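<?php

declare(strict_types=1);

namespace Mautic\FormBundle\Twig\Extension;

use Mautic\FormBundle\Helper\FormFieldHelper;
use Twig\Extension\AbstractExtension;
use Twig\TwigFunction;

/**
 * Exposes the FormFieldHelper list parsers and an attribute-value sanitiser to Twig templates.
 */
final class FormFieldExtension extends AbstractExtension
{
    /**
     * Twig functions provided by this extension.
     *
     * The three formFieldParse* functions delegate straight to FormFieldHelper; the
     * cleaner lives here because it is a security control and must be reviewable in one place.
     *
     * @return TwigFunction[]
     */
    public function getFunctions(): array
    {
        return [
            new TwigFunction('formFieldParseBooleanList', [FormFieldHelper::class, 'parseBooleanList']),
            new TwigFunction('formFieldParseList', [FormFieldHelper::class, 'parseList']),
            new TwigFunction('formFieldParseListForChoices', [FormFieldHelper::class, 'parseListForChoices']),
            new TwigFunction('formFieldCleanInputAttributes', [$this, 'cleanInputAttributes']),
        ];
    }

    /**
     * Sanitise a value that will be written into an HTML attribute (href, src, value, data-*, ...).
     *
     * The value is rejected outright (empty string returned) when it carries an inline event
     * handler ("on...=") or a javascript:/vbscript: URL scheme; otherwise it is returned
     * HTML-escaped, including both quote characters, so it cannot terminate a quoted attribute.
     *
     * Why the extra steps around the blacklist:
     *  - Entities are decoded before matching. If the check ran on the encoded text,
     *    "&#106;avascript:" or "javascript&colon;" would not match, yet the browser decodes
     *    them inside the attribute and executes the result.
     *  - ASCII controls/whitespace are stripped before matching because browsers ignore
     *    tab/newline inside a URL scheme ("java\tscript:").
     *  - htmlspecialchars() is called with ENT_QUOTES: passing ENT_SUBSTITUTE alone selects
     *    ENT_NOQUOTES, which leaves '"' unescaped and lets a value close the attribute and
     *    inject new ones (style="...", formaction="...", ...).
     *  - The output is re-encoded from the decoded form with double_encode on. Legitimate
     *    pre-encoded input ("&amp;", "&lt;") round-trips to the same output; attacker-supplied
     *    entities never reach the page un-escaped.
     *
     * The "on...=" pattern is deliberately broad (it also rejects e.g. "button=" or "version = 1");
     * a false positive fails closed, which is the acceptable direction for this control.
     *
     * @param string $value raw attribute value from the form definition
     *
     * @return string the escaped value, or '' when the value was deemed dangerous
     */
    public function cleanInputAttributes(string $value): string
    {
        // Normalise to what the browser will actually see before inspecting it.
        $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        // Drop C0 controls, space and DEL so scheme/attribute names cannot be split with
        // characters the browser ignores. preg_replace() returns null on a PCRE error;
        // fail closed in that case.
        $probe = preg_replace('/[\x00-\x20\x7F]+/', '', $decoded);
        if (null === $probe) {
            return '';
        }

        // Whitespace is already gone from $probe, so "on<name> =" has collapsed to "on<name>=".
        // preg_match() returns false on error; anything other than "no match" rejects.
        if (0 !== preg_match('/(on[A-Za-z]*=|(?:javascript|vbscript):)/i', $probe)) {
            return '';
        }

        // Escape &, <, >, " and ' for the attribute context. Invalid UTF-8 is replaced
        // (ENT_SUBSTITUTE) rather than turning the whole value into an empty string.
        return htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}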