Class TSafeHtml
TSafeHtml is a control that strips all potentially dangerous HTML content from its body. It is mainly a wrapper around the SafeHTML project. According to the SafeHTML project, it guards against the following when the string is displayed to end users:
- an opening tag without its closing tag
- a closing tag without its opening tag
- any of these tags: base, basefont, head, html, body, applet, object, iframe, frame, frameset, script, layer, ilayer, embed, bgsound, link, meta, style, title, blink, xml, etc.
- any of these attributes: on*, data*, dynsrc
- the javascript:, vbscript:, about: etc. protocols
- expression, behavior etc. in styles
- any other active content.
To use TSafeHtml, simply enclose the content to be secured within the body of TSafeHtml in a template.
If the content is encoded in UTF-7, you will need to enable the RepackUTF7 property to ensure the content gets parsed correctly.
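The following is an added usage example of a PRADO page template; it is not taken from the original page or from the PRADO source. The page-class property $this->UserComment and the surrounding markup are assumed for illustration, and the inner markup is chosen to exercise the categories listed above.

```html
<!--- Added example template (not from the original page). Everything
      between the TSafeHtml tags is rendered to a buffer first and then
      passed through SafeHTML before it is written to the response. --->
<com:TSafeHtml RepackUTF7="false">
    <!-- Ordinary inline markup is kept as-is: -->
    <p>Posted by <strong>guest</strong></p>

    <!--- $this->UserComment is an assumed property of the page class that
          holds untrusted HTML supplied by a user. It is emitted unescaped
          here so that SafeHTML, not the template, decides what survives. --->
    <%= $this->UserComment %>

    <!-- Per the list above, these three constructs are removed:
         a forbidden tag, an on* attribute and a javascript: protocol. -->
    <script>document.title = "changed";</script>
    <button onclick="document.title = 'changed'">Click</button>
    <a href="javascript:void(0)">link</a>
</com:TSafeHtml>
```

RepackUTF7 is written out with its default value of false; set it to true only when the incoming content is UTF-7 encoded, as noted above. Note that sanitisation is applied to the assembled body at render time, so only the fragment that must be rendered as markup needs to be wrapped; content that is already HTML-escaped elsewhere in the page does not.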
Class hierarchy
- TComponent
- TApplicationComponent
- TControl (implements IRenderable, IBindable)
- TSafeHtml
Methods summary

public setRepackUTF7( boolean $value )
Sets whether to parse the contents as UTF-7. This property enables a routine that repacks the content as UTF-7 before parsing it. Defaults to false.
Parameters
- $value: boolean, whether to parse the contents as UTF-7

public boolean getRepackUTF7( )
Returns
- boolean, whether to parse the contents as UTF-7. Defaults to false.

public render( THtmlWriter $writer )
Renders body content. This method overrides the parent implementation by removing malicious JavaScript code from the body content.
Parameters
- $writer: THtmlWriter
Overrides
- TControl::render()

protected string parseSafeHtml( string $text )
Uses SafeHTML to remove malicious JavaScript from the HTML content.
Parameters
- $text: string, the HTML content to be sanitised
Returns
- string, safer HTML content
Methods inherited from TControl
__construct(),
__get(),
addParsedObject(),
addToPostDataLoader(),
addedControl(),
applyStyleSheetSkin(),
autoBindProperty(),
autoDataBindProperties(),
bindProperty(),
broadcastEvent(),
bubbleEvent(),
clearChildState(),
clearControlState(),
clearNamingContainer(),
clearViewState(),
convertUniqueIdToClientId(),
createChildControls(),
createControlCollection(),
dataBind(),
dataBindChildren(),
dataBindProperties(),
ensureChildControls(),
findControl(),
findControlsByID(),
findControlsByType(),
focus(),
getAdapter(),
getAllowChildControls(),
getAttribute(),
getAttributes(),
getChildControlsCreated(),
getClientID(),
getControlStage(),
getControlState(),
getControls(),
getCustomData(),
getEnableTheming(),
getEnableViewState(),
getEnabled(),
getHasAdapter(),
getHasAttributes(),
getHasChildInitialized(),
getHasControls(),
getHasInitialized(),
getHasLoaded(),
getHasLoadedPostData(),
getHasPreRendered(),
getID(),
getIsSkinApplied(),
getNamingContainer(),
getPage(),
getParent(),
getRegisteredObject(),
getSkinID(),
getSourceTemplateControl(),
getTemplateControl(),
getUniqueID(),
getViewState(),
getVisible(),
hasAttribute(),
initRecursive(),
isDescendentOf(),
isObjectRegistered(),
loadRecursive(),
loadState(),
loadStateRecursive(),
onDataBinding(),
onInit(),
onLoad(),
onPreRender(),
onUnload(),
preRenderRecursive(),
raiseBubbleEvent(),
registerObject(),
removeAttribute(),
removedControl(),
renderChildren(),
renderControl(),
saveState(),
saveStateRecursive(),
setAdapter(),
setAttribute(),
setChildControlsCreated(),
setControlStage(),
setControlState(),
setCustomData(),
setEnableTheming(),
setEnableViewState(),
setEnabled(),
setID(),
setPage(),
setSkinID(),
setTemplateControl(),
setViewState(),
setVisible(),
trackViewState(),
traverseChildControls(),
unbindProperty(),
unloadRecursive(),
unregisterObject()
Methods inherited from TComponent
__call(),
__destruct(),
__isset(),
__set(),
__sleep(),
__unset(),
__wakeup(),
asa(),
attachBehavior(),
attachBehaviors(),
attachClassBehavior(),
attachEventHandler(),
canGetProperty(),
canSetProperty(),
clearBehaviors(),
createdOnTemplate(),
detachBehavior(),
detachBehaviors(),
detachClassBehavior(),
detachEventHandler(),
disableBehavior(),
disableBehaviors(),
enableBehavior(),
enableBehaviors(),
evaluateExpression(),
evaluateStatements(),
fxAttachClassBehavior(),
fxDetachClassBehavior(),
getAutoGlobalListen(),
getBehaviorsEnabled(),
getClassHierarchy(),
getEventHandlers(),
getListeningToGlobalEvents(),
getSubProperty(),
hasEvent(),
hasEventHandler(),
hasProperty(),
isa(),
listen(),
raiseEvent(),
setSubProperty(),
unlisten()
Constants inherited from TControl
AUTOMATIC_ID_PREFIX,
CLIENT_ID_SEPARATOR,
CS_CHILD_INITIALIZED,
CS_CONSTRUCTED,
CS_INITIALIZED,
CS_LOADED,
CS_PRERENDERED,
CS_STATE_LOADED,
ID_FORMAT,
ID_SEPARATOR,
IS_CHILD_CREATED,
IS_CREATING_CHILD,
IS_DISABLE_THEMING,
IS_DISABLE_VIEWSTATE,
IS_ID_SET,
IS_SKIN_APPLIED,
IS_STYLESHEET_APPLIED,
RF_ADAPTER,
RF_AUTO_BINDINGS,
RF_CHILD_STATE,
RF_CONTROLS,
RF_CONTROLSTATE,
RF_DATA_BINDINGS,
RF_EVENTS,
RF_NAMED_CONTROLS,
RF_NAMED_CONTROLS_ID,
RF_NAMED_OBJECTS,
RF_SKIN_ID