
Merge branch 'security/escaper-usage'
Fixes a number of components that were not using Zend\Escaper to escape HTML,
HTML attributes, and/or URLs.
Showing 1 changed file with 40 additions and 6 deletions.
46 changes: 40 additions & 6 deletions src/Uri.php
Expand Up @@ -10,6 +10,7 @@

namespace Zend\Uri;

use Zend\Escaper\Escaper;
use Zend\Validator;

/**
Expand Down Expand Up @@ -125,6 +126,11 @@ class Uri implements UriInterface
*/
protected static $defaultPorts = array();

/**
* @var Escaper
*/
protected static $escaper;

/**
* Create a new URI object
*
Expand Down Expand Up @@ -152,6 +158,31 @@ public function __construct($uri = null)
}
}

/**
* Set Escaper instance
*
* @param Escaper $escaper
*/
public static function setEscaper(Escaper $escaper)
{
static::$escaper = $escaper;
}

/**
* Retrieve Escaper instance
*
* Lazy-loads one if none provided
*
* @return Escaper
*/
public static function getEscaper()
{
if (null === static::$escaper) {
static::setEscaper(new Escaper());
}
return static::$escaper;
}

/**
* Check if the URI is valid
*
Expand Down Expand Up @@ -935,8 +966,9 @@ public static function encodeUserInfo($userInfo)
}

$regex = '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:]|%(?![A-Fa-f0-9]{2}))/';
$replace = function($match) {
return rawurlencode($match[0]);
$escaper = static::getEscaper();
$replace = function ($match) use ($escaper) {
return $escaper->escapeUrl($match[0]);
};

return preg_replace_callback($regex, $replace, $userInfo);
Expand All @@ -962,8 +994,9 @@ public static function encodePath($path)
}

$regex = '/(?:[^' . self::CHAR_UNRESERVED . ':@&=\+\$,\/;%]+|%(?![A-Fa-f0-9]{2}))/';
$replace = function($match) {
return rawurlencode($match[0]);
$escaper = static::getEscaper();
$replace = function ($match) use ($escaper) {
return $escaper->escapeUrl($match[0]);
};

return preg_replace_callback($regex, $replace, $path);
Expand All @@ -990,8 +1023,9 @@ public static function encodeQueryFragment($input)
}

$regex = '/(?:[^' . self::CHAR_UNRESERVED . self::CHAR_SUB_DELIMS . '%:@\/\?]+|%(?![A-Fa-f0-9]{2}))/';
$replace = function($match) {
return rawurlencode($match[0]);
$escaper = static::getEscaper();
$replace = function ($match) use ($escaper) {
return $escaper->escapeUrl($match[0]);
};

return preg_replace_callback($regex, $replace, $input);
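Review bot: The `@var Escaper` docblock on the new `$escaper` property is inaccurate, because the property holds null until `getEscaper()` lazily constructs an instance (the `null === static::$escaper` check depends on that); `@var Escaper|null` would match the code. The `setEscaper()` docblock should also say that the property is static and therefore shared by every `Uri` instance and subclass in the process, so an escaper injected for one component changes how user info, path and query/fragment are percent-encoded everywhere, and that there is no way to revert to the lazily created default once set since the parameter is typed `Escaper`. The three closures in `encodeUserInfo()`, `encodePath()` and `encodeQueryFragment()` are identical, so a single protected static helper taking the match array would remove the duplication; the bodies of those three methods begin before their hunks. If `Escaper::escapeUrl()` is, as I recall, a wrapper around `rawurlencode()`, the output is unchanged; a unit test pinning the three `encode*()` results for a string of reserved characters against the previous `rawurlencode()` output would make that guarantee explicit rather than implicit.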
