";
}
/**
* Handles tooltips via the wz_tooltip class from Walter Zorn
*
* @param string $text text or html for the tooltip, all chars allowed, they will be quoted approperiate
* @param boolean $do_lang (default False) should the text be run though lang()
* @param array $options param/value pairs, eg. 'TITLE' => 'I am the title'. Some common parameters:
* title (string) gives extra title-row, width (int,'auto') , padding (int), above (bool), bgcolor (color), bgimg (URL)
* For a complete list and description see http://www.walterzorn.com/tooltip/tooltip_e.htm
* @param boolean $return_as_attributes true to return array(onmouseover, onmouseout) attributes
* @return string|array to be included in any tag, like 'checkbox_multiselect('$name',".array2string($key).",".array2string($arr).",$no_lang,'$options',$multiple,$selected_first,'$style')
\n"; if(is_null($enhanced)) $enhanced = (count($arr) > self::SELECT_ENHANCED_ROW_COUNT); if (!is_array($arr)) { $arr = array('no','yes'); } if ((int)$multiple <= 0) $multiple = 1; if (substr($name,-2) != '[]') { $name .= '[]'; } $base_name = substr($name,0,-2); if($enhanced) return self::select($name, $key, $arr,$no_lang,$options." style=\"$style\" ",$multiple,$enhanced); if (!is_array($key)) { // explode on ',' only if multiple values expected and the key contains just numbers and commas $key = preg_match('/^[,0-9]+$/',$key) ? explode(',',$key) : array($key); } $html = ''; $options_no_id = preg_replace('/id="[^"]+"/i','',$options); if ($selected_first) { $selected = $not_selected = array(); foreach($arr as $val => $label) { if (in_array((string)$val,$key)) { $selected[$val] = $label; } else { $not_selected[$val] = $label; } } $arr = $selected + $not_selected; } $max_len = 0; foreach($arr as $val => $label) { if (is_array($label)) { $title = $label['title']; $label = $label['label']; } else { $title = ''; } if ($label && !$no_lang) $label = lang($label); if ($title && !$no_lang) $title = lang($title); if (strlen($label) > $max_len) $max_len = strlen($label); $html .= self::label(self::checkbox($name,in_array((string)$val,$key),$val,$options_no_id. ' id="'.$base_name.'['.$val.']'.'"').self::htmlspecialchars($label), $base_name.'['.$val.']','',($title ? 'title="'.self::htmlspecialchars($title).'" ':''))."html::link(url='$url',vars='"; print_r($vars); echo "')
\n"; if (!is_array($vars)) { parse_str($vars,$vars); } list($url,$v) = explode('?', $_url); // url may contain additional vars if ($v) { parse_str($v,$v); $vars += $v; } return egw::link($url,$vars); } /** * represents html checkbox * * @param string $name name * @param boolean $checked box checked on display * @param string $value value the var should be set to, default 'True' * @param string $options attributes for the tag, default ''=none * @return string html */ static function checkbox($name,$checked=false,$value='True',$options='') { return '\n"; } /** * represents a html form * * @param string $content of the form, if '' only the opening tag gets returned * @param array $hidden_vars array with name-value pairs for hidden input fields * @param string $_url eGW relative URL, will be run through the link function, if empty the current url is used * @param string|array $url_vars parameters for the URL, send to link static function too * @param string $name name of the form, defaul ''=none * @param string $options attributes for the tag, default ''=none * @param string $method method of the form, default 'POST' * @return string html */ static function form($content,$hidden_vars,$_url,$url_vars='',$name='',$options='',$method='POST') { $url = $_url ? self::link($_url, $url_vars) : $_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']; $html = "\n"; } return $html; } /** * represents a html form with one button * * @param string $name name of the button * @param string $label label of the button * @param array $hidden_vars array with name-value pairs for hidden input fields * @param string $url eGW relative URL, will be run through the link function * @param string|array $url_vars parameters for the URL, send to link static function too * @param string $options attributes for the tag, default ''=none * @param string $form_name name of the form, defaul ''=none * @param string $method method of the form, default 'POST' * @return string html */ static function form_1button($name,$label,$hidden_vars,$url,$url_vars='',$form_name='',$method='POST') { return self::form(self::submit_button($name,$label),$hidden_vars,$url,$url_vars,$form_name,' style="display: inline-block"',$method); } const THEAD = 1; const TFOOT = 2; const TBODY = 3; static $part2tag = array( self::THEAD => 'thead', self::TFOOT => 'tfoot', self::TBODY => 'tbody', ); /** * creates table from array of rows * * abstracts the html stuff for the table creation * Example: $rows = array ( * 'h1' => array( // optional header row(s) * ), * 'f1' => array( // optional footer row(s) * ), * '1' => array( * 1 => 'cell1', '.1' => 'colspan=3', * 2 => 'cell2', * 3 => 'cell3', '.3' => 'width="10%"' * ),'.1' => 'BGCOLOR="#0000FF"' ); * table($rows,'width="100%"') = '| cell1 | cell2 | cell3 | ||
html::a_href('".self::htmlspecialchars($content)."','$url',".print_r($vars,True).") = ".self::link($url,$vars)."
"; return ''.$content.''; } /** * representates a b tab (bold) * * @param string $content of the link, if '' only the opening tag gets returned * @return string the html */ static function bold($content) { return ''.$content.''; } /** * representates a i tab (bold) * * @param string $content of the link, if '' only the opening tag gets returned * @return string the html */ static function italic($content) { return ''.$content.''; } /** * representates a hr tag (horizontal rule) * * @param string $width default ''=none given * @param string $options attributes for the tag, default ''=none * @return string the html */ static function hr($width='',$options='') { if ($width) $options .= " width=\"$width\""; return "path=$path, _selected=".print_r($_selected,true).": $entryOptions
\n"; } // highlight current item elseif ((string)$_selected === (string)$path) { $entryOptions .= ',SELECT'; } $html .= "$tree.insertNewItem('".addslashes($parentName)."','".addslashes($path)."','".addslashes($label). "',$_onNodeSelect,$image1,$image2,$image3,'$entryOptions');\n"; if (isset($data['title'])) { $html .= "$tree.setItemText('".addslashes($path)."','".addslashes($label)."','".addslashes($data['title'])."');\n"; } ++$n; } } $html .= "$tree.closeAllItems(0);\n"; if ($_selected) { foreach(is_array($_selected)?$_selected:array($_selected) as $path) { $html .= "$tree.openItem('".addslashes($path)."');\n"; } } else { $html .= "$tree.openItem('$top');\n"; } $html .= "});"; $html .= "\n"; return $html; } /** * Runs HTMLPurifier over supplied html to remove malicious code * * @param string $html * @param array|string $config =null - config to influence the behavior of current purifying engine * @param array|string $spec =null - spec to influence the behavior of current purifying engine * The $spec argument can be used to disallow an otherwise legal attribute for an element, * or to restrict the attribute's values * @param boolean $_force =null - force the config passed to be used without merging to the default */ static function purify($html,$config=null,$spec=array(),$_force=false) { $defaultConfig = array('valid_xhtml'=>1,'safe'=>1); if (empty($html)) return $html; // no need to process further if (!empty($config) && is_string($config)) { //error_log(__METHOD__.__LINE__.$config); $config = json_decode($config,true); if (is_null($config)) error_log(__METHOD__.__LINE__." decoding of config failed; standard will be applied"); } // User preferences $font = $GLOBALS['egw_info']['user']['preferences']['common']['rte_font']; $font_size = $GLOBALS['egw_info']['user']['preferences']['common']['rte_font_size']; // Check for "blank" = just user preference span - for some reason we can't match on the entity, so approximate $regex = '#^.?$#us'; if(preg_match($regex,$html)) { return ''; } $htmLawed = new egw_htmLawed(); if (is_array($config) && $_force===false) $config = array_merge($defaultConfig, $config); if (empty($config)) $config = $defaultConfig; //error_log(__METHOD__.__LINE__.array2string($config)); return $htmLawed->egw_htmLawed($html,$config,$spec); } /** * Output content headers for user-content, mitigating risk of javascript or html * * Mitigate risk of serving javascript or css from our domain, * which will get around same origin policy and CSP! * * Mitigate risk of html downloads by using CSP or force download for IE * * @param resource|string &$content content might be changed by this call * @param string $path filename or path for content-disposition header * @param string &$mime ='' mimetype or '' (default) to detect it from filename, using mime_magic::filename2mime() * on return used, maybe changed, mime-type * @param int $length =0 content length, default 0 = skip that header * on return changed size * @param boolean $nocache =true send headers to disallow browser/proxies to cache the download * @param boolean $force_download =true send content-disposition attachment header * @param boolean $no_content_type =false do not send actual content-type and content-length header, just content-disposition */ public static function safe_content_header(&$content, $path, &$mime='', &$length=0, $nocache=true, $force_download=true, $no_content_type=false) { // mitigate risk of serving javascript or css via webdav from our domain, // which will get around same origin policy and CSP list($type, $subtype) = explode('/', strtolower($mime)); if (!$force_download && in_array($type, array('application', 'text')) && in_array($subtype, array('javascript', 'x-javascript', 'ecmascript', 'jscript', 'vbscript', 'css'))) { // unfortunatly only Chrome and IE >= 8 allow to switch content-sniffing off with X-Content-Type-Options: nosniff if (html::$user_agent == 'chrome' || html::$user_agent == 'msie' && html::$ua_version >= 8) { $mime = 'text/plain'; header('X-Content-Type-Options: nosniff'); // stop IE & Chrome from content-type sniffing } // for the rest we change mime-type to text/html and let code below handle it safely // this stops Safari and Firefox from using it as src attribute in a script tag // but only for "real" browsers, we dont want to modify data for our WebDAV clients elseif (isset($_SERVER['HTTP_REFERER'])) { $mime = 'text/html'; if (is_resource($content)) { $data = fread($content, $length); fclose($content); $content =& $data; unset($data); } $content = ''.$content;
$length += 5;
}
}
// mitigate risk of html downloads by using CSP or force download for IE
if (!$force_download && in_array($mime, array('text/html', 'application/xhtml+xml')))
{
// use CSP only for current user-agents/versions I was able to positivly test
if (html::$user_agent == 'chrome' && html::$ua_version >= 24 ||
// mobile FF 24 on Android does NOT honor CSP!
html::$user_agent == 'firefox' && !html::$ua_mobile && html::$ua_version >= 24 ||
html::$user_agent == 'safari' && !html::$ua_mobile && html::$ua_version >= 536 || // OS X
html::$user_agent == 'safari' && html::$ua_mobile && html::$ua_version >= 9537) // iOS 7
{
$csp = "script-src 'none'"; // forbid to execute any javascript
header("Content-Security-Policy: $csp");
header("X-Webkit-CSP: $csp"); // Chrome: <= 24, Safari incl. iOS
//header("X-Content-Security-Policy: $csp"); // FF <= 22
//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-Security-Policy: $csp");
}
else // everything else get's a Content-dispostion: attachment, to be on save side
{
//error_log(__METHOD__."('$options[path]') ".html::$user_agent.'/'.html::$ua_version.(html::$ua_mobile?'/mobile':'').": using Content-disposition: attachment");
$force_download = true;
}
}
if ($no_content_type)
{
if ($force_download) self::content_disposition_header(egw_vfs::basename($path), $force_download);
}
else
{
self::content_header(egw_vfs::basename($path), $mime, $length, $nocache, $force_download);
}
}
/**
* Output content-type headers for file downloads
*
* This function should only be used for non-user supplied content!
* For uploaded files, mail attachmentes, etc, you have to use safe_content_header!
*
* @author Miles Lott originally in browser class
* @param string $fn filename
* @param string $mime ='' mimetype or '' (default) to detect it from filename, using mime_magic::filename2mime()
* @param int $length =0 content length, default 0 = skip that header
* @param boolean $nocache =true send headers to disallow browser/proxies to cache the download
* @param boolean $forceDownload =true send headers to handle as attachment/download
*/
public static function content_header($fn,$mime='',$length=0,$nocache=True,$forceDownload=true)
{
// if no mime-type is given or it's the default binary-type, guess it from the extension
if(empty($mime) || $mime == 'application/octet-stream')
{
$mime = mime_magic::filename2mime($fn);
}
if($fn)
{
// Show this for all
self::content_disposition_header($fn,$forceDownload);
header('Content-type: '.$mime);
if($length)
{
header('Content-length: '.$length);
}
if($nocache)
{
header('Pragma: no-cache');
header('Pragma: public');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
}
}
}
/**
* Output content-disposition header for file downloads
*
* @param string $fn filename
* @param boolean $forceDownload =true send headers to handle as attachment/download
*/
public static function content_disposition_header($fn,$forceDownload=true)
{
if ($forceDownload===true)
{
$attachment = ' attachment;';
}
else
{
$attachment = ' inline;';
}
header('Content-disposition:'.$attachment.' filename="'.translation::to_ascii($fn).'"; filename*=utf-8\'\''.rawurlencode($fn));
}
/**
* split html by PRE tag, return array with all content pre-sections isolated in array elements
* @author Leithoff, Klaus
* @param string html
* @return mixed array of parts or unaffected html
*/
static function splithtmlByPRE($html)
{
$searchFor = '',$pos);
$length = $endofpre-$pos+6;
$html2ret[] = substr($html,$pos,$length);
$searchFor = ' stuff of the html passed in
* and remove it from input
* @author Leithoff, Klaus
* @param string html
* @return string the style css
*/
static function getStyles(&$html)
{
$ct=0;
$newStyle = null;
if (stripos($html,'(.+)#isU', $html, $newStyle);
if ($ct>0)
{
//error_log(__METHOD__.__LINE__.array2string($newStyle[0]));
$style2buffer = implode('',$newStyle[0]);
// only replace what we have found, we use it here, as we use the same routine in translation::replaceTagsCompletley
// no need to do the extra routine
$html = str_ireplace($newStyle[0],'',$html);
}
if ($style2buffer)
{
//error_log(__METHOD__.__LINE__.array2string($style2buffer));
$test = json_encode($style2buffer);
//error_log(__METHOD__.__LINE__.'#'.$test.'# ->'.strlen($style2buffer).' Error:'.json_last_error());
//if (json_last_error() != JSON_ERROR_NONE && strlen($style2buffer)>0)
if ($test=="null" && strlen($style2buffer)>0)
{
// this should not be needed, unless something fails with charset detection/ wrong charset passed
error_log(__METHOD__.__LINE__.' Found Invalid sequence for utf-8 in CSS:'.$style2buffer.' Carset Detected:'.translation::detect_encoding($style2buffer));
$style2buffer = utf8_encode($style2buffer);
}
}
$style .= $style2buffer;
// clean out comments and stuff
$search = array(
'@url\(http:\/\/[^\)].*?\)@si', // url calls e.g. in style definitions
// '@@', // Strip multi-line comments including CDATA
// '@ in stylesheet are outdated, and ck-editor does not understand it, we remove it
$css_no_comment = str_replace(array(':',''),array(': ','',''),$css);
//error_log(__METHOD__.__LINE__.$css);
// we already removed what we have found, above, as we used pretty much the same routine as in translation::replaceTagsCompletley
// no need to do the extra routine
// TODO: we may have to strip urls and maybe comments and ifs
//if (stripos($html,'style')!==false) translation::replaceTagsCompletley($html,'style'); // clean out empty or pagewide style definitions / left over tags
return $css_no_comment;
}
}
html::_init_static();