SECURITY: remove XSS vulnerability

This commit is contained in:
czaks 2014-03-30 16:40:14 +02:00
parent 96d6504cba
commit 207543754c
10 changed files with 0 additions and 413 deletions

View File

@ -1,27 +0,0 @@
<html>
<head>
<title>PHP-gettext examples</title>
</head>
<body>
<h1>PHP-gettext</h1>
<h2>Introduction</h2>
<p>PHP-gettext provides a simple gettext replacement that works independently from the system's gettext abilities.
It can read MO files and use them for translating strings.</p>
<p>This version has the ability to cache all strings and translations to speed up the string lookup.
While the cache is enabled by default, it can be switched off with the second parameter in the constructor (e.g. when using very large MO files
that you don't want to keep in memory)</p>
<h2>Examples</h2>
<ul>
<li><a href="pigs_dropin.php">PHP-gettext as a dropin replacement</a></li>
<li><a href="pigs_fallback.php">PHP-gettext as a fallback solution</a></li>
</ul>
<hr />
<p>Copyright (c) 2003-2006 Danilo Segan</p>
<p>Copyright (c) 2005-2006 Steven Armstrong</p>
</body>
</html>

View File

@ -1,30 +0,0 @@
# Sample translation for PHP-gettext 1.0
# Copyright (c) 2003 Danilo Segan <danilo@kvota.net>
#
msgid ""
msgstr ""
"Project-Id-Version: pigs\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2003-10-23 04:50+0200\n"
"PO-Revision-Date: 2003-11-01 23:40+0100\n"
"Last-Translator: Danilo Segan <danilo@kvota.net>\n"
"Language-Team: Serbian (sr) <danilo@kvota.net>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#"Plural-Forms: nplurals=2; plural=n != 1;\n"
#: pigs.php:19
msgid ""
"This is how the story goes.\n"
"\n"
msgstr ""
"Und so geht die Geschichte.\n"
"\n"
#: pigs.php:21
#, php-format
msgid "%d pig went to the market\n"
msgid_plural "%d pigs went to the market\n"
msgstr[0] "%d Schwein ging zum Markt\n"
msgstr[1] "%d Schweine gingen zum Markt\n"

View File

@ -1,30 +0,0 @@
# Sample translation for PHP-gettext 1.0
# Copyright (c) 2003,2006 Danilo Segan <danilo@kvota.net>
#
msgid ""
msgstr ""
"Project-Id-Version: pigs\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2003-10-23 04:50+0200\n"
"PO-Revision-Date: 2006-02-02 21:06+0100\n"
"Last-Translator: Danilo Segan <danilo@kvota.net>\n"
"Language-Team: Serbian (sr) <danilo@kvota.net>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
#: pigs.php:19
msgid ""
"This is how the story goes.\n"
"\n"
msgstr "Овако иде прича.\n\n"
#: pigs.php:21
#, php-format
msgid "%d pig went to the market\n"
msgid_plural "%d pigs went to the market\n"
msgstr[0] "%d мало прасе је отишло на пијац\n"
msgstr[1] "%d мала прасета су отишла на пијац\n"
msgstr[2] "%d малих прасића је отишло на пијац\n"

View File

@ -1,89 +0,0 @@
<?php
/*
Copyright (c) 2003,2004,2005,2009 Danilo Segan <danilo@kvota.net>.
Copyright (c) 2005,2006 Steven Armstrong <sa@c-area.ch>
This file is part of PHP-gettext.
PHP-gettext is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
PHP-gettext is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with PHP-gettext; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
error_reporting(E_ALL | E_STRICT);
// define constants
define('PROJECT_DIR', realpath('./'));
define('LOCALE_DIR', PROJECT_DIR .'/locale');
define('DEFAULT_LOCALE', 'en_US');
require_once('../gettext.inc');
$supported_locales = array('en_US', 'sr_CS', 'de_CH');
$encoding = 'UTF-8';
$locale = (isset($_GET['lang']))? $_GET['lang'] : DEFAULT_LOCALE;
// gettext setup
T_setlocale(LC_MESSAGES, $locale);
// Set the text domain as 'messages'
$domain = 'messages';
bindtextdomain($domain, LOCALE_DIR);
// bind_textdomain_codeset is supported only in PHP 4.2.0+
if (function_exists('bind_textdomain_codeset'))
bind_textdomain_codeset($domain, $encoding);
textdomain($domain);
header("Content-type: text/html; charset=$encoding");
?>
<html>
<head>
<title>PHP-gettext dropin example</title>
</head>
<body>
<h1>PHP-gettext as a dropin replacement</h1>
<p>Example showing how to use PHP-gettext as a dropin replacement for the native gettext library.</p>
<?php
print "<p>";
foreach($supported_locales as $l) {
print "[<a href=\"?lang=$l\">$l</a>] ";
}
print "</p>\n";
if (!locale_emulation()) {
print "<p>locale '$locale' is supported by your system, using native gettext implementation.</p>\n";
}
else {
print "<p>locale '$locale' is _not_ supported on your system, using the default locale '". DEFAULT_LOCALE ."'.</p>\n";
}
?>
<hr />
<?php
// using PHP-gettext
print "<pre>";
print _("This is how the story goes.\n\n");
for ($number=6; $number>=0; $number--) {
print sprintf(T_ngettext("%d pig went to the market\n",
"%d pigs went to the market\n", $number),
$number );
}
print "</pre>\n";
?>
<hr />
<p>&laquo; <a href="./">back</a></p>
</body>
</html>

View File

@ -1,88 +0,0 @@
<?php
/*
Copyright (c) 2003,2004,2005,2009 Danilo Segan <danilo@kvota.net>.
Copyright (c) 2005,2006 Steven Armstrong <sa@c-area.ch>
This file is part of PHP-gettext.
PHP-gettext is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
PHP-gettext is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with PHP-gettext; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
error_reporting(E_ALL | E_STRICT);
// define constants
define('PROJECT_DIR', realpath('./'));
define('LOCALE_DIR', PROJECT_DIR .'/locale');
define('DEFAULT_LOCALE', 'en_US');
require_once('../gettext.inc');
$supported_locales = array('en_US', 'sr_CS', 'de_CH');
$encoding = 'UTF-8';
$locale = (isset($_GET['lang']))? $_GET['lang'] : DEFAULT_LOCALE;
// gettext setup
T_setlocale(LC_MESSAGES, $locale);
// Set the text domain as 'messages'
$domain = 'messages';
T_bindtextdomain($domain, LOCALE_DIR);
T_bind_textdomain_codeset($domain, $encoding);
T_textdomain($domain);
header("Content-type: text/html; charset=$encoding");
?>
<html>
<head>
<title>PHP-gettext fallback example</title>
</head>
<body>
<h1>PHP-gettext as a fallback solution</h1>
<p>Example showing how to use PHP-gettext as a fallback solution if the native gettext library is not available or the system does not support the requested locale.</p>
<?php
print "<p>";
foreach($supported_locales as $l) {
print "[<a href=\"?lang=$l\">$l</a>] ";
}
print "</p>\n";
if (!locale_emulation()) {
print "<p>locale '$locale' is supported by your system, using native gettext implementation.</p>\n";
}
else {
print "<p>locale '$locale' is <strong>not</strong> supported on your system, using custom gettext implementation.</p>\n";
}
?>
<hr />
<?php
// using PHP-gettext
print "<pre>";
print T_("This is how the story goes.\n\n");
for ($number=6; $number>=0; $number--) {
print sprintf( T_ngettext("%d pig went to the market\n",
"%d pigs went to the market\n", $number),
$number );
}
print "</pre>\n";
?>
<hr />
<p>&laquo; <a href="./">back</a></p>
</body>
</html>

View File

@ -1,14 +0,0 @@
#!/bin/sh
TEMPLATE=pigs.pot
xgettext -kT_ngettext:1,2 -kT_ -L PHP -o $TEMPLATE pigs_dropin.php
if [ "x$1" = "x-p" ]; then
msgfmt --statistics $TEMPLATE
else
if [ -f $1.po ]; then
msgmerge -o .tmp$1.po $1.po $TEMPLATE
mv .tmp$1.po $1.po
msgfmt --statistics $1.po
else
echo "Usage: $0 [-p|<basename>]"
fi
fi

View File

@ -1,75 +0,0 @@
<?php
require_once('PHPUnit/Framework.php');
require_once('gettext.inc');
class LocaleTest extends PHPUnit_Framework_TestCase
{
public function test_setlocale()
{
putenv("LC_ALL=");
// _setlocale defaults to a locale name from environment variable LANG.
putenv("LANG=sr_RS");
$this->assertEquals('sr_RS', _setlocale(LC_MESSAGES, 0));
}
public function test_setlocale_system()
{
putenv("LC_ALL=");
// For an existing locale, it never needs emulation.
putenv("LANG=C");
_setlocale(LC_MESSAGES, "");
$this->assertEquals(0, locale_emulation());
}
public function test_setlocale_emulation()
{
putenv("LC_ALL=");
// If we set it to a non-existent locale, it still works, but uses
// emulation.
_setlocale(LC_MESSAGES, "xxx_XXX");
$this->assertEquals('xxx_XXX', _setlocale(LC_MESSAGES, 0));
$this->assertEquals(1, locale_emulation());
}
public function test_get_list_of_locales()
{
// For a locale containing country code, we prefer
// full locale name, but if that's not found, fall back
// to the language only locale name.
$this->assertEquals(array("sr_RS", "sr"),
get_list_of_locales("sr_RS"));
// If language code is used, it's the only thing returned.
$this->assertEquals(array("sr"),
get_list_of_locales("sr"));
// There is support for language and charset only.
$this->assertEquals(array("sr.UTF-8", "sr"),
get_list_of_locales("sr.UTF-8"));
// It can also split out character set from the full locale name.
$this->assertEquals(array("sr_RS.UTF-8", "sr_RS", "sr"),
get_list_of_locales("sr_RS.UTF-8"));
// There is support for @modifier in locale names as well.
$this->assertEquals(array("sr_RS.UTF-8@latin", "sr_RS@latin", "sr@latin",
"sr_RS.UTF-8", "sr_RS", "sr"),
get_list_of_locales("sr_RS.UTF-8@latin"));
// We can pass in only language and modifier.
$this->assertEquals(array("sr@latin", "sr"),
get_list_of_locales("sr@latin"));
// If locale name is not following the regular POSIX pattern,
// it's used verbatim.
$this->assertEquals(array("something"),
get_list_of_locales("something"));
// Passing in an empty string returns an empty array.
$this->assertEquals(array(),
get_list_of_locales(""));
}
}
?>

View File

@ -1,60 +0,0 @@
<?php
require_once('PHPUnit/Framework.php');
//require_once('gettext.php');
class ParsingTest extends PHPUnit_Framework_TestCase
{
public function test_extract_plural_forms_header_from_po_header()
{
$parser = new gettext_reader(NULL);
// It defaults to a "Western-style" plural header.
$this->assertEquals(
'nplurals=2; plural=n == 1 ? 0 : 1;',
$parser->extract_plural_forms_header_from_po_header(""));
// Extracting it from the middle of the header works.
$this->assertEquals(
'nplurals=1; plural=0;',
$parser->extract_plural_forms_header_from_po_header(
"Content-type: text/html; charset=UTF-8\n"
."Plural-Forms: nplurals=1; plural=0;\n"
."Last-Translator: nobody\n"
));
// It's also case-insensitive.
$this->assertEquals(
'nplurals=1; plural=0;',
$parser->extract_plural_forms_header_from_po_header(
"PLURAL-forms: nplurals=1; plural=0;\n"
));
// It falls back to default if it's not on a separate line.
$this->assertEquals(
'nplurals=2; plural=n == 1 ? 0 : 1;',
$parser->extract_plural_forms_header_from_po_header(
"Content-type: text/html; charset=UTF-8" // note the missing \n here
."Plural-Forms: nplurals=1; plural=0;\n"
."Last-Translator: nobody\n"
));
}
/**
* @dataProvider data_provider_test_npgettext
*/
public function test_npgettext($number, $expected) {
$parser = new gettext_reader(NULL);
$result = $parser->npgettext("context",
"%d pig went to the market\n",
"%d pigs went to the market\n",
$number);
$this->assertSame($expected, $result);
}
public static function data_provider_test_npgettext() {
return array(
array(1, "%d pig went to the market\n"),
array(2, "%d pigs went to the market\n"),
);
}
}
?>