Disallow the use of the callback filter for the url_param and form_param Twig functions

2018-02-24 14:02:59 +01:00 · 2018-02-24 14:02:59 +01:00 · 80263a91dc
commit 80263a91dc
parent 5f7b455975
1 changed files with 58 additions and 2 deletions
--- a/lib/PicoTwigExtension.php
+++ b/lib/PicoTwigExtension.php
@ -89,8 +89,8 @@ class PicoTwigExtension extends Twig_Extension
    public function getFunctions()
    {
        return array(
-            'url_param' => new Twig_SimpleFunction('url_param', array($this->pico, 'getUrlParameter')),
-            'form_param' => new Twig_SimpleFunction('form_param', array($this->pico, 'getFormParameter'))
+            'url_param' => new Twig_SimpleFunction('url_param', array($this, 'urlParamFunction')),
+            'form_param' => new Twig_SimpleFunction('form_param', array($this, 'formParamFunction'))
        );
    }

@ -281,4 +281,60 @@ class PicoTwigExtension extends Twig_Extension

        return $var;
    }
+
+    /**
+     * Filters a URL GET parameter with a specified filter
+     *
+     * The Twig function disallows the use of the `callback` filter.
+     *
+     * @see Pico::getUrlParameter()
+     *
+     * @param string                    $name    name of the URL GET parameter
+     *     to filter
+     * @param int|string                $filter  the filter to apply
+     * @param mixed|array               $options either a associative options
+     *     array to be used by the filter or a scalar default value
+     * @param int|string|int[]|string[] $flags   flags and flag strings to be
+     *     used by the filter
+     *
+     * @return mixed either the filtered data, FALSE if the filter fails, or
+     *     NULL if the URL GET parameter doesn't exist and no default value is
+     *     given
+     */
+    public function urlParamFunction($name, $filter = '', $options = null, $flags = null)
+    {
+        if (($filter === 'callback') || ($filter === FILTER_CALLBACK)) {
+            return false;
+        }
+
+        return $this->pico->getUrlParameter($name, $filter, $options, $flags);
+    }
+
+    /**
+     * Filters a HTTP POST parameter with a specified filter
+     *
+     * The Twig function disallows the use of the `callback` filter.
+     *
+     * @see Pico::getFormParameter()
+     *
+     * @param string                    $name    name of the HTTP POST
+     *     parameter to filter
+     * @param int|string                $filter  the filter to apply
+     * @param mixed|array               $options either a associative options
+     *     array to be used by the filter or a scalar default value
+     * @param int|string|int[]|string[] $flags   flags and flag strings to be
+     *     used by the filter
+     *
+     * @return mixed either the filtered data, FALSE if the filter fails, or
+     *     NULL if the HTTP POST parameter doesn't exist and no default value
+     *     is given
+     */
+    public function formParamFunction($name, $filter = '', $options = null, $flags = null)
+    {
+        if (($filter === 'callback') || ($filter === FILTER_CALLBACK)) {
+            return false;
+        }
+
+        return $this->pico->getFormParameter($name, $filter, $options, $flags);
+    }
 }