author | Meik Sievertsen <acydburn@phpbb.com> | 2006-07-20 17:57:56 +0000 |
---|---|---|
committer | Meik Sievertsen <acydburn@phpbb.com> | 2006-07-20 17:57:56 +0000 |
commit | 13bf07d27532d25e6581aa1d4185d1fa4ea7e08f (patch) | |
tree | 280f521c86d7d488102122901c85f62b0477d50e /phpBB/includes | |
parent | b4d834ed09182b152cdf94c524e06ef5fed094c1 (diff) | |
another expression for grabbing php code in templates provided by david
also included "the ultimate solution" provided by ludovic (only added a check for T_OPEN_TAG_WITH_ECHO
git-svn-id: file:///svn/phpbb/trunk@6194 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes')
-rw-r--r-- | phpBB/includes/functions_template.php | 56 |
1 files changed, 55 insertions, 1 deletions
diff --git a/phpBB/includes/functions_template.php b/phpBB/includes/functions_template.php index 55cb9b1e1a..ac15244687 100644 --- a/phpBB/includes/functions_template.php +++ b/phpBB/includes/functions_template.php @@ -69,6 +69,56 @@ class template_compile } /** + * Straight-forward strategy: use PHP's tokenizer to escape everything that + * looks like a PHP tag. + * + * We open/close PHP tags at the beginning of the template to clearly indicate + * that we are in HTML mode. If we find a PHP tag, we escape it then we reiterate + * over the whole file. That can become quite slow if the file is stuffed with + * <?php tags, but there's only so much we can do. + * + * Known issue: templates need to be rechecked everytime the value of the php.ini + * settings asp_tags or short_tags are changed + */ + function remove_php_tags(&$code) + { + do + { + $tokens = token_get_all('<?php ?>' . $code); + $code = ''; + $php_found = false; + + foreach ($tokens as $i => $token) + { + if (!is_array($token)) + { + $code .= $token; + } + else if ($token[0] == T_OPEN_TAG || $token[0] == T_OPEN_TAG_WITH_ECHO || $token[0] == T_CLOSE_TAG) + { + if ($i > 1) + { + $code .= htmlspecialchars($token[1]); + $php_found = true; + } + } + else + { + $code .= $token[1]; + } + } + unset($tokens); + + // Fix for a tokenizer oddity + if (!strncmp($code, '<?php ?>', 11)) + { + $code = substr($code, 11); + } + } + while ($php_found); + } + + /** * The all seeing all doing compile method. Parts are inspired by or directly from Smarty * @access: private */ 
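Review bot: remove_php_tags() escapes only what token_get_all() recognises under the php.ini in force when the template is compiled, so a `<?` or `<%` opener that is plain text with short_open_tag or asp_tags off stays in the output and would be parsed as code if the compiled template is later included with the setting on. The docblock records this as a known issue, but nothing in the function forces the recheck; storing the two `ini_get()` values with the compiled output and recompiling on a mismatch would close it (the cache code is outside this hunk, so that is a suggestion to confirm). The docblock should also name the directive correctly: `settings asp_tags or short_open_tag are changed`. Separately, as rendered here `strncmp($code, '<?php ?>', 11)` compares 11 bytes against an 8-byte literal, so the prefix strip would almost never fire; the page may have decoded an entity in that literal, so check it against the file.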
@@ -86,9 +136,13 @@ class template_compile // php is a no-no. There is a potential issue here in that non-php // content may be removed ... however designers should use entities // if they wish to display < and > - $match_php_tags = array('#\<\?php .*?\?\>#is', '#\<script language="php"\>.*?\<\/script\>#is', '#\<\?.*?\?\>#s', '#\<%.*?%\>#s'); + $match_php_tags = array('#\<\?php.*?\?\>#is', '#<[^\w<]*(script)(((?:"[^"]*"|\'[^\']*\'|[^<>\'"])+)?(language[^<>\'"]+("[^"]*php[^"]*"|\'[^\']*php[^\']*\'))((?:"[^"]*"|\'[^\']*\'|[^<>\'"])+)?)?>.*?</script>#is', '#\<\?.*?\?\>#s', '#\<%.*?%\>#s'); $code = preg_replace($match_php_tags, '', $code); + // An alternative to the above would be calling this function which would be the ultimate solution but also has it's drawbacks. + // At the moment it is commented out until we decide which method to use. +// $this->remove_php_tags($code); + // Pull out all block/statement level elements and seperate plain text preg_match_all('#<!-- PHP -->(.*?)<!-- ENDPHP -->#s', $code, $matches); $php_blocks = $matches[1]; |
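Review bot: Every pattern in `$match_php_tags` needs a closing delimiter and `preg_replace()` makes a single pass, so an opener with no terminator before the end of the template, or a tag that only appears once a removal has joined the text around it, is still in `$code` afterwards; PHP treats end of file as an implicit close. Running the tokenizer pass after the regexes instead of leaving it commented out, `$this->remove_php_tags($code);`, would cover both cases because it loops until no tag token is left. If it stays disabled, the comment should state which cases the regexes miss rather than only "has it's drawbacks". `preg_replace()` also returns NULL on a PCRE error and the result is assigned straight back to `$code`, so a failure silently empties the template. The compile method's body starts and ends outside the hunk.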