banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #67 from andywer/master

Browse Source 
Replaced nasty eval() code
pull/15/merge
Aleksander Machniak 12 years ago
parent 969cb03f9a de6585eb77
commit 06c2d0add5
1 changed files with 23 additions and 15 deletions
Show Stats Download Patch File Download Diff File

38
program/include/rcmail_output_html.php
Unescape Escape View File

@ -731,14 +731,13 @@ class rcmail_output_html extends rcmail_output
/** /**
* Determines if a given condition is met * Determines if a given condition is met
* *
* @todo Get rid off eval() once I understand what this does.
* @todo Extend this to allow real conditions, not just "set" * @todo Extend this to allow real conditions, not just "set"
* @param string Condition statement * @param string Condition statement
* @return boolean True if condition is met, False if not * @return boolean True if condition is met, False if not
*/ */
protected function check_condition($condition) protected function check_condition($condition)
{ {
return eval("return (".$this->parse_expression($condition).");"); return $this->eval_expression($condition);
} }
@ -760,14 +759,11 @@ class rcmail_output_html extends rcmail_output
/** /**
* Parses expression and replaces variables * Parse & evaluate a given expression and return its result.
*
* @param string Expression statement * @param string Expression statement
* @return string Expression value
*/ */
protected function parse_expression($expression) protected function eval_expression ($expression) {
{ $expression = preg_replace(
return preg_replace(
array( array(
'/session:([a-z0-9_]+)/i', '/session:([a-z0-9_]+)/i',
'/config:([a-z0-9_]+)(:([a-z0-9_]+))?/i', '/config:([a-z0-9_]+)(:([a-z0-9_]+))?/i',
@ -779,14 +775,27 @@ class rcmail_output_html extends rcmail_output
), ),
array( array(
"\$_SESSION['\\1']", "\$_SESSION['\\1']",
"\$this->app->config->get('\\1',rcube_utils::get_boolean('\\3'))", "\$app->config->get('\\1',rcube_utils::get_boolean('\\3'))",
"\$this->env['\\1']", "\$env['\\1']",
"rcube_utils::get_input_value('\\1', rcube_utils::INPUT_GPC)", "rcube_utils::get_input_value('\\1', rcube_utils::INPUT_GPC)",
"\$_COOKIE['\\1']", "\$_COOKIE['\\1']",
"\$this->browser->{'\\1'}", "\$browser->{'\\1'}",
$this->template_name, $this->template_name,
), ),
$expression); $expression
);
$fn = create_function('$app,$browser,$env', "return ($expression);");
if(!$fn) {
rcube::raise_error(array(
'code' => 505,
'type' => 'php',
'file' => __FILE__,
'line' => __LINE__,
'message' => "Expression parse error on: ($expression)"), true, false);
}
return $fn($this->app, $this->browser, $this->env);
} }
@ -839,7 +848,7 @@ class rcmail_output_html extends rcmail_output
// show a label // show a label
case 'label': case 'label':
if ($attrib['expression']) if ($attrib['expression'])
$attrib['name'] = eval("return " . $this->parse_expression($attrib['expression']) .";"); $attrib['name'] = $this->eval_expression($attrib['expression']);
if ($attrib['name'] || $attrib['command']) { if ($attrib['name'] || $attrib['command']) {
// @FIXME: 'noshow' is useless, remove? // @FIXME: 'noshow' is useless, remove?
@ -971,8 +980,7 @@ class rcmail_output_html extends rcmail_output
// return code for a specified eval expression // return code for a specified eval expression
case 'exp': case 'exp':
$value = $this->parse_expression($attrib['expression']); return html::quote( $this->eval_expression($attrib['expression']) );
return eval("return html::quote($value);");
// return variable // return variable
case 'var': case 'var':

Write Preview
Loading…
Cancel
Save