From c0bb885ba3b5e4a27968aa060ed122617459aa1a Mon Sep 17 00:00:00 2001
From: nevermind
Date: Wed, 29 May 2013 00:01:17 +0800
Subject: [PATCH 1/3] add "safe" modifier to skip htmlescape

---
 library/Rain/Tpl.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/library/Rain/Tpl.php b/library/Rain/Tpl.php
index acf9318..87408d1 100644
--- a/library/Rain/Tpl.php
+++ b/library/Rain/Tpl.php
@@ -121,7 +121,7 @@ public function draw($templateFilePath, $toString = FALSE) {
 extract($this->var);
 // Merge local and static configurations
 $this->config = $this->objectConf + static::$conf;
-
+
 ob_start();
 require $this->checkTemplate($templateFilePath);
 $html = ob_get_clean();
@@ -533,9 +533,9 @@ protected function compileTemplate($code, $isString, $templateBasedir, $template
 //get the included template
 $includeTemplate = $actualFolder . $this->varReplace($matches[1], $loopLevel);
- // reduce the path
+ // reduce the path
 $includeTemplate = Tpl::reducePath( $includeTemplate );
-
+
 //dynamic include
 $parsedCode .= 'checkTemplate("' . $includeTemplate . '");?>';
@@ -695,7 +695,7 @@ protected function compileTemplate($code, $isString, $templateBasedir, $template
 }
 // registered tags
 else {
-
+
 $found = FALSE;
 foreach (static::$registered_tags as $tags => $array) {
 if (preg_match_all('/' . $array['parse'] . '/', $html, $matches)) {
@@ -764,6 +764,12 @@ protected function varReplace($html, $loopLevel = NULL, $escape = TRUE, $echo =
 $html = str_replace($matches[0][$i], $rep, $html);
 }
+ // add "safe" modifier to skip html escaping
+ if(preg_match('/\|safe$/', $html) || preg_match('/\|safe\|/', $html)) {
+ $escape = false;
+ $html = preg_replace(array('/\|safe\|/', '/\|safe$/'), array('|', ''), $html);
+ }
+
 // update modifier
 $html = $this->modifierReplace($html);
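Review bot: The new `|safe` branch is the one place in the escaping pipeline where a template author can switch auto-escaping off, and the comment `// add "safe" modifier to skip html escaping` says nothing about what the author then takes responsibility for, so readers will treat `|safe` as a generic "render HTML" switch. I would replace that comment with `// "|safe" drops auto_escape for this one expression: the value is output verbatim, so it must already be escaped for the HTML context it lands in (text, attribute, script/URL) or come from a trusted source, never straight from request input.` As a point of style, the two `preg_match` calls can collapse into a single anchor, `if (preg_match('/\|safe(\||$)/', $html)) {`, which keeps the detection in step with the `preg_replace` that strips the modifier. varReplace starts before this hunk and continues after it.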
@@ -790,7 +796,7 @@ protected function conReplace($html) {
 }
 protected function modifierReplace($html) {
-
+
 $this->blackList($html);
 if (strpos($html,'|') !== false && substr($html,strpos($html,'|')+1,1) != "|") {
 preg_match('/([\$a-z_A-Z0-9\(\),\[\]"->]+)\|([\$a-z_A-Z0-9\(\):,\[\]"->]+)/i', $html,$result);

From 8ea311a567be56df0e15ad1c8015c0a05f17ac25 Mon Sep 17 00:00:00 2001
From: nevermind
Date: Wed, 29 May 2013 11:49:15 +0800
Subject: [PATCH 2/3] Only check safe modifier when necessary

---
 library/Rain/Tpl.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/Rain/Tpl.php b/library/Rain/Tpl.php
index 87408d1..17f54ca 100644
--- a/library/Rain/Tpl.php
+++ b/library/Rain/Tpl.php
@@ -765,7 +765,7 @@ protected function varReplace($html, $loopLevel = NULL, $escape = TRUE, $echo =
 }
 // add "safe" modifier to skip html escaping
- if(preg_match('/\|safe$/', $html) || preg_match('/\|safe\|/', $html)) {
+ if($this->config['auto_escape'] && $escape && !preg_match('/\$.*=.*/', $html) && (preg_match('/\|safe$/', $html) || preg_match('/\|safe\|/', $html))) {
 $escape = false;
 $html = preg_replace(array('/\|safe\|/', '/\|safe$/'), array('|', ''), $html);
 }

From 619ac4ad02b8e4d43def28997cff79ca9b389725 Mon Sep 17 00:00:00 2001
From: nevermind
Date: Thu, 20 Jun 2013 20:09:58 +0800
Subject: [PATCH 3/3] let the statement if does not initialize a value, e.g. {$a = 1} more specific

---
 library/Rain/Tpl.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/Rain/Tpl.php b/library/Rain/Tpl.php
index 17f54ca..b060bda 100644
--- a/library/Rain/Tpl.php
+++ b/library/Rain/Tpl.php
@@ -774,7 +774,7 @@ protected function varReplace($html, $loopLevel = NULL, $escape = TRUE, $echo =
 $html = $this->modifierReplace($html);
 // if does not initialize a value, e.g. {$a = 1}
- if (!preg_match('/\$.*=.*/', $html)) {
+ if (!preg_match('/\$.*[^<>=!]=[^>].*/', $html)) {
 // escape character
 if ($this->config['auto_escape'] && $escape)
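Review bot: With the gating added on the new `if` line of the `@@ -765` hunk, a `|safe` that is not stripped stays in `$html` and is handed to `modifierReplace()`, whose `([...])\|([...])` pattern in the earlier hunk presumably rewrites it into a `safe(...)` call, so a template using `|safe` would break whenever `auto_escape` is off, `$escape` is already false, or the expression contains an `=`, instead of the modifier being a harmless no-op. Those conditions only matter for the `$escape = false` assignment, and even there they change nothing visible (the later hunk already skips escaping for expressions matching the assignment pattern, and `false` is a no-op when escaping is already off, assuming `$escape` has no other use further down), so the patch-1 condition `if(preg_match('/\|safe$/', $html) || preg_match('/\|safe\|/', $html)) {` is the one to keep, or the single `if (preg_match('/\|safe(\||$)/', $html)) {` if the regex cost is the concern. Note also that `/\$.*=.*/` matches an `=` anywhere in the expression, including inside a quoted modifier argument such as `{$x|replace:"a=b":""}`, so such expressions would keep the literal `|safe` text as well. varReplace starts before this hunk and continues after it.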