diff options
| author | thomascube <thomas@roundcube.net> | 2009-01-22 14:47:23 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2009-01-22 14:47:23 +0000 |
| commit | aa055c931a68547763f7bb89425a08e8ceecb749 (patch) | |
| tree | ece66b96ce0bc8c1f892f6c620a32c93f5df621f /program/include/rcube_string_replacer.php | |
| parent | 4f27148d400661c81005b496ac7c05b6c6ed9483 (diff) | |
Get rid of vulnerable preg_replace eval and create_function (#1485686) + correctly handle base and link tags in html messages
Diffstat (limited to 'program/include/rcube_string_replacer.php')
| -rw-r--r-- | program/include/rcube_string_replacer.php | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/program/include/rcube_string_replacer.php b/program/include/rcube_string_replacer.php new file mode 100644 index 000000000..fe082a583 --- /dev/null +++ b/program/include/rcube_string_replacer.php @@ -0,0 +1,116 @@ +<?php + +/* + +-----------------------------------------------------------------------+ + | program/include/rcube_string_replacer.php | + | | + | This file is part of the RoundCube Webmail client | + | Copyright (C) 2009, RoundCube Dev. - Switzerland | + | Licensed under the GNU GPL | + | | + | PURPOSE: | + | Handle string replacements based on preg_replace_callback | + | | + +-----------------------------------------------------------------------+ + | Author: Thomas Bruederli <roundcube@gmail.com> | + +-----------------------------------------------------------------------+ + + $Id: $ + +*/ + + +/** + * Helper class for string replacements based on preg_replace_callback + * + * @package Core + */ +class rcube_string_replacer +{ + public static $pattern = '/##str_replacement\[([0-9]+)\]##/'; + + private $values = array(); + + + /** + * Add a string to the internal list + * + * @param string String value + * @return int Index of value for retrieval + */ + public function add($str) + { + $i = count($this->values); + $this->values[$i] = $str; + return $i; + } + + /** + * Build replacement string + */ + public function get_replacement($i) + { + return '##str_replacement['.$i.']##'; + } + + /** + * Callback function used to build HTML links around URL strings + * + * @param array Matches result from preg_replace_callback + * @return int Index of saved string value + */ + public function link_callback($matches) + { + $i = -1; + $scheme = strtolower($matches[1]); + + if ($scheme == 'http' || $scheme == 'https' || $scheme == 'ftp') { + $url = $matches[1] . '://' . $matches[2]; + $i = $this->add(html::a(array('href' => $url, 'target' => "_blank"), Q($url))); + } + else if ($matches[2] == 'www.') { + $url = $matches[2] . $matches[3]; + $i = $this->add($matches[1] . html::a(array('href' => 'http://' . $url, 'target' => "_blank"), Q($url))); + } + + return $i >= 0 ? $this->get_replacement($i) : ''; + } + + /** + * Callback function used to build mailto: links around e-mail strings + * + * @param array Matches result from preg_replace_callback + * @return int Index of saved string value + */ + public function mailto_callback($matches) + { + $i = $this->add(html::a(array( + 'href' => 'mailto:' . $matches[1], + 'onclick' => "return ".JS_OBJECT_NAME.".command('compose','".JQ($matches[1])."',this)", + ), + Q($matches[1]))); + + return $i >= 0 ? $this->get_replacement($i) : ''; + } + + /** + * Look up the index from the preg_replace matches array + * and return the substitution value. + * + * @param array Matches result from preg_replace_callback + * @return string Value at index $matches[1] + */ + public function replace_callback($matches) + { + return $this->values[$matches[1]]; + } + + /** + * Replace substituted strings with original values + */ + public function resolve($str) + { + return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str); + } + +}
\ No newline at end of file |