ensure diff formatters escape their output

60056e69 · Christopher Smith · 07a7d21a · 60056e69
Commit 60056e69 authored 12 years ago by Christopher Smith
--- a/inc/DifferenceEngine.php
+++ b/inc/DifferenceEngine.php
@@ -797,7 +797,7 @@ class DiffFormatter {

    function _lines($lines, $prefix = ' ') {
        foreach ($lines as $line)
-            echo "$prefix $line\n";
+            echo "$prefix ".$this->_escape($line)."\n";
    }

    function _context($lines) {
@@ -816,6 +816,10 @@ class DiffFormatter {
        echo "---\n";
        $this->_added($closing);
    }
+
+    function _escape($str){
+        return $str;
+    }
 }

 /**
@@ -871,13 +875,13 @@ class _HWLDF_WordAccumulator {
    function _flushGroup($new_tag) {
        if ($this->_group !== '') {
            if ($this->_tag == 'mark')
-                $this->_line .= '<strong '.HTMLDiff::css('diff-mark').'>'.$this->_group.'</strong>';
+                $this->_line .= '<strong '.HTMLDiff::css('diff-mark').'>'.$this->_escape($this->_group).'</strong>';
            elseif ($this->_tag == 'add')
-                $this->_line .= '<span '.HTMLDiff::css('diff-addedline').'>'.$this->_group.'</span>';
+                $this->_line .= '<span '.HTMLDiff::css('diff-addedline').'>'.$this->_escape($this->_group).'</span>';
            elseif ($this->_tag == 'del')
-                $this->_line .= '<span '.HTMLDiff::css('diff-deletedline').'><del>'.$this->_group.'</del></span>';
+                $this->_line .= '<span '.HTMLDiff::css('diff-deletedline').'><del>'.$this->_escape($this->_group).'</del></span>';
            else
-                $this->_line .= $this->_group;
+                $this->_line .= $this->_escape($this->_group);
        }
        $this->_group = '';
        $this->_tag = $new_tag;
@@ -912,6 +916,10 @@ class _HWLDF_WordAccumulator {
        $this->_flushLine('~done');
        return $this->_lines;
    }
+
+    function _escape($str){
+        return hsc($str);
+    }
 }

 class WordLevelDiff extends MappedDiff {
@@ -1069,11 +1077,17 @@ class TableDiffFormatter extends DiffFormatter {
    function _lines($lines, $prefix=' ', $color="white") {
    }

-    function addedLine($line) {
+    function addedLine($line,$escaped=false) {
+        if (!$escaped){
+            $line = $this->_escape($line);
+        }
        return '<td>+</td><td '.HTMLDiff::css('diff-addedline').'>' .  $line.'</td>';
    }

-    function deletedLine($line) {
+    function deletedLine($line,$escaped=false) {
+        if (!$escaped){
+            $line = $this->_escape($line);
+        }
        return '<td>-</td><td '.HTMLDiff::css('diff-deletedline').'>' .  $line.'</td>';
    }

@@ -1082,12 +1096,16 @@ class TableDiffFormatter extends DiffFormatter {
    }

    function contextLine($line) {
-        return '<td> </td><td '.HTMLDiff::css('diff-context').'>'.$line.'</td>';
+        return '<td> </td><td '.HTMLDiff::css('diff-context').'>'.$this->_escape($line).'</td>';
    }

    function _added($lines) {
+        $this->_addedLines($lines,false);
+    }
+
+    function _addedLines($lines,$escaped=false){
        foreach ($lines as $line) {
-            print('<tr>' . $this->emptyLine() . $this->addedLine($line) . "</tr>\n");
+            print('<tr>' . $this->emptyLine() . $this->addedLine($line,$escaped) . "</tr>\n");
        }
    }

@@ -1104,15 +1122,19 @@ class TableDiffFormatter extends DiffFormatter {
    }

    function _changed($orig, $closing) {
-        $diff = new WordLevelDiff($orig, $closing);
+        $diff = new WordLevelDiff($orig, $closing);  // this escapes the diff data
        $del = $diff->orig();
        $add = $diff->closing();

        while ($line = array_shift($del)) {
            $aline = array_shift($add);
-            print('<tr>' . $this->deletedLine($line) . $this->addedLine($aline) . "</tr>\n");
+            print('<tr>' . $this->deletedLine($line,true) . $this->addedLine($aline,true) . "</tr>\n");
        }
-        $this->_added($add); # If any leftovers
+        $this->_addedLines($add,true); # If any leftovers
+    }
+
+    function _escape($str) {
+        return hsc($str);
    }
 }

@@ -1167,29 +1189,33 @@ class InlineDiffFormatter extends DiffFormatter {

    function _added($lines) {
        foreach ($lines as $line) {
-            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-addedline').'>'. $line . "</td></tr>\n");
+            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-addedline').'>'. $this->_escape($line) . "</td></tr>\n");
        }
    }

    function _deleted($lines) {
        foreach ($lines as $line) {
-            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-deletedline').'><del>' . $line . "</del></td></tr>\n");
+            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-deletedline').'><del>' . $this->_escape($line) . "</del></td></tr>\n");
        }
    }

    function _context($lines) {
        foreach ($lines as $line) {
-            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-context').'>'.$line."</td></tr>\n");
+            print('<tr><td colspan="'.$this->colspan.'" '.HTMLDiff::css('diff-context').'>'.$this->_escape($line)."</td></tr>\n");
        }
    }

    function _changed($orig, $closing) {
-        $diff = new InlineWordLevelDiff($orig, $closing);
+        $diff = new InlineWordLevelDiff($orig, $closing);  // this escapes the diff data
        $add = $diff->inline();

        foreach ($add as $line)
            print('<tr><td colspan="'.$this->colspan.'">'.$line."</td></tr>\n");
    }
+
+    function _escape($str) {
+        return hsc($str);
+    }
 }