param string $template
|
||||
*/
|
||||
public function display($template) {
|
||||
header("Expires: Sun, 16 Mar 2003 05:00:00 GMT");
|
||||
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
|
||||
header("Cache-Control: no-store, no-cache, must-revalidate");
|
||||
header("Cache-Control: post-check=0, pre-check=0", false);
|
||||
header("Pragma: no-cache");
|
||||
header("Content-Type: text/html; charset=UTF-8");
|
||||
|
||||
$this->template->display($template);
|
||||
unset($_SESSION['flash']); # cleanup flash messages
|
||||
}
|
||||
/**
|
||||
* Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
|
||||
*
|
||||
* @param mixed $data - array or primitive type; objects not supported.
|
||||
* @return mixed $data
|
||||
* */
|
||||
public function sanitise($data) {
|
||||
if (!is_array($data)) {
|
||||
return htmlentities($data, ENT_QUOTES, 'UTF-8', false);
|
||||
}
|
||||
if (is_array($data)) {
|
||||
$clean = array();
|
||||
foreach ($data as $key => $value) {
|
||||
/* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
|
||||
$clean[$this->sanitise($key)] = $this->sanitise($value);
|
||||
}
|
||||
return $clean;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user