5 * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
6 * @link http://www.pradosoft.com/
7 * @copyright Copyright © 2005-2013 PradoSoft
8 * @license http://www.pradosoft.com/license/
9 * @version $Id: TSafeHtml.php 3245 2013-01-07 20:23:32Z ctrlaltca $
10 * @package System.Web.UI.WebControls
16 * TSafeHtml is a control that strips down all potentially dangerous
17 * HTML content. It is mainly a wrapper of {@link http://pear.php.net/package/SafeHTML SafeHTML}
18 * project. According to the SafeHTML project, it tries to guard against
19 * the following situations when the string is displayed to end-users:
20 * - Opening tag without its closing tag
21 * - Closing tag without its opening tag
22 * - any of these tags: base, basefont, head, html, body, applet, object,
23 * iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link,
24 * meta, style, title, blink, xml, etc.
25 * - any of these attributes: on*, data*, dynsrc
26 * - javascript:/vbscript:/about: etc. protocols
27 * - expression/behavior etc. in styles
28 * - any other active content.
30 * To use TSafeHtml, simply enclose the content to be secured within
31 * the body of TSafeHtml in a template.
33 * If the content is encoded in UTF-7, you'll need to enable the {@link setRepackUTF7 RepackUTF7} property
34 * to ensure the content gets parsed correctly.
36 * @author Wei Zhuo <weizhuo[at]gmail[dot]com>
37 * @version $Id: TSafeHtml.php 3245 2013-01-07 20:23:32Z ctrlaltca $
38 * @package System.Web.UI.WebControls
41 class TSafeHtml extends TControl
/**
 * Sets whether the content should be repacked as UTF-7 before it is parsed.
 * The flag is kept in view state and is later handed to the SafeHtml parser
 * as its second argument. Defaults to false.
 * @param boolean whether to repack the content as UTF-7 before parsing
 */
public function setRepackUTF7($value)
{
    // Normalise to a real boolean so view state never holds "1"/"true" strings.
    $repack = TPropertyValue::ensureBoolean($value);
    $this->setViewState('RepackUTF7', $repack, false);
}
/**
 * Returns whether the content is repacked as UTF-7 before parsing.
 * Reads the RepackUTF7 view state entry; yields false when it was never set.
 * @return boolean whether to parse the contents as UTF-7. Defaults to false.
 */
public function getRepackUTF7()
{
    $default = false;
    return $this->getViewState('RepackUTF7', $default);
}
/**
 * Renders the body content through the SafeHtml filter.
 * The children are rendered into a separate HTML writer backed by a
 * TTextWriter; only the filtered result of that buffer is written to the
 * real writer, so no unfiltered body markup reaches the response through
 * this method. Anything a subclass writes to $writer directly, outside
 * parent::render(), does not pass through the filter.
 * @param THtmlWriter writer the output writer that receives the filtered content
 */
public function render($writer)
{
    $buffer = new TTextWriter();
    $writerType = $this->getResponse()->getHtmlWriterType();
    $bufferedWriter = Prado::createComponent($writerType, $buffer);

    // Render the children into the buffer rather than into the response.
    parent::render($bufferedWriter);

    $filtered = $this->parseSafeHtml($bufferedWriter->flush());
    $writer->write($filtered);
}
/**
 * Filters HTML content through the bundled SafeHtml parser.
 * The RepackUTF7 property is forwarded as the parser's second argument so
 * the parser handles UTF-7 encoded input according to that setting.
 * @param string HTML content to filter
 * @return string the filtered HTML, as returned by the parser
 */
protected function parseSafeHtml($text)
{
    $parser = Prado::createComponent('System.3rdParty.SafeHtml.TSafeHtmlParser');
    $repackUtf7 = $this->getRepackUTF7();
    return $parser->parse($text, $repackUtf7);
}