From 80263a91dc5476baafa7b2a1282e40aebe9fed12 Mon Sep 17 00:00:00 2001
From: Daniel Rudolf
Date: Sat, 24 Feb 2018 14:02:59 +0100
Subject: [PATCH] Disallow the use of the callback filter for the url_param and form_param Twig functions

---
 lib/PicoTwigExtension.php | 60 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/lib/PicoTwigExtension.php b/lib/PicoTwigExtension.php
index f4662b2..9d499cb 100644
--- a/lib/PicoTwigExtension.php
+++ b/lib/PicoTwigExtension.php
@@ -89,8 +89,8 @@ class PicoTwigExtension extends Twig_Extension
 public function getFunctions()
 {
 return array(
- 'url_param' => new Twig_SimpleFunction('url_param', array($this->pico, 'getUrlParameter')),
- 'form_param' => new Twig_SimpleFunction('form_param', array($this->pico, 'getFormParameter'))
+ 'url_param' => new Twig_SimpleFunction('url_param', array($this, 'urlParamFunction')),
+ 'form_param' => new Twig_SimpleFunction('form_param', array($this, 'formParamFunction'))
 );
 }
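Review bot: Re-pointing the two registered names to the wrappers only covers calls that go through `url_param`/`form_param`; `Pico::getUrlParameter()` and `Pico::getFormParameter()` themselves are left as they were, so if the Pico instance (or any object exposing it) is reachable from templates by another route — a template global or a plugin-provided variable, which this hunk does not show — the callback filter would still be callable there. A one-line comment on the registration would record the intent for the next maintainer, e.g. `// route through wrappers that refuse the 'callback' filter (see urlParamFunction())`, and if the Pico object turns out to be template-visible the refusal belongs in the Pico methods themselves rather than only in the Twig layer. getFunctions() is shown in full in this hunk.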
@@ -281,4 +281,60 @@ class PicoTwigExtension extends Twig_Extension
 return $var;
 }
+
+ /**
+ * Filters a URL GET parameter with a specified filter
+ *
+ * The Twig function disallows the use of the `callback` filter.
+ *
+ * @see Pico::getUrlParameter()
+ *
+ * @param string $name name of the URL GET parameter
+ * to filter
+ * @param int|string $filter the filter to apply
+ * @param mixed|array $options either a associative options
+ * array to be used by the filter or a scalar default value
+ * @param int|string|int[]|string[] $flags flags and flag strings to be
+ * used by the filter
+ *
+ * @return mixed either the filtered data, FALSE if the filter fails, or
+ * NULL if the URL GET parameter doesn't exist and no default value is
+ * given
+ */
+ public function urlParamFunction($name, $filter = '', $options = null, $flags = null)
+ {
+ if (($filter === 'callback') || ($filter === FILTER_CALLBACK)) {
+ return false;
+ }
+
+ return $this->pico->getUrlParameter($name, $filter, $options, $flags);
+ }
+
+ /**
+ * Filters a HTTP POST parameter with a specified filter
+ *
+ * The Twig function disallows the use of the `callback` filter.
+ *
+ * @see Pico::getFormParameter()
+ *
+ * @param string $name name of the HTTP POST
+ * parameter to filter
+ * @param int|string $filter the filter to apply
+ * @param mixed|array $options either a associative options
+ * array to be used by the filter or a scalar default value
+ * @param int|string|int[]|string[] $flags flags and flag strings to be
+ * used by the filter
+ *
+ * @return mixed either the filtered data, FALSE if the filter fails, or
+ * NULL if the HTTP POST parameter doesn't exist and no default value
+ * is given
+ */
+ public function formParamFunction($name, $filter = '', $options = null, $flags = null)
+ {
+ if (($filter === 'callback') || ($filter === FILTER_CALLBACK)) {
+ return false;
+ }
+
+ return $this->pico->getFormParameter($name, $filter, $options, $flags);
+ }
 }
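Review bot: The guard in urlParamFunction and formParamFunction is a denylist on the raw argument — it rejects only the exact string `'callback'` and the exact int `FILTER_CALLBACK` — rather than on the resolved filter, so whether other spellings reach the callback filter depends on how `Pico::getUrlParameter()`/`getFormParameter()` (not in this hunk) normalise `$filter`; if they hand a numeric string holding FILTER_CALLBACK's value straight to filter_var(), PHP's int coercion would select the callback filter and this check would be bypassed. Resolving the filter before comparing closes that gap, and since both methods repeat the same three lines verbatim it is worth hoisting into one private helper: `$filterId = (is_string($filter) && !is_numeric($filter)) ? filter_id($filter) : (int) $filter;` followed by `if ($filterId === FILTER_CALLBACK) { return false; }`, leaving `$filter` itself untouched for the downstream call. Returning `false` also makes a refused callback indistinguishable from a failed filter for the template author, so the early return deserves a why-comment such as `// the callback filter would let a template invoke an arbitrary PHP callable via $options; refuse it outright`, and the `@return` docblocks should say that `false` is also returned when the callback filter is requested.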