/vendor/nooku/libraries/koowa/template/filter/form.php
PHP | 178 lines | 80 code | 19 blank | 79 comment | 4 complexity | b69ff4b3a9df2952600b963b28807051 MD5 | raw file
Possible License(s): GPL-2.0, LGPL-2.1
- <?php
- /**
- * @version $Id: form.php 4628 2012-05-06 19:56:43Z johanjanssens $
- * @package Koowa_Template
- * @subpackage Filter
- * @copyright Copyright (C) 2007 - 2012 Johan Janssens. All rights reserved.
- * @license GNU GPLv3 <http://www.gnu.org/licenses/gpl.html>
- * @link http://www.nooku.org
- */
- /**
- * Template write filter to handle form html elements
- *
- * For forms that use a post method this filter adds a token to prevent CSRF. For forms
- * that use a get method this filter adds the action url query params as hidden fields
- * to comply with the html form standard.
- *
- * @author Johan Janssens <johan@nooku.org>
- * @package Koowa_Template
- * @subpackage Filter
- * @see http://www.w3.org/TR/html401/interact/forms.html#h-17.13.3.4
- */
- class KTemplateFilterForm extends KTemplateFilterAbstract implements KTemplateFilterWrite
- {
- /**
- * The form token value
- *
- * @var string
- */
- protected $_token_value;
-
- /**
- * The form token name
- *
- * @var string
- */
- protected $_token_name;
-
- /**
- * Constructor.
- *
- * @param object An optional KConfig object with configuration options
- */
- public function __construct( KConfig $config = null)
- {
- parent::__construct($config);
-
- $this->_token_value = $config->token_value;
- $this->_token_name = $config->token_name;
- }
-
- /**
- * Initializes the options for the object
- *
- * Called from {@link __construct()} as a first step of object instantiation.
- *
- * @param object An optional KConfig object with configuration options
- * @return void
- */
- protected function _initialize(KConfig $config)
- {
- $config->append(array(
- 'token_value' => '',
- 'token_name' => '_token',
- ));
- parent::_initialize($config);
- }
-
- /**
- * Get the session token value.
- *
- * If a token isn't set yet one will be generated. Tokens are used to secure forms
- * from spamming attacks. Once a token has been generated the system will check the
- * post request to see if it is present, if not it will invalidate the session.
- *
- * @param boolean If true, force a new token to be created
- * @return string The session token
- */
- protected function _tokenValue($force = false)
- {
- return $this->_token_value;
- }
-
- /**
- * Get the session token name
- *
- * Tokens are used to secure forms from spamming attacks. Once a token
- * has been generated the system will check the post request to see if
- * it is present, if not it will invalidate the session.
- *
- * @return string The session token
- */
- protected function _tokenName()
- {
- return $this->_token_name;
- }
-
- /**
- * Add unique token field
- *
- * @param string
- * @return KTemplateFilterForm
- */
- public function write(&$text)
- {
- // All: Add the action if left empty
- if (preg_match_all('#<\s*form.*?action=""#im', $text, $matches, PREG_SET_ORDER))
- {
- $view = $this->getTemplate()->getView();
- $state = $view->getModel()->getState();
- $action = $view->getRoute(http_build_query($state->getData($state->isUnique())));
-
- foreach ($matches as $match)
- {
- $str = str_replace('action=""', 'action="'.$action.'"', $match[0]);
- $text = str_replace($match[0], $str, $text);
- }
- }
-
- // POST : Add token
- $matches = array();
- preg_match_all('/(<form.*method="post".*>)/i', $text, $matches, PREG_SET_ORDER);
-
- foreach($matches as $match)
- {
- $input = PHP_EOL.'<input type="hidden" name="'.$this->_tokenName().'" value="'.$this->_tokenValue().'" />';
- $text = str_replace($match[0], $match[0].$input, $text, $count);
- }
-
- // GET : Add token to .-koowa-grid forms
- $matches = array();
- preg_match_all('#(<\s*?form\s+?.*?class=(?:\'|")[^\'"]*?-koowa-grid.*?(?:\'|").*?)#im', $text, $matches, PREG_SET_ORDER);
-
- foreach($matches as $match)
- {
- $input = ' data-token-name="'.$this->_tokenName().'" data-token-value="'.$this->_tokenValue().'"';
- $text= str_replace($match[0], $match[0].$input, $text, $count);
- }
-
- // GET : Add query params
- $matches = array();
- if(preg_match_all('#<form.*action=".*\?(.*)".*method="get".*>#iU', $text, $matches))
- {
- foreach($matches[1] as $key => $query)
- {
- parse_str(str_replace('&', '&', $query), $query);
-
- $input = $this->_renderQuery($query);
- $text = str_replace($matches[0][$key], $matches[0][$key].$input, $text);
- }
- }
-
- return $this;
- }
-
- /**
- * Recursive function that transforms the query array into a string of input elements
- *
- * @param array Associative array of query information
- * @param string The name of the current input element
- * @return string String of the html input elements
- */
- protected function _renderQuery($query, $key = '')
- {
- $input = '';
- foreach($query as $name => $value)
- {
- $name = $key ? $key.'['.$name.']' : $name;
- if(is_array($value)) {
- $input .= $this->_renderQuery($value, $name);
- }
- else $input .= PHP_EOL.'<input type="hidden" name="'.$name.'" value="'.$value.'" />';
- }
-
- return $input;
- }
- }