From 01c8b14a44d211a7bb14f9f909c8187e12bc85c6 Mon Sep 17 00:00:00 2001
From: David Goodwin <david@palepurple.co.uk>
Date: Thu, 27 Dec 2018 22:01:35 +0000
Subject: [PATCH] PFASmarty class

---
 lib/PFASmarty.php | 91 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 lib/PFASmarty.php

diff --git a/lib/PFASmarty.php b/lib/PFASmarty.php
new file mode 100644
index 00000000..218e8f05
--- /dev/null
+++ b/lib/PFASmarty.php
@@ -0,0 +1,91 @@
+<?php
+
+/**
+ * Turn on sanitisation of all data by default so it's not possible for XSS flaws to occur in PFA
+ */
+class PFASmarty {
+
+    /**
+     * @var Smarty
+     */
+    protected $template = null;
+
+    /**
+     * @param string $template_theme 
+     */
+    public function __construct($template_theme = 'default') {
+        $this->template = new Smarty();
+
+        //$this->template->debugging = true;
+        if($template_theme == 'default') {
+            $this->template->setTemplateDir(dirname(__FILE__) . '/../templates');
+        }
+        else {
+            $this->template->setTemplateDir(dirname(__FILE__) . '/../templates/'. $template_theme);
+        }
+
+        // if it's not present or writeable, smarty should just not cache.
+        $templates_c = dirname(__FILE__) . '/../templates_c';
+        if (is_dir($templates_c) && is_writeable($templates_c)) {
+            $this->template->setCompileDir($templates_c);
+        } else {
+            # unfortunately there's no sane way to just disable compiling of templates
+            clearstatcache(); // just incase someone just fixed it; on their next refresh it should work.
+            error_log("ERROR: directory $templates_c doesn't exist or isn't writeable for the webserver");
+            die("ERROR: the templates_c directory doesn't exist or isn't writeable for the webserver");
+        }
+
+        $this->template->setConfigDir(dirname(__FILE__) . '/../configs');
+    }
+
+    /**
+     * @param string $key
+     * @param mixed $value
+     * @param bool $sanitise
+     */
+    public function assign($key, $value, $sanitise = true) {
+        $this->template->assign("RAW_$key", $value);
+        if ($sanitise == false) {
+            return $this->template->assign($key, $value);
+        }
+        $clean = $this->sanitise($value);
+        /* we won't run the key through sanitise() here... some might argue we should */
+        return $this->template->assign($key, $clean);
+    }
+
+    /**
+     * @return void
+     * @param string $template
+     */
+    public function display($template) {
+        header("Expires: Sun, 16 Mar 2003 05:00:00 GMT");
+        header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+        header("Cache-Control: no-store, no-cache, must-revalidate");
+        header("Cache-Control: post-check=0, pre-check=0", false);
+        header("Pragma: no-cache");
+        header("Content-Type: text/html; charset=UTF-8");
+
+        $this->template->display($template);
+        unset($_SESSION['flash']); # cleanup flash messages
+    }
+    /**
+     * Recursive cleaning of data, using htmlentities - this assumes we only ever output to HTML and we're outputting in UTF-8 charset
+     *
+     * @param mixed $data - array or primitive type; objects not supported.
+     * @return mixed $data
+     * */
+    public function sanitise($data) {
+        if (!is_array($data)) {
+            return htmlentities($data, ENT_QUOTES, 'UTF-8', false);
+        }
+        if (is_array($data)) {
+            $clean = array();
+            foreach ($data as $key => $value) {
+                /* as this is a nested data structure it's more likely we'll output the key too (at least in my opinion, so we'll sanitise it too */
+                $clean[$this->sanitise($key)] = $this->sanitise($value);
+            }
+            return $clean;
+        }
+    }
+}
+