X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=lib%2Fhtmloutputter.php;h=9a43ef069efaae237df31f7b48931827ec1103ee;hb=9f75131082ad282a59bc9de1c8ad82f5e3c79956;hp=9780dc42432b87b4d04e3ced4643660e313b9652;hpb=99194e03fa50b61f99164674afc949b4bbefd44a;p=quix0rs-gnu-social.git
diff --git a/lib/htmloutputter.php b/lib/htmloutputter.php
index 9780dc4243..9a43ef069e 100644
--- a/lib/htmloutputter.php
+++ b/lib/htmloutputter.php
@@ -108,6 +108,13 @@ class HTMLOutputter extends XMLOutputter
 header('Content-Type: '.$type);
+ // Output anti-framing headers to prevent clickjacking (respected by newer
+ // browsers).
+ if (common_config('javascript', 'bustframes')) {
+ header('X-XSS-Protection: 1; mode=block'); // detect XSS Reflection attacks
+ header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
+ }
+
 $this->extraHeaders();
 if (preg_match("/.*\/.*xml/", $type)) { // Required for XML documents
@@ -119,9 +126,16 @@ class HTMLOutputter extends XMLOutputter
 $language = $this->getLanguage();
- $this->elementStart('html', array('xmlns' => 'http://www.w3.org/1999/xhtml',
- 'xml:lang' => $language,
- 'lang' => $language));
+ $attrs = array(
+ 'xmlns' => 'http://www.w3.org/1999/xhtml',
+ 'xml:lang' => $language,
+ 'lang' => $language
+ );
+
+ if (Event::handle('StartHtmlElement', array($this, &$attrs))) {
+ $this->elementStart('html', $attrs);
+ Event::handle('EndHtmlElement', array($this, &$attrs));
+ }
 }
 function getLanguage()
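Review bot: The comment above the two header() calls describes both as anti-framing headers, but X-XSS-Protection has nothing to do with framing — it toggles the browser's reflected-XSS filter — and only X-Frame-Options addresses clickjacking, so the comment misdescribes what is sent. Both headers are also gated on the JavaScript frame-busting setting `common_config('javascript', 'bustframes')`, which means an admin who switches off the script-based buster also loses the server-side X-Frame-Options protection that works without any JavaScript; a dedicated setting, or emitting X-Frame-Options unconditionally, would keep the two independent. I would reword the comment to `// X-Frame-Options blocks cross-origin framing (clickjacking); X-XSS-Protection only toggles the browser's reflected-XSS filter, a best-effort hint that several browsers have since removed` so the next maintainer does not take the XSS header for a framing control. The enclosing method continues outside this hunk.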
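Review bot: When a StartHtmlElement handler returns false, the `<html>` start tag is never written at all, while the matching end tag is presumably still emitted elsewhere (outside this hunk), so the event contract should state that a handler which suppresses the default is responsible for writing the root element itself. A one-line comment above the `if`, such as `// A plugin returning false from StartHtmlElement must emit the html element itself`, would make that explicit for plugin authors. Passing `&$attrs` by reference is a deliberate extension point for adding root-element attributes; it is worth documenting that the values still go through elementStart's normal attribute handling (its escaping is outside this hunk, so confirm before relying on it).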
@@ -163,20 +177,21 @@ class HTMLOutputter extends XMLOutputter
 * @param string $label text of label for the element
 * @param string $value value of the element, default null
 * @param string $instructions instructions for valid input
+ * @param string $name name of the element; if null, the id will
+ * be used
 *
- * @todo add a $name parameter
 * @todo add a $maxLength parameter
 * @todo add a $size parameter
 *
 * @return void
 */
- function input($id, $label, $value=null, $instructions=null)
+ function input($id, $label, $value=null, $instructions=null, $name=null)
 {
 $this->element('label', array('for' => $id), $label);
- $attrs = array('name' => $id,
- 'type' => 'text',
- 'id' => $id);
+ $attrs = array('type' => 'text',
+ 'id' => $id);
+ $attrs['name'] = is_null($name) ? $id : $name;
 if (!is_null($value)) { // value can be 0 or ''
 $attrs['value'] = $value;
 }
@@ -352,58 +367,74 @@ class HTMLOutputter extends XMLOutputter
 */
 function script($src, $type='text/javascript')
 {
- if(Event::handle('StartScriptElement', array($this,&$src,&$type))) {
+ if (Event::handle('StartScriptElement', array($this,&$src,&$type))) {
 $url = parse_url($src);
- if( empty($url['scheme']) && empty($url['host']) && empty($url['query']) && empty($url['fragment']))
- {
+ if (empty($url['scheme']) && empty($url['host']) && empty($url['query']) && empty($url['fragment'])) {
+
+ // XXX: this seems like a big assumption
+ if (strpos($src, 'plugins/') === 0 || strpos($src, 'local/') === 0) {
- $src = common_path($src) . '?version=' . STATUSNET_VERSION;
+ $src = common_path($src, StatusNet::isHTTPS()) . '?version=' . STATUSNET_VERSION;
- }else{
+ } else {
- $path = common_config('javascript', 'path');
+ if (StatusNet::isHTTPS()) {
- if (empty($path)) {
- $path = common_config('site', 'path') . '/js/';
- }
+ $sslserver = common_config('javascript', 'sslserver');
- if ($path[strlen($path)-1] != '/') {
- $path .= '/';
- }
+ if (empty($sslserver)) {
+ if (is_string(common_config('site', 'sslserver')) &&
+ mb_strlen(common_config('site', 'sslserver')) > 0) {
+ $server = common_config('site', 'sslserver');
+ } else if (common_config('site', 'server')) {
+ $server = common_config('site', 'server');
+ }
+ $path = common_config('site', 'path') . '/js/';
+ } else {
+ $server = $sslserver;
+ $path = common_config('javascript', 'sslpath');
+ if (empty($path)) {
+ $path = common_config('javascript', 'path');
+ }
+ }
- if ($path[0] != '/') {
- $path = '/'.$path;
- }
+ $protocol = 'https';
- $server = common_config('javascript', 'server');
+ } else {
- if (empty($server)) {
- $server = common_config('site', 'server');
- }
+ $path = common_config('javascript', 'path');
- $ssl = common_config('javascript', 'ssl');
+ if (empty($path)) {
+ $path = common_config('site', 'path') . '/js/';
+ }
- if (is_null($ssl)) { // null -> guess
- if (common_config('site', 'ssl') == 'always' &&
- !common_config('javascript', 'server')) {
- $ssl = true;
- } else {
- $ssl = false;
+ $server = common_config('javascript', 'server');
+
+ if (empty($server)) {
+ $server = common_config('site', 'server');
 }
+
+ $protocol = 'http';
 }
- $protocol = ($ssl) ? 'https' : 'http';
+ if ($path[strlen($path)-1] != '/') {
+ $path .= '/';
+ }
+
+ if ($path[0] != '/') {
+ $path = '/'.$path;
+ }
 $src = $protocol.'://'.$server.$path.$src . '?version=' . STATUSNET_VERSION;
 }
 }
 $this->element('script', array('type' => $type,
- 'src' => $src),
- ' ');
+ 'src' => $src),
+ ' ');
 Event::handle('EndScriptElement', array($this,$src,$type));
 }
@@ -453,7 +484,7 @@ class HTMLOutputter extends XMLOutputter
 if(file_exists(Theme::file($src,$theme))){
 $src = Theme::path($src, $theme);
 }else{
- $src = common_path($src);
+ $src = common_path($src, StatusNet::isHTTPS());
 }
 $src.= '?version=' . STATUSNET_VERSION;
 }
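Review bot: In the HTTPS branch where `javascript/sslserver` is configured, an empty `javascript/sslpath` falls back to `javascript/path`, but if that is empty too `$path` stays '' and there is no further fallback to the site js directory as the other two branches have; `$path[strlen($path)-1]` then reads offset -1 and the script ends up referenced at the server root with the js directory missing. Adding the same fallback inside that `else` after the `javascript/path` lookup, `if (empty($path)) { $path = common_config('site', 'path') . '/js/'; }`, makes the three branches consistent. Likewise in the `empty($sslserver)` branch `$server` is never assigned when neither `site/sslserver` nor `site/server` is set, which yields an `https://` URL with an empty host; a final `else` that fails loudly would make that misconfiguration visible instead of silently emitting a broken script tag. Since the purpose of this branch is to keep script URLs on https when the page is https (avoiding active mixed content), a malformed URL here quietly degrades that guarantee, so both cases are worth closing.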
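Review bot: Only the common_path() fallback on the changed line receives the `StatusNet::isHTTPS()` flag; the `Theme::path($src, $theme)` call on the line above does not, so if Theme::path builds absolute URLs the same way common_path() does (its implementation is outside this hunk), theme stylesheets may still be emitted as plain-http references on an HTTPS page, which is exactly the mixed-content case this commit is closing for the non-theme path. Worth confirming that Theme::path is HTTPS-aware or passing the same flag there. The enclosing method starts outside this hunk.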
@@ -493,28 +524,48 @@ class HTMLOutputter extends XMLOutputter
 * @param string $label text of label for the element
 * @param string $content content of the textarea, default none
 * @param string $instructions instructions for valid input
+ * @param string $name name of textarea; if null, $id will be used
+ * @param int $cols number of columns
+ * @param int $rows number of rows
 *
 * @return void
- *
- * @todo add a $name parameter
- * @todo add a $cols parameter
- * @todo add a $rows parameter
 */
- function textarea($id, $label, $content=null, $instructions=null)
- {
+ function textarea(
+ $id,
+ $label,
+ $content = null,
+ $instructions = null,
+ $name = null,
+ $cols = null,
+ $rows = null
+ ) {
 $this->element('label', array('for' => $id), $label);
- $this->element('textarea', array('rows' => 3,
- 'cols' => 40,
- 'name' => $id,
- 'id' => $id),
- ($content) ? $content : '');
+ $attrs = array(
+ 'rows' => 3,
+ 'cols' => 40,
+ 'id' => $id
+ );
+ $attrs['name'] = is_null($name) ? $id : $name;
+
+ if ($cols != null) {
+ $attrs['cols'] = $cols;
+
+ }
+ if ($rows != null) {
+ $attrs['rows'] = $rows;
+ }
+ $this->element(
+ 'textarea',
+ $attrs,
+ is_null($content) ? '' : $content
+ );
 if ($instructions) {
 $this->element('p', 'form_guide', $instructions);
 }
 }
- /**
+ /**
 * Internal script to autofocus the given element on page onload.
 *
 * @param string $id element ID, must refer to an existing element
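Review bot: The new `if ($cols != null)` and `if ($rows != null)` checks use loose comparison, so a caller passing `0` or `'0'` silently keeps the 40/3 defaults, while the same function tests `$name` and `$content` with is_null(); for consistency with the documented "if null" contract these should read `if (!is_null($cols)) {` and `if (!is_null($rows)) {`, or the docblock should state that zero is treated as "not given". The stray blank line left inside the `$cols` block after `$attrs['cols'] = $cols;` looks like an editing leftover. The `@param int $cols` and `@param int $rows` lines could also name the defaults that apply when null, e.g. `@param int $cols number of columns, default 40`.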