Zend 框架的自动变量转义器

Question

Can you recommend any good solution for automatic view variable escaping for Zend Framework 1.x?您能为 Zend Framework 1.x 的自动视图变量 escaping 推荐任何好的解决方案吗？

I have tried so far:到目前为止我已经尝试过：

ZF2 implementation; ZF2实施； looks like it does not escape variables syntax like this: $this->var->object()->string看起来它不会像这样转义变量语法： $this->var->object()->string
gnix-view , very nice, but has a nasty recursion bug gnix-view ，非常好，但是有一个讨厌的递归错误
custom solutions based on view streams , similar to Rob Allen's escaper , but parsing syntax with regex always fails基于view streams的自定义解决方案，类似于Rob Allen 的 escaper ，但使用 regex 解析语法总是失败
Twig (no good support for view helpers and layout) Twig（对视图助手和布局没有很好的支持）

Answer 1

Here is my solution这是我的解决方案

/**
 * Purifies all data passed to view
 *
 * @author miholeus
 */
class HTMLPurifier_View extends Zend_View {
    protected $_vars = array();

    public function __set($key, $val)
    {

        if(is_string($val)) {
            $purified = $this->escape($val);
        } elseif(is_array($val)) {
            $purified = array_map(array($this, 'traverseSingle'), $val);
        } else { // other types: integers, bools, objects
            $purified = $this->traverseSingle($val);
        }

        $this->_vars[$key] = array(
            'raw' => $val,
            'purified' => $purified
        );

        return $this;
    }

    public function getRaw($key)
    {
        if(isset($this->_vars[$key])) {
            return $this->_vars[$key]['raw'];
        }
        return null;
    }

    public function __get($key)
    {
        if(isset($this->_vars[$key])) {
            return $this->_vars[$key]['purified'];
        }
        return null;
    }

    private function traverseSingle($element)
    {
        if(is_object($element)) {
            $reflect = new ReflectionObject($element);
            foreach ($reflect->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
              $element->{$prop->getName()} = $this->escape($element->{$prop->getName()});
            }
            return $element;
        } else {
            return $this->escape($element);
        }
    }
}

All you need to do is to set it as your view in bootstrap.您需要做的就是在引导程序中将其设置为您的视图。

Answer 2

if i would think to make an automatic escaper i would create a ZF plugin that run in postDispatch :如果我想制作一个自动转义器，我会创建一个在postDispatch中运行的 ZF 插件：

postDispatch() is called after an action is dispatched by the dispatcher. postDispatch() 在调度程序调度操作后调用。 This callback allows for proxy or filter behavior.此回调允许代理或过滤器行为。 By altering the request and resetting its dispatched flag (via Zend_Controller_Request_Abstract::setDispatched(false)), a new action may be specified for dispatching.通过改变请求并重置它的调度标志（通过 Zend_Controller_Request_Abstract::setDispatched(false)），可以指定一个新的动作来调度。 source资源

mybe some use of htmlprifier would be a smart job:) mybe 对 htmlprifier 的一些使用将是一个聪明的工作:)

class Automatic_Escaper extends Zend_Controller_Plugin_Abstract{
   public function postDispatch(Zend_Controller_Request_Abstract $request)
    {
        $response = $this->getResponse();
        $htmlpurifier = Zend_Registry::get('purifier');
        $safe = $htmlpurifier->purify($response);
        return $this->setResponse($safe);
    }
}

I hope I explained my idea regardless of the status the sample above.我希望无论上述示例的状态如何，我都能解释我的想法。

Zend 框架的自动变量转义器

问题描述

2 个解决方案

解决方案1
1 2011-07-05 11:16:44

解决方案2
0 已采纳 2011-07-04 13:26:39

Zend 框架的自动变量转义器

问题描述

2 个解决方案

解决方案1 1 2011-07-05 11:16:44

解决方案2 0 已采纳 2011-07-04 13:26:39

解决方案1
1 2011-07-05 11:16:44

解决方案2
0 已采纳 2011-07-04 13:26:39