diff options
author | Aleksander Machniak <alec@alec.pl> | 2013-05-01 03:36:46 -0700 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2013-05-01 03:36:46 -0700 |
commit | 06c2d0add5cd5d6bb531bba9480039e96f98f2a2 (patch) | |
tree | 27cc9827bf2942306e04a0300c9e39c765dec04b | |
parent | 969cb03f9a3aa9496da68cff53fedce79acc1071 (diff) | |
parent | de6585eb771ef6a7e7a98c9a9b011da34cbf05b0 (diff) |
Merge pull request #67 from andywer/master
Replaced nasty eval() code
-rw-r--r-- | program/include/rcmail_output_html.php | 38 |
1 files changed, 23 insertions, 15 deletions
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index d8996edbf..0fba66080 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -731,14 +731,13 @@ class rcmail_output_html extends rcmail_output /** * Determines if a given condition is met * - * @todo Get rid off eval() once I understand what this does. * @todo Extend this to allow real conditions, not just "set" * @param string Condition statement * @return boolean True if condition is met, False if not */ protected function check_condition($condition) { - return eval("return (".$this->parse_expression($condition).");"); + return $this->eval_expression($condition); } @@ -760,14 +759,11 @@ class rcmail_output_html extends rcmail_output /** - * Parses expression and replaces variables - * + * Parse & evaluate a given expression and return its result. * @param string Expression statement - * @return string Expression value */ - protected function parse_expression($expression) - { - return preg_replace( + protected function eval_expression ($expression) { + $expression = preg_replace( array( '/session:([a-z0-9_]+)/i', '/config:([a-z0-9_]+)(:([a-z0-9_]+))?/i', @@ -779,14 +775,27 @@ class rcmail_output_html extends rcmail_output ), array( "\$_SESSION['\\1']", - "\$this->app->config->get('\\1',rcube_utils::get_boolean('\\3'))", - "\$this->env['\\1']", + "\$app->config->get('\\1',rcube_utils::get_boolean('\\3'))", + "\$env['\\1']", "rcube_utils::get_input_value('\\1', rcube_utils::INPUT_GPC)", "\$_COOKIE['\\1']", - "\$this->browser->{'\\1'}", + "\$browser->{'\\1'}", $this->template_name, ), - $expression); + $expression + ); + + $fn = create_function('$app,$browser,$env', "return ($expression);"); + if(!$fn) { + rcube::raise_error(array( + 'code' => 505, + 'type' => 'php', + 'file' => __FILE__, + 'line' => __LINE__, + 'message' => "Expression parse error on: ($expression)"), true, false); + } + + return $fn($this->app, $this->browser, $this->env); } @@ -839,7 +848,7 @@ class rcmail_output_html extends rcmail_output // show a label case 'label': if ($attrib['expression']) - $attrib['name'] = eval("return " . $this->parse_expression($attrib['expression']) .";"); + $attrib['name'] = $this->eval_expression($attrib['expression']); if ($attrib['name'] || $attrib['command']) { // @FIXME: 'noshow' is useless, remove? @@ -971,8 +980,7 @@ class rcmail_output_html extends rcmail_output // return code for a specified eval expression case 'exp': - $value = $this->parse_expression($attrib['expression']); - return eval("return html::quote($value);"); + return html::quote( $this->eval_expression($attrib['expression']) ); // return variable case 'var': |