X-Git-Url: https://git.cyclocoop.org/?a=blobdiff_plain;f=includes%2FXml.php;h=c356c6db61973ee4e63048f43cfd7dd1abf810f6;hb=540608c8ddc2f57f64e1241b14a560c577b0a4b1;hp=78b87159216d6f121feca4c850756bcf0e945363;hpb=4ff8136807530b8970db51e25c3565f006b8a902;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Xml.php b/includes/Xml.php
index 78b8715921..c356c6db61 100644
--- a/includes/Xml.php
+++ b/includes/Xml.php
@@ -703,13 +703,15 @@ class Xml {
 /**
 * Check if a string is well-formed XML.
 * Must include the surrounding tag.
+ * This function is a DoS vector if an attacker can define
+ * entities in $text.
 *
 * @param string $text String to test.
 * @return bool
 *
 * @todo Error position reporting return
 */
- public static function isWellFormed( $text ) {
+ private static function isWellFormed( $text ) {
 $parser = xml_parser_create( "UTF-8" );
 
 # case folding violates XML standard, turn it off
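Review bot: The docblock sentence added to `isWellFormed()` warns of a DoS vector but does not say what a caller has to guarantee, so whoever adds the next call inside `Xml` has nothing concrete to check against. I would follow it with the precondition, for example ` * Callers must never pass text in which an attacker controls a DOCTYPE or entity declaration.`, and name the cause (presumably entity expansion while parsing) so the warning is searchable. Narrowing `public static` to `private static` also breaks any caller outside the class without a deprecation step; that looks intentional, but it belongs in the commit message or release notes. The function body continues past the end of this hunk, so whether the parser itself is hardened cannot be judged from these lines.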
@@ -869,112 +871,6 @@ class Xml {
 }
 }
 
-class XmlSelect {
- protected $options = array();
- protected $default = false;
- protected $attributes = array();
-
- public function __construct( $name = false, $id = false, $default = false ) {
- if ( $name ) {
- $this->setAttribute( 'name', $name );
- }
-
- if ( $id ) {
- $this->setAttribute( 'id', $id );
- }
-
- if ( $default !== false ) {
- $this->default = $default;
- }
- }
-
- /**
- * @param string $default
- */
- public function setDefault( $default ) {
- $this->default = $default;
- }
-
- /**
- * @param string $name
- * @param array $value
- */
- public function setAttribute( $name, $value ) {
- $this->attributes[$name] = $value;
- }
-
- /**
- * @param string $name
- * @return array|null
- */
- public function getAttribute( $name ) {
- if ( isset( $this->attributes[$name] ) ) {
- return $this->attributes[$name];
- } else {
- return null;
- }
- }
-
- /**
- * @param string $name
- * @param bool $value
- */
- public function addOption( $name, $value = false ) {
- // Stab stab stab
- $value = $value !== false ? $value : $name;
-
- $this->options[] = array( $name => $value );
- }
-
- /**
- * This accepts an array of form
- * label => value
- * label => ( label => value, label => value )
- *
- * @param array $options
- */
- public function addOptions( $options ) {
- $this->options[] = $options;
- }
-
- /**
- * This accepts an array of form
- * label => value
- * label => ( label => value, label => value )
- *
- * @param array $options
- * @param bool $default
- * @return string
- */
- static function formatOptions( $options, $default = false ) {
- $data = '';
-
- foreach ( $options as $label => $value ) {
- if ( is_array( $value ) ) {
- $contents = self::formatOptions( $value, $default );
- $data .= Html::rawElement( 'optgroup', array( 'label' => $label ), $contents ) . "\n";
- } else {
- $data .= Xml::option( $label, $value, $value === $default ) . "\n";
- }
- }
-
- return $data;
- }
-
- /**
- * @return string
- */
- public function getHTML() {
- $contents = '';
-
- foreach ( $this->options as $options ) {
- $contents .= self::formatOptions( $options, $this->default );
- }
-
- return Html::rawElement( 'select', $this->attributes, rtrim( $contents ) );
- }
-}
-
 /**
 * A wrapper class which causes Xml::encodeJsVar() and Xml::encodeJsCall() to
 * interpret a given string as being a JavaScript expression, instead of string