diff --git a/library/think/Template.php b/library/think/Template.php index 75034fa1..c8969e21 100644 --- a/library/think/Template.php +++ b/library/think/Template.php @@ -51,6 +51,7 @@ class Template 'cache_id' => '', // 模板缓存ID 'tpl_replace_string' => [], 'tpl_var_identify' => 'array', // .语法变量识别,array|object|'', 为空时自动识别 + 'default_filter' => 'htmlentities', // 默认过滤方法 用于普通标签输出 ]; private $literal = []; @@ -732,7 +733,7 @@ class Template $array = preg_split('/([!=]={1,2}|(?<]={0,1})/', substr($str, 0, $pos), 2, PREG_SPLIT_DELIM_CAPTURE); $name = $array[0]; $this->parseVar($name); - $this->parseVarFunction($name); + //$this->parseVarFunction($name); $str = trim(substr($str, $pos + 1)); $this->parseVar($str); @@ -745,6 +746,7 @@ class Template } switch ($first) { case '?': + $this->parseVarFunction($name); $str = ''; break; case '=': @@ -760,22 +762,39 @@ class Template } else { $express = false; } + + if (in_array($first, ['?', '=', ':'])) { + $str = trim(substr($str, 1)); + if (strpos($str, '$') === 0) { + $str = $this->parseVarFunction($str); + } + } + // $name为数组 switch ($first) { case '?': // {$varname??'xxx'} $varname有定义则输出$varname,否则输出xxx - $str = ''; + $str = 'parseVarFunction($name) . ' : ' . $str . '; ?>'; break; case '=': // {$varname?='xxx'} $varname为真时才输出xxx - $str = ''; + $str = ''; break; case ':': // {$varname?:'xxx'} $varname为真时输出$varname,否则输出xxx - $str = ''; + $str = 'parseVarFunction($name) . ' : ' . $str . '; ?>'; break; default: - $str = ''; + if (strpos($str, ':')) { + // {$varname ? 'a' : 'b'} $varname为真时输出a,否则输出b + $array = explode(':', $str, 2); + + $array[0] = strpos(trim($array[0]), '$') === 0 ? $this->parseVarFunction($array[0]) : $array[0]; + $array[1] = strpos(trim($array[1]), '$') === 0 ? $this->parseVarFunction($array[1]) : $array[1]; + + $str = implode(' : ', $array); + } + $str = ''; } } } else { 
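Review bot: The call removed in the @@ -732 hunk is kept as a commented-out copy, `//$this->parseVarFunction($name);`, while the live call is re-added under `case '?':` in the @@ -745 hunk; the commented line is dead text and should be deleted rather than left beside the new placement. Commented-out code next to a moved call invites a later reader to "restore" it. The enclosing method starts and ends outside these hunks.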
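Review bot: In the `default:` branch of the @@ -760 hunk, `strpos($str, ':')` followed by `explode(':', $str, 2)` splits on the first colon anywhere in the expression, so a quoted literal containing a colon in the true branch (a URL such as `'http://…'`, a time, or a `Class::CONST` reference) is cut inside the literal and `implode(' : ', $array)` reassembles it into invalid PHP. Either skip colons inside quotes when splitting, for example `preg_split("/:(?=(?:[^'\"]|'[^']*'|\"[^\"]*\")*$)/", $str, 2)`, or document in the branch comment that string literals in the ternary must not contain `:`. The `in_array($first, ['?', '=', ':'])` check would also be better with `true` as the third argument. The generated `<?php … ?>` strings appear stripped in this rendering, so their content cannot be reviewed here; the enclosing method also continues outside the hunk.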
@@ -886,13 +905,20 @@ class Template * 格式 {$varname|function1|function2=arg1,arg2} * @access public * @param string $varStr 变量字符串 + * @param bool $autoescape 自动转义 * @return void */ - public function parseVarFunction(&$varStr) + public function parseVarFunction(&$varStr, $autoescape = true) { - if (false == strpos($varStr, '|')) { - return; + if (!$autoescape && strpos($varStr, '|') === false) { + return $varStr; + } elseif ($autoescape && !preg_match('/\|(\s)?raw(\||\s)?/i', $varStr) && $this->config['default_filter']) { + // 如果varStr中不存在默认过滤规则,则应用默认过滤 + if (!preg_match('/\|(\s)?' . $this->config['default_filter'] . '(\||\s)?/i', $varStr)) { + $varStr .= '|' . $this->config['default_filter']; + } } + static $_varFunctionList = []; $_key = md5($varStr); //如果已经解析过该变量字串,则直接返回变量值 @@ -901,7 +927,7 @@ class Template } else { $varArray = explode('|', $varStr); // 取得变量名称 - $name = array_shift($varArray); + $name = trim(array_shift($varArray)); // 对变量使用函数 $length = count($varArray); // 取得模板禁止使用函数列表 @@ -911,6 +937,11 @@ class Template // 模板函数过滤 $fun = trim($args[0]); switch ($fun) { + case 'raw': + break; + case 'htmlentities': + $name = 'htmlentities((string) ' . $name . ')'; + break; case 'default': // 特殊模板函数 if (false === strpos($name, '(')) { $name = '(isset(' . $name . ') && (' . $name . ' !== \'\')?' . $name . ':' . $args[1] . ')'; diff --git a/library/think/template/TagLib.php b/library/think/template/TagLib.php index c5b72f91..fbd6cfb5 100644 --- a/library/think/template/TagLib.php +++ b/library/think/template/TagLib.php @@ -317,7 +317,7 @@ class TagLib $name = '$' . $name; } $this->tpl->parseVar($name); - $this->tpl->parseVarFunction($name); + $this->tpl->parseVarFunction($name, false); return $name; }
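Review bot: The raw-filter detection regex `'/\|(\s)?raw(\||\s)?/i'` in the new `elseif` has an optional trailing group, so it also matches `|rawurlencode` and `|rawurldecode` (standard PHP functions, usable as template filters unless the deny list outside this hunk blocks them) and silently disables the default escaping for them; `{$s|rawurldecode}` would then be echoed unescaped. Anchor the filter name, `'/\|\s*raw\s*(\||$)/i'`, and give the `default_filter` check two lines below the same `(\||$)` ending, since it has the same optional group. The config value should also be inserted with `preg_quote($this->config['default_filter'], '/')` so a filter name containing regex metacharacters cannot break or widen the pattern. The docblock still says `@return void` while the `!$autoescape` path now returns `$varStr` and the @@ -760 hunk assigns the call's result; update it to `@return string` if that is what the rest of the method (outside this hunk) returns.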
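Review bot: The new `case 'htmlentities':` in the @@ -911 hunk builds `htmlentities((string) …)` with no flags and no charset, so the escaping depends on the runtime PHP version and `default_charset`: before PHP 8.1 the default flags are `ENT_COMPAT | ENT_HTML401`, which leaves single quotes unescaped (a value inside a single-quoted attribute can still break out), and an invalid byte sequence makes the call return an empty string instead of substituting it. Emit explicit arguments: `$name = 'htmlentities((string) ' . $name . ', ENT_QUOTES | ENT_SUBSTITUTE, \'UTF-8\')';`. It is also worth stating next to the `default_filter` option added in the @@ -51 hunk that this filter is correct only for HTML text and attribute contexts, and that values placed into JavaScript, URLs or CSS still need a context-specific filter. The `switch ($fun)` sits inside a loop whose start is outside this hunk.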
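Review bot: In the TagLib hunk, `$this->tpl->parseVarFunction($name, false)` passes a bare positional `false` that turns off the new default filter for every variable built here, and nothing in the hunk records why this path is exempt from escaping. Add a comment with the reason, e.g. `// autoescape disabled: the built variable feeds tag expressions, not echoed output — confirm`, so a later reader does not re-enable it by accident or miss that output built through this helper bypasses the escaping the commit introduces. The method header is outside the hunk; if any tag echoes the returned `$name` directly, that output is the one place the default filter does not apply.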