- Patch #137236 by merlinofchaos: provide a way to secure the theme variables system.

1 files changed, 5 insertions, 216 deletions

diff --git a/themes/engines/phptemplate/phptemplate.engine b/themes/engines/phptemplate/phptemplate.engine
index 331615967..86f1a002f 100644
--- a/themes/engines/phptemplate/phptemplate.engine
+++ b/themes/engines/phptemplate/phptemplate.engine
@@ -14,18 +14,13 @@ function phptemplate_init($template) {
 }
 
 /**
- * Implementation of hook_themes to tell Drupal what templates the engine
+ * Implementation of hook_theme to tell Drupal what templates the engine
  * and the current theme use. The $existing argument will contain hooks
  * pre-defined by Drupal so that we can use that information if
  * we need to.
  */
 function phptemplate_theme($existing) {
-  $templates = array(
-    'box' => array('file' => 'box'),
-    'node' => array('file' => 'node'),
-    'comment' => array('file' => 'comment'),
-    'block' => array('file' => 'block'),
-  );
+  $templates = array();
 
   // Check for template overrides.
   $files = drupal_system_listing('\.tpl\.php$', path_to_theme(), 'name', 0);
@@ -68,13 +63,12 @@ function phptemplate_templates($directory = 'themes') {
  *
  * Counts how many times certain hooks have been called. Sidebar left / right are special cases.
  *
+ * @param $variables
+ *   A series of key-value value pairs.
  * @param $hook
  *   The name of the theme function being executed.
- * @param $variables
- *   A sequential array of variables passed to the theme function.
  */
-function phptemplate_engine_variables(&$variables, $hook) {
-  global $theme, $sidebar_indicator;
+function phptemplate_engine_preprocess(&$variables, $hook) {
   static $count = array();
 
   // Create variables so anything which is themed can be zebra striped automatically.
@@ -86,208 +80,3 @@ function phptemplate_engine_variables(&$variables, $hook) {
   $variables['directory'] = path_to_theme();
   $variables['is_front'] = drupal_is_front_page();
 }
-
-/**
- * Prepare the variables passed to the page.tpl.php template Uses the arg()
- * function to generate a series of page template files suggestions based on
- * the current path.
- */
-function phptemplate_engine_variables_page(&$variables) {
-  /* Set title and breadcrumb to declared values */
-  if (drupal_is_front_page()) {
-    $variables['mission'] = filter_xss_admin(theme_get_setting('mission'));
-  }
-
-  /* Add favicon */
-  if (theme_get_setting('toggle_favicon')) {
-    drupal_set_html_head('<link rel="shortcut icon" href="'. check_url(theme_get_setting('favicon')) .'" type="image/x-icon" />');
-  }
-
-  /**
-  * Populate sidebars.
-  */
-  $variables['sidebar_left'] = NULL;
-  $variables['sidebar_right'] = NULL;
-  $layout = 'none';
-  if ($variables['show_blocks']) {
-    global $sidebar_indicator;
-    /**
-     * Sidebar_indicator tells the block counting code to count sidebars separately.
-     */
-    $sidebar_indicator = 'left';
-    $variables['sidebar_left'] = theme('blocks', 'left');
-    if ($variables['sidebar_left'] != '') {
-      $layout = 'left';
-    }
-
-    $sidebar_indicator = 'right';
-    $variables['sidebar_right'] = theme('blocks', 'right');
-    if ($variables['sidebar_right'] != '') {
-      $variables['layout'] = ($layout == 'left') ? 'both' : 'right';
-    }
-    $sidebar_indicator = NULL;
-  }
-  $variables['layout'] = $layout;
-
-  global $theme;
-  // Populate the rest of the regions.
-  $regions = system_region_list($theme);
-  // Load all region content assigned via blocks.
-  foreach (array_keys($regions) as $region) {
-    // Skip blocks in this region that have already been loaded.
-    // This pre-loading is necessary because phptemplate uses variable names different from
-    // the region names, e.g., 'sidebar_left' instead of 'left'.
-    if (!in_array($region, array('left', 'right', 'footer'))) {
-      isset($variables[$region]) ? $variables[$region] .= theme('blocks', $region) : $variables[$region] = theme('blocks', $region);
-    }
-  }
-
-  // Construct page title
-  if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
-  }
-  else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
-    if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
-    }
-  }
-  $variables['head_title']        = implode(' | ', $head_title);
-  $variables['base_path']         = base_path();
-  $variables['breadcrumb']        = theme('breadcrumb', drupal_get_breadcrumb());
-  $variables['closure']           = theme('closure');
-  $variables['feed_icons']        = drupal_get_feeds();
-  $variables['footer_message']    = filter_xss_admin(variable_get('site_footer', FALSE)) . "\n" . theme('blocks', 'footer');
-  $variables['head']              = drupal_get_html_head();
-  $variables['help']              = theme('help');
-  $variables['language']          = $GLOBALS['language'];
-  $variables['logo']              = theme_get_setting('logo');
-  $variables['messages']          = theme('status_messages');
-  $variables['mission']           = isset($mission) ? $mission : '';
-  $variables['primary_links']     = menu_primary_links();
-  $variables['search_box']        = (theme_get_setting('toggle_search') ? drupal_get_form('search_theme_form') : '');
-  $variables['secondary_links']   = menu_secondary_links();
-  $variables['site_name']         = (theme_get_setting('toggle_name') ? variable_get('site_name', 'Drupal') : '');
-  $variables['site_slogan']       = (theme_get_setting('toggle_slogan') ? variable_get('site_slogan', '') : '');
-  $variables['css']               = drupal_add_css();
-  $variables['styles']            = drupal_get_css();
-  $variables['scripts']           = drupal_get_js();
-  $variables['tabs']              = theme('menu_local_tasks');
-  $variables['title']             = drupal_get_title();
-
-  if ((arg(0) == 'node') && is_numeric(arg(1))) {
-    $variables['node'] = node_load(arg(1));
-  }
-
-  // Build a list of suggested template files in order of specificity. One
-  // suggestion is made for every element of the current path, though
-  // numeric elements are not carried to subsequent suggestions. For example,
-  // http://www.example.com/node/1/edit would result in the following
-  // suggestions:
-  //
-  // page-node-edit.tpl.php
-  // page-node-1.tpl.php
-  // page-node.tpl.php
-  // page.tpl.php
-  $i = 0;
-  $suggestion = 'page';
-  $suggestions = array();
-  while ($arg = arg($i++)) {
-    $suggestions[] = $suggestion . '-' . $arg;
-    if (!is_numeric($arg)) {
-      $suggestion .= '-' . $arg;
-    }
-  }
-  if (drupal_is_front_page()) {
-    $suggestions[] = 'page-front';
-  }
-
-  if ($suggestions) {
-    $variables['template_files'] = $suggestions;
-  }
-}
-
-/*
- * Prepare the values passed to the theme_node function to be passed
- * into standard template files.
- */
-function phptemplate_engine_variables_node(&$variables) {
-  $node = $variables['node'];
-  if (module_exists('taxonomy')) {
-    $variables['taxonomy'] = taxonomy_link('taxonomy terms', $node);
-  }
-  else {
-    $variables['taxonomy'] = array();
-  }
-
-  if ($variables['teaser'] && $node->teaser) {
-    $variables['content'] = $node->teaser;
-  }
-  elseif (isset($node->body)) {
-    $variables['content'] = $node->body;
-  }
-  else {
-    $variables['content'] = '';
-  }
-
-  $variables['date']      = format_date($node->created);
-  $variables['links']     = !empty($node->links) ? theme('links', $node->links, array('class' => 'links inline')) : '';
-  $variables['name']      = theme('username', $node);
-  $variables['node_url']  = url('node/'. $node->nid);
-  $variables['terms']     = theme('links', $variables['taxonomy'], array('class' => 'links inline'));
-  $variables['title']     = check_plain($node->title);
-
-  // Flatten the node object's member fields.
-  $variables = array_merge((array)$node, $variables);
-
-  // Display info only on certain node types.
-  if (theme_get_setting('toggle_node_info_' . $node->type)) {
-    $variables['submitted'] = t('Submitted by !a on @b.', array('!a' => theme('username', $node), '@b' => format_date($node->created)));
-    $variables['picture'] = theme_get_setting('toggle_node_user_picture') ? theme('user_picture', $node) : '';
-  }
-  else {
-    $variables['submitted'] = '';
-    $variables['picture'] = '';
-  }
-
-  $variables['template_files'][] = 'node-'. $node->type;
-}
-
-/**
- * Prepare the values passed to the theme_comment function to be passed
- * into a pluggable template engine.
- */
-// function phptemplate_comment($comment, $links = 0) {
-function phptemplate_engine_variables_comment(&$variables) {
-  $comment = $variables['comment'];
-  $variables['author']    = theme('username', $comment);
-  $variables['comment']   = $comment;
-  $variables['content']   = $comment->comment;
-  $variables['date']      = format_date($comment->timestamp);
-  $variables['links']     = isset($variables['links']) ? theme('links', $variables['links']) : '';
-  $variables['new']       = $comment->new ? t('new') : '';
-  $variables['picture']   = theme_get_setting('toggle_comment_user_picture') ? theme('user_picture', $comment) : '';
-  $variables['signature'] = $comment->signature;
-  $variables['submitted'] = t('Submitted by !a on @b.',
-                      array('!a' => theme('username', $comment),
-                            '@b' => format_date($comment->timestamp)));
-  $variables['title']     = l($comment->subject, $_GET['q'], array('fragment' => "comment-$comment->cid"));
-}
-
-/**
- * Prepare the values passed to the theme_block function to be passed
- * into a pluggable template engine. Uses block properties to generate a
- * series of template file suggestions. If none are found, the default
- * block.tpl.php is used.
- */
-function phptemplate_engine_variables_block(&$variables) {
-  global $sidebar_indicator;
-  $count['block_counter'][$sidebar_indicator] = isset($count['block_counter'][$sidebar_indicator]) && is_int($count['block_counter'][$sidebar_indicator]) ? $count['block_counter'][$sidebar_indicator] : 1;
-
-  $variables['block_zebra'] = ($count['block_counter'][$sidebar_indicator] % 2) ? 'odd' : 'even';
-
-  $variables['block_id'] = $count['block_counter'][$sidebar_indicator]++;
-  $variables['template_files'][] = 'block-' . $variables['block']->region;
-  $variables['template_files'][] = 'block-' . $variables['block']->module;
-  $variables['template_files'][] = 'block-' . $variables['block']->module .'-'. $variables['block']->delta;
-}