From 8a72c9704f7bb588e57949dc41ba95fe7ce5795f Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 24 May 2016 21:49:25 +0200
Subject: [PATCH] mvc: fix translations by adding an escaping wrapper
PR: https://forum.opnsense.org/index.php?topic=3083.0
---
 .../OPNsense/Base/ControllerBase.php | 6 +--
 .../library/OPNsense/Base/ViewTranslator.php | 45 +++++++++++++++++++
 2 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
index 0e0ba60eb..238072535 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ControllerBase.php
@@ -30,8 +30,8 @@ namespace OPNsense\Base;
 use OPNsense\Core\Config;
+use OPNsense\Base\ViewTranslator;
 use Phalcon\Mvc\Controller;
-use Phalcon\Translate\Adapter\Gettext;
 /**
 * Class ControllerBase implements core controller for OPNsense framework
@@ -42,7 +42,7 @@ class ControllerBase extends ControllerRoot
 /**
 * translate a text
 * @param OPNsense\Core\Config $cnf config handle
- * @return Gettext
+ * @return ViewTranslator
 */
 public function getTranslator($cnf)
 {
@@ -57,7 +57,7 @@ class ControllerBase extends ControllerRoot
 $lang_encoding = $lang . '.UTF-8';
- $ret = new Gettext(array(
+ $ret = new ViewTranslator(array(
 'directory' => '/usr/local/share/locale',
 'defaultDomain' => 'OPNsense',
 'locale' => $lang_encoding,
diff --git a/src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php b/src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php
new file mode 100644
index 000000000..f2c599802
--- /dev/null
+++ b/src/opnsense/mvc/app/library/OPNsense/Base/ViewTranslator.php
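Review bot: The added `use OPNsense\Base\ViewTranslator;` in the first hunk is redundant: the file is already inside `namespace OPNsense\Base;` (visible in the hunk header), so the unqualified `ViewTranslator` used by the third hunk resolves to the same class without it. PHP accepts the import silently, but it reads as if the class lived in another namespace; dropping that line and keeping only the `Gettext` import removal leaves the hunk cleaner.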
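Review bot: The docblock touched in the second hunk still describes getTranslator() as "translate a text", while the ViewTranslator it now returns HTML-escapes every lookup; callers need that stated, because a view that escapes the result a second time will double-encode `&`, `<` and quotes in translated strings. Suggest extending the changed line to ` * @return ViewTranslator translator whose _() output is already HTML-escaped; do not escape it again in views`. The body of getTranslator() continues outside the hunk, as does the array passed to the constructor in the third hunk.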
@@ -0,0 +1,45 @@
+
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Base;
+
+use Phalcon\Translate\Adapter\Gettext;
+
+/**
+ * Class ViewTranslator XSS-safe Gettext wrapper
+ * @package OPNsense\Base
+ */
+class ViewTranslator extends Gettext
+{
+ public function _($translateKey, $placeholders = null)
+ {
+ $translateValue = parent::_($translateKey, $placeholders);
+ /* gettext() embedded in JavaScript can cause syntax errors */
+ return htmlspecialchars($translateValue, ENT_QUOTES | ENT_HTML401);
+ }
+}
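Review bot: `htmlspecialchars($translateValue, ENT_QUOTES | ENT_HTML401)` in `_()` returns an empty string when the catalog string is not valid UTF-8, so one bad byte in a .po entry silently blanks that translation in the UI; adding `ENT_SUBSTITUTE` and the explicit charset, `return htmlspecialchars($translateValue, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8');`, substitutes U+FFFD for the bad sequence instead. The inline comment frames this as a JavaScript fix, but what is applied is HTML entity escaping: a quote becomes `&#039;`, which keeps a JS string literal from breaking but leaves the entity text in the value unless the page later decodes it, and an `&` in a translation is encoded on every pass because double_encode stays at its default. The comment would be clearer as `/* HTML-escape every lookup; views must not escape this value again, and this is not a JavaScript-string escape */`. If the Phalcon adapter exposes lookup entry points other than `_()` (a `query()`/`t()` or plural variant), they are not covered by this override and would return raw catalog text, which is worth confirming against the installed Phalcon version.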