CRM_Core_Smarty_UserContentPolicy
extends AutoService
in package
Define the security-constraints to apply to user-supplied Smarty content.
At time of writing, we have a complication -- parallel support for Smarty 2/3/4/5. Each version has slightly different functionality.
To bridge the gap, we define a general policy -- and then map it into each Smarty implementation.
Table of Contents
Properties
- $allow_constants : mixed
- $allow_super_globals : mixed
- $disabled_tags : array<string|int, mixed>
  This is an array of disabled tags.
- $php_functions : array<string|int, mixed>
  This is an array of trusted PHP functions.
- $php_modifiers : array<string|int, mixed>
  This is an array of trusted PHP modifiers.
- $old_settings : mixed
Methods
- assertTagAllowed() : void
  Smarty 3+4 have an option to disable tags in secure mode, but Smarty 2 doesn't.
- create() : CRM_Core_Smarty_UserContentPolicy
- disable() : void
- enable() : void
- createSmartyPolicy2() : array<string|int, mixed>
- createSmartyPolicy34() : string
- createSmartyPolicy5() : string
Properties
$allow_constants
public mixed $allow_constants = \FALSE
$allow_super_globals
public mixed $allow_super_globals = \FALSE
$disabled_tags
This is an array of disabled tags.
public array<string|int, mixed> $disabled_tags = ['crmAPI']
If empty, no restriction is applied by disabled_tags.
$php_functions
This is an array of trusted PHP functions.
public array<string|int, mixed> $php_functions = ['array', 'list', 'isset', 'empty', 'count', 'sizeof', 'in_array', 'is_array', 'true', 'false', 'null']
If empty, all functions are allowed. To disable all PHP functions, set $php_functions = null.
$php_modifiers
This is an array of trusted PHP modifiers.
public array<string|int, mixed> $php_modifiers = ['escape', 'count', 'sizeof', 'nl2br']
If empty, all modifiers are allowed. To disable all modifiers, set $php_modifiers = null.
$old_settings
private mixed $old_settings = \NULL
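The list semantics described for $php_functions, $php_modifiers and $disabled_tags, as an added example (not CiviCRM's or Smarty's own code). The helpers isAllowed() and isTagDisabled() are hypothetical names; only the default values and the empty/null rules are taken from this page.

```php
<?php
// Added illustration: hypothetical helpers modelling the list semantics
// documented above. Not part of CRM_Core_Smarty_UserContentPolicy.

/**
 * Allow-list rule for $php_functions / $php_modifiers:
 *   NULL  => nothing is allowed
 *   []    => everything is allowed (no restriction)
 *   [...] => only the listed names are allowed
 */
function isAllowed(?array $allowList, string $name): bool {
  if ($allowList === NULL) {
    return FALSE;
  }
  if ($allowList === []) {
    return TRUE;
  }
  return in_array($name, $allowList, TRUE);
}

/** Deny-list rule for $disabled_tags: an empty list restricts nothing. */
function isTagDisabled(array $disabledTags, string $tag): bool {
  return in_array($tag, $disabledTags, TRUE);
}

// Default values copied from this page.
$phpFunctions = ['array', 'list', 'isset', 'empty', 'count', 'sizeof',
  'in_array', 'is_array', 'true', 'false', 'null'];
$phpModifiers = ['escape', 'count', 'sizeof', 'nl2br'];
$disabledTags = ['crmAPI'];

// With the defaults, only listed names pass and crmAPI is blocked.
var_dump(isAllowed($phpFunctions, 'count'));
var_dump(isAllowed($phpFunctions, 'file_get_contents'));
var_dump(isAllowed($phpModifiers, 'nl2br'));
var_dump(isTagDisabled($disabledTags, 'crmAPI'));

// Review point: "clearing" a list with [] lifts the restriction entirely;
// NULL is the value that blocks everything.
var_dump(isAllowed([], 'file_get_contents'));
var_dump(isAllowed(NULL, 'count'));
```

When reviewing a change to this policy, treat an empty array in $php_functions or $php_modifiers as a widening of the policy, not a tightening.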
Methods
assertTagAllowed()
Smarty 3+4 have an option to disable tags in secure mode, but Smarty 2 doesn't.
public static assertTagAllowed(string $tag) : void
So for any potentially-sensitive tags, we support an alternate mechanism to check access.
Parameters
- $tag : string
create()
public static create() : CRM_Core_Smarty_UserContentPolicy
Return values
CRM_Core_Smarty_UserContentPolicy
disable()
public disable() : void
enable()
public enable() : void
createSmartyPolicy2()
protected createSmartyPolicy2(mixed $smarty) : array<string|int, mixed>
Parameters
- $smarty : mixed
Return values
array<string|int, mixed>
createSmartyPolicy34()
protected createSmartyPolicy34() : string
Return values
string
createSmartyPolicy5()
protected createSmartyPolicy5() : string