mirror/postfixadmin
0
0
Fork 0
mirror of https://github.com/postfixadmin/postfixadmin.git synced 2024-09-20 03:36:20 +02:00
Code
a93d63a692
postfixadmin/smarty.inc.php
Christian Boltz a93d63a692 smarty.inc.php: interface cleanup etc. 
- move initialisation of $smarty->template_dir, compile_dir and 
  config_dir into __construct() of PFASmarty class
- remove usage of /tmp/postfixadmin_templates_c/ to avoid security
  risks (symlink attacks etc.)
- remove __set, __get and __call from PFASmarty class to ensure we
  have a clearly documented interface to the template layer
- whitespace changes (mostly in select_options())
- added vim: line

See also the discussion about the r949 commit in postfixadmin-devel
for details.


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@957 a1433add-5e2c-0410-b055-b7f2511e0802
2011-02-13 22:15:22 +00:00

100 lines
3.3 KiB
PHP
Raw Blame History

<?php
require_once ("$incpath/smarty/libs/Smarty.class.php");
/**
* Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
*/
class PFASmarty {
protected $template = null;
public function __construct() {
$this->template = new Smarty();
//$smarty->debugging = true;
$incpath = dirname(__FILE__);
$smarty->template_dir = $incpath.'/templates';
$smarty->compile_dir = $incpath.'/templates_c';
$smarty->config_dir = $incpath.'/'.$smarty->config_dir;
}
public function assign($key, $value, $sanitise = true) {
if($sanitise == false) {
return $this->template->assign($key, $value);
}
$clean = $this->sanitise($value);
/* we won't run the key through sanitise() here... some might argue we should */
return $this->template->assign($key, $clean);
}
public function display($template) {
$this->template->display($template);
}
/**
* Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
*
* @param mixed $data - array or primitive type; objects not supported.
* @return mixed $data
* */
public function sanitise($data) {
if(!is_array($data)) {
return htmlentities($data, ENT_QUOTES, 'UTF-8', false);
}
if(is_array($data)) {
$clean = array();
foreach($data as $key => $value) {
/* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
$clean[$this->sanitise($key)] = $this->sanitise($value);
}
return $clean;
}
}
}
$smarty = new PFASmarty();
$CONF['theme_css'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_css']);
$CONF['theme_logo'] = $CONF['postfix_admin_url'].'/'.htmlentities($CONF['theme_logo']);
$smarty->assign ('CONF', $CONF);
$smarty->assign ('PALANG', $PALANG);
$smarty->assign('url_domain', '');
//*** footer.tpl
$smarty->assign ('version', $version);
//*** menu.tpl
$smarty->assign ('boolconf_alias_domain', boolconf('alias_domain'));
$smarty->assign ('authentication_has_role', array ('global_admin' => authentication_has_role ('global-admin'), 'admin' => authentication_has_role ('admin'), 'user' => authentication_has_role ('user')));
if (authentication_has_role('global-admin'))
{
$motd_file = "motd-admin.txt";
}
else
{
$motd_file = "motd.txt";
}
$smarty->assign('motd_file', '');
if (file_exists ($CONF ['postfix_admin_path'].'/templates/'.$motd_file)) {
$smarty->assign ('motd_file', $motd_file);
}
function select_options($aValues, $aSelected)
{
$ret_val = '';
foreach ($aValues as $val)
{
$ret_val .= '<option value="'.$val.'"';
if (in_array ($val, $aSelected))
$ret_val .= ' selected="selected"';
$ret_val .= '>'.$val.'</option>';
}
return $ret_val;
}
function eval_size ($aSize)
{
if ($aSize == 0) {$ret_val = $GLOBALS ['PALANG']['pOverview_unlimited']; }
elseif ($aSize < 0) {$ret_val = $GLOBALS ['PALANG']['pOverview_disabled']; }
else {$ret_val = $aSize; }
return $ret_val;
}
/* vim: set expandtab softtabstop=4 tabstop=4 shiftwidth=4: */
?>
View Git Blame Copy Permalink