Trim down the list of allowed template modifiers

author Alexander Ebert <ebert@woltlab.com>

Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)

committer Alexander Ebert <ebert@woltlab.com>

Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)
author Alexander Ebert <ebert@woltlab.com>
Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)
committer Alexander Ebert <ebert@woltlab.com>
Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)
diff --git a/wcfsetup/install/files/lib/system/template/TemplateScriptingCompiler.class.php b/wcfsetup/install/files/lib/system/template/TemplateScriptingCompiler.class.php

index 867b81137f6e3d9073d43dc948f60426dcc1c7bf..81597306c197df3b8129e6ec4bfb8dddf02f6a64 100644 (file)
--- a/wcfsetup/install/files/lib/system/template/TemplateScriptingCompiler.class.php
+++ b/wcfsetup/install/files/lib/system/template/TemplateScriptingCompiler.class.php
@@ -36,40 +36,29 @@ class TemplateScriptingCompiler
       */
      protected $allowedModifierFunctions = [
          'abs',
-        'addslashes',
-        'array_diff',
-        'array_fill',
          'array_key_exists',
          'array_keys',
          'array_pop',
-        'array_slice',
          'array_values',
          'base64_decode',
          'base64_encode',
          'basename',
          'ceil',
          'concat',
-        'constant',
          'count',
          'currency',
          'current',
          'date',
          'defined',
-        'doubleval',
          'empty',
          'end',
          'explode',
-        'file_exists',
          'filesize',
          'floatval',
          'floor',
          'function_exists',
          'get_class',
          'gmdate',
-        'hash',
-        'htmlspecialchars',
-        'html_entity_decode',
-        'http_build_query',
          'implode',
          'in_array',
          'is_array',
@@ -81,14 +70,10 @@ class TemplateScriptingCompiler
          'intval',
          'is_subclass_of',
          'isset',
-        'json_encode',
          'key',
-        'lcfirst',
          'ltrim',
          'max',
-        'mb_strpos',
          'mb_strlen',
-        'mb_strpos',
          'mb_strtolower',
          'mb_strtoupper',
          'mb_substr',
@@ -96,9 +81,6 @@ class TemplateScriptingCompiler
          'method_exists',
          'microtime',
          'min',
-        'nl2br',
-        'number_format',
-        'parse_url',
          'preg_match',
          'preg_replace',
          'print_r',
@@ -108,29 +90,17 @@ class TemplateScriptingCompiler
          'round',
          'sha1',
          'spl_object_hash',
-        'sprintf',
          'strip_tags',
          'strlen',
-        'strpos',
-        'strtolower',
-        'strtotime',
-        'strtoupper',
          'str_contains',
          'str_ends_with',
-        'str_ireplace',
-        'str_pad',
          'str_repeat',
          'str_replace',
          'str_starts_with',
-        'substr',
          'trim',
-        'ucfirst',
-        'uniqid',
-        'urlencode',
          'var_dump',
          'version_compare',
          'wcfDebug',
-        'wordwrap',
      ];
  
      /**
@@ -1432,8 +1402,7 @@ class TemplateScriptingCompiler
              return $variable;
          } elseif (
              $allowConstants
-            && (
-                $variable == 'true'
+            && ($variable == 'true'
                  || $variable == 'false'
                  || $variable == 'null'
                  || $variable == '[]'
author	Alexander Ebert <ebert@woltlab.com>
	Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)
committer	Alexander Ebert <ebert@woltlab.com>
	Fri, 11 Aug 2023 14:46:17 +0000 (16:46 +0200)