class Template

Used to hold variables that will be inserted into templates, and to render templates for display.

Traits

Validates that a filename or path does NOT contain directory traversals in any form.
Provides methods for validating UTF-8 character encoding and string composition.

Properties

$variables

Methods

bool
hasTraversalorNullByte(string $path)

Check if a file path contains traversals (including encoded traversals) or null bytes.

string
encodeEscapeUrl(string $url)

URL-encode and escape a query string for use in a URL.

bool
isAlnum(string $alnum)

Check that a string is comprised solely of alphanumeric characters.

bool
isAlnumUnderscore(string $alnumUnderscore)

Check that a string is comprised solely of alphanumeric characters and underscores.

bool
isAlpha(string $alpha)

Check that a string is comprised solely of alphabetical characters.

bool
isUtf8(string $text)

Check if the character encoding of text is UTF-8.

string
trimString(mixed $text)

Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.

__construct(string $template, string $theme)

Constructor

assign(string $key, mixed $value)

Assign a variable (value) to the template.

string
render()

Render the template.

validPath()

Check the theme and template for director traversals.

Details

in TraversalCheck at line 46
bool hasTraversalorNullByte(string $path)

Check if a file path contains traversals (including encoded traversals) or null bytes.

Directory traversals are not permitted in Tuskfish method parameters. If a path is found to contain a traversal it is presumed to be an attack. Encoded traversals are a clear sign of attempted abuse.

In general untrusted data should never be used to construct a file path. This method exists as a second line safety measure.

Parameters

string $path

Return Value

bool True if a traversal or null byte is found, otherwise false.

See also

in ValidateString at line 41
string encodeEscapeUrl(string $url)

URL-encode and escape a query string for use in a URL.

Trims, checks for UTF-8 compliance, rawurlencodes and then escapes with htmlspecialchars(). If you wish to use the data on a landing page you must decode it with htmlspecialchars_decode() followed by rawurldecode() in that order. But really, if you are using any characters that need to be encoded in the first place you should probably just stop.

Parameters

string $url Unescaped input URL.

Return Value

string Encoded and escaped URL.

in ValidateString at line 59
bool isAlnum(string $alnum)

Check that a string is comprised solely of alphanumeric characters.

Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

string $alnum Input to be tested.

Return Value

bool True if valid alphanumerical string, false otherwise.

in ValidateString at line 77
bool isAlnumUnderscore(string $alnumUnderscore)

Check that a string is comprised solely of alphanumeric characters and underscores.

Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

string $alnumUnderscore Input to be tested.

Return Value

bool True if valid alphanumerical or underscore string, false otherwise.

in ValidateString at line 95
bool isAlpha(string $alpha)

Check that a string is comprised solely of alphabetical characters.

Tolerates vanilla ASCII only. Accented regional characters are rejected. This method is designed to be used to check database identifiers or object property names.

Parameters

string $alpha Input to be tested.

Return Value

bool True if valid alphabetical string, false otherwise.

in ValidateString at line 113
bool isUtf8(string $text)

Check if the character encoding of text is UTF-8.

All strings received from external sources must be passed through this function, particularly prior to storage in the database.

Parameters

string $text Input string to check.

Return Value

bool True if string is UTF-8 encoded otherwise false.

in ValidateString at line 131
string trimString(mixed $text)

Cast to string, check UTF-8 encoding and strip trailing whitespace and control characters.

Removes trailing whitespace and control characters (ASCII <= 32 / UTF-8 points 0-32 inclusive), checks for UTF-8 character set and casts input to a string. Note that the data returned by this function still requires escaping at the point of use; it is not database or XSS safe.

As the input is cast to a string do NOT apply this function to non-string types (int, float, bool, object, resource, null, array, etc).

Parameters

mixed $text Input to be trimmed.

Return Value

string Trimmed and UTF-8 validated string.

at line 50
__construct(string $template, string $theme)

Constructor

Parameters

string $template Name of the template to render for this page.
string $theme Name of the theme to use for this page.

at line 65
assign(string $key, mixed $value)

Assign a variable (value) to the template.

Assigned variabless are extracted for insertion in the template on render.

Parameters

string $key Variable name.
mixed $value Variable value.

at line 78
string render()

Render the template.

Variables assigned to the template are extracted to make them available for use in the template.

Return Value

string

at line 89
validPath()

Check the theme and template for director traversals.