function _webform_filter_values in Webform 6.3
Same name and namespace in other branches
- 5.2 webform.module \_webform_filter_values()
- 6.2 webform.module \_webform_filter_values()
- 7.4 webform.module \_webform_filter_values()
- 7.3 webform.module \_webform_filter_values()
Filters all special tokens provided by webform, such as %post and %profile.
Parameters
$string: The string to have its tokens replaced.
$node: If replacing node-level tokens, the node for which tokens will be created.
$submission: If replacing submission-level tokens, the submission for which tokens will be created.
$email: If replacing tokens within the context of an e-mail, the Webform e-mail settings array.
$strict: Boolean value indicating if the results should be run through check_plain. This is used any time the values will be output as HTML, but not in default values or e-mails.
$allow_anonymous: Boolean value indicating if all tokens should be replaced for anonymous users, even if they contain sensitive user information such as %session or %ip_address. This is disabled by default to prevent user data from being preserved in the anonymous page cache and should only be used in non-cached situations, such as e-mails.
17 calls to _webform_filter_values()
- webform_client_form_submit in ./
webform.module - Submit handler for saving the form values and sending e-mails.
- webform_email_edit_form in includes/
webform.emails.inc - Form for configuring an e-mail setting and template.
- webform_format_email_address in ./
webform.module - Given an email address and a name, format an e-mail address.
- webform_format_email_subject in ./
webform.module - Given an email subject, format it with any needed replacements.
- webform_submission_send_mail in includes/
webform.submissions.inc - Send related e-mails related to a submission.
File
- ./
webform.module, line 2757
Code
/**
 * Filters all special tokens provided by webform, such as %post and %profile.
 *
 * Token values are built lazily and kept in a function-static cache for the
 * rest of the request, so repeated calls (e.g. subject, from-address and body
 * of the same e-mail) do not recompute them. Three buckets are kept:
 * - 'safe': tokens that may be substituted for anonymous users (%site, %date,
 *   %nid, %title, %get[...], %post[...]). "Safe" here means "not private to
 *   one user" with respect to the anonymous page cache; it says nothing about
 *   HTML safety, which comes only from $strict.
 * - 'unsafe': per-user data (%sid, %submission_url, %uid, %username,
 *   %useremail, %ip_address, %cookie[...], %session[...], %request[...],
 *   %server[...], %profile[...]). Blanked for anonymous users unless
 *   $allow_anonymous is set.
 * - 'email': per-format (html/text) rendered component tokens
 *   (%email[key], %value[key], %email_values). Only substituted for
 *   authenticated users or when $allow_anonymous is set.
 *
 * @param $string
 *   The string to have its tokens replaced.
 * @param $node
 *   If replacing node-level tokens, the node for which tokens will be created.
 *   The submission branch below dereferences $node unconditionally, so a
 *   $submission must always be accompanied by its $node.
 * @param $submission
 *   If replacing submission-level tokens, the submission for which tokens will
 *   be created.
 * @param $email
 *   If replacing tokens within the context of an e-mail, the Webform e-mail
 *   settings array. Only $email['html'] is read here (to pick the format).
 * @param $strict
 *   Boolean: if TRUE the result is passed through _webform_filter_xss() before
 *   being returned (the API description mentions check_plain, but this
 *   version calls _webform_filter_xss()). With $strict FALSE the substituted
 *   request data (%get, %post, %request, %server, ...) is returned unfiltered,
 *   so callers must not emit such output as HTML.
 * @param $allow_anonymous
 *   Boolean: if TRUE, 'unsafe' and 'email' tokens are substituted even for
 *   anonymous users. Keep FALSE anywhere the output may end up in the
 *   anonymous page cache.
 *
 * @return
 *   The string with tokens replaced, and any leftover %get/%post/%cookie/
 *   %session/%request/%server/%profile tokens removed.
 */
function _webform_filter_values($string, $node = NULL, $submission = NULL, $email = NULL, $strict = TRUE, $allow_anonymous = FALSE) {
  global $user;
  // Request-scoped cache of token values; survives across calls.
  static $replacements;

  // Don't do any filtering if the string is empty.
  if (strlen(trim($string)) == 0) {
    return $string;
  }

  // Setup default token replacements. %date is therefore the time of the
  // first call in this request, not of each call.
  if (!isset($replacements)) {
    $replacements['unsafe'] = array();
    $replacements['safe']['%site'] = variable_get('site_name', 'drupal');
    $replacements['safe']['%date'] = format_date(time(), 'large');
  }

  // Node replacements.
  // NOTE(review): %nid/%title are set only once per request, from the first
  // $node passed in. A later call with a different $node in the same request
  // keeps the stale values; only the submission tokens below are re-keyed.
  if (isset($node) && !array_key_exists('%nid', $replacements['safe'])) {
    $replacements['safe']['%nid'] = $node->nid;
    $replacements['safe']['%title'] = $node->title;
  }

  // Determine the display format.
  $format = isset($email['html']) && $email['html'] ? 'html' : 'text';

  // Submission replacements.
  // Rebuilt when this format has not been rendered yet, or when the cached
  // %sid belongs to a different submission than the one passed in.
  if (isset($submission) && (!isset($replacements['email'][$format]) || isset($replacements['unsafe']['%sid']) && $replacements['unsafe']['%sid'] != $submission->sid)) {
    module_load_include('inc', 'webform', 'includes/webform.components');

    // Set the submission ID.
    $replacements['unsafe']['%sid'] = $submission->sid;

    // E-mails may be sent in two formats, keep tokens separate for each one.
    $replacements['email'][$format] = array();

    // Populate token values for each component.
    foreach ($submission->data as $cid => $value) {
      $component = $node->webform['components'][$cid];

      // Find by form key.
      $parents = webform_component_parent_keys($node, $component);
      $form_key = implode('][', $parents);

      $display_element = webform_component_invoke($component['type'], 'display', $component, $value['value'], $format);

      // Ensure the component is added as a property.
      $display_element['#webform_component'] = $component;

      if (empty($display_element['#parents'])) {
        $display_element['#parents'] = array_merge(array(
          'submitted',
        ), $parents);
      }
      if (empty($display_element['#id'])) {
        $display_element['#id'] = form_clean_id('edit-' . implode('-', $display_element['#parents']));
      }

      // %email[key] is the fully rendered element (label, wrapper, value);
      // %value[key] is only the rendered value ('#children'), if any.
      $replacements['email'][$format]['%email[' . $form_key . ']'] = drupal_render($display_element);
      $replacements['email'][$format]['%value[' . $form_key . ']'] = isset($display_element['#children']) ? $display_element['#children'] : '';
    }

    // Provide blanks for components in the webform but not in the submission.
    $missing_components = array_diff_key($node->webform['components'], $submission->data);
    foreach ($missing_components as $component) {
      $parents = webform_component_parent_keys($node, $component);
      $form_key = implode('][', $parents);
      $replacements['email'][$format]['%email[' . $form_key . ']'] = '';
      $replacements['email'][$format]['%value[' . $form_key . ']'] = '';
    }

    // Submission edit URL.
    $replacements['unsafe']['%submission_url'] = url('node/' . $node->nid . '/submission/' . $submission->sid, array(
      'absolute' => TRUE,
    ));
  }

  // Token for the entire form tree for e-mails. Not cached: re-rendered on
  // every call that supplies both a submission and e-mail settings.
  if (isset($submission) && isset($email)) {
    $replacements['email'][$format]['%email_values'] = webform_submission_render($node, $submission, $email, $format);
  }

  // Provide a list of candidates for token replacement.
  // These are raw request/environment superglobals; nothing is escaped at this
  // point, so their values reach the output exactly as received unless
  // $strict applies _webform_filter_xss() at the end.
  $special_tokens = array(
    'safe' => array(
      '%get' => $_GET,
      '%post' => $_POST,
    ),
    'unsafe' => array(
      '%cookie' => isset($_COOKIE) ? $_COOKIE : array(),
      '%session' => isset($_SESSION) ? $_SESSION : array(),
      '%request' => $_REQUEST,
      '%server' => $_SERVER,
      '%profile' => (array) $user,
    ),
  );

  // Replacements of global variable tokens.
  // Populated once per request: the superglobal values are snapshotted on the
  // first call and later changes to $_GET/$_POST etc. are not picked up.
  if (!isset($replacements['specials_set'])) {
    $replacements['specials_set'] = TRUE;

    // Load profile information if available.
    if ($user->uid) {
      $account = user_load($user->uid);
      $special_tokens['unsafe']['%profile'] = (array) $account;
    }

    // User replacements.
    if (!array_key_exists('%uid', $replacements['unsafe'])) {
      $replacements['unsafe']['%uid'] = !empty($user->uid) ? $user->uid : '';
      $replacements['unsafe']['%username'] = isset($user->name) ? $user->name : '';
      $replacements['unsafe']['%useremail'] = isset($user->mail) ? $user->mail : '';
      $replacements['unsafe']['%ip_address'] = ip_address();
    }

    // Populate the replacements array with special variables.
    foreach ($special_tokens as $safe_state => $tokens) {
      foreach ($tokens as $token => $variable) {
        // Safety check in case $_POST or some other global has been removed
        // by a naughty module, in which case $variable may be NULL.
        if (!is_array($variable)) {
          continue;
        }
        foreach ($variable as $key => $value) {
          // This special case for profile module dates.
          if ($token == '%profile' && is_array($value) && isset($value['year'])) {
            $replacement = webform_strtodate(webform_date_format(), $value['month'] . '/' . $value['day'] . '/' . $value['year'], 'UTC');
          }
          else {
            // Checking for complex types (arrays and objects) fails here with
            // incomplete objects (see http://php.net/is_object), so we check
            // for simple types instead. Anything non-scalar (nested arrays,
            // objects, NULL) becomes an empty string.
            $replacement = is_string($value) || is_bool($value) || is_numeric($value) ? $value : '';
          }
          // Each entry becomes a token of the form %token[key].
          $replacements[$safe_state][$token . '[' . $key . ']'] = $replacement;
        }
      }
    }
  }

  // Make a copy of the replacements so we don't affect the static version.
  $safe_replacements = $replacements['safe'];

  // Restrict replacements for anonymous users. Not all tokens can be used
  // because they may expose session or other private data to other users when
  // anonymous page caching is enabled.
  if ($user->uid || $allow_anonymous) {
    $safe_replacements += $replacements['unsafe'];
    if (isset($replacements['email'][$format])) {
      $safe_replacements += $replacements['email'][$format];
    }
  }
  else {
    // Unsafe tokens are replaced with '' rather than left in place. The
    // 'email' tokens are not added at all here, so %email[...]/%value[...]
    // survive untouched in the output for anonymous users.
    foreach ($replacements['unsafe'] as $key => $value) {
      $safe_replacements[$key] = '';
    }
  }

  // Single-pass plain-text substitution; str_replace does not re-scan
  // replaced text for further tokens.
  $find = array_keys($safe_replacements);
  $replace = array_values($safe_replacements);
  $string = str_replace($find, $replace, $string);

  // Clean up any unused tokens.
  // Only the superglobal-style tokens (%get[...], %post[...], %cookie[...],
  // ...) are stripped; other unmatched tokens are left as-is. The pattern
  // built here is e.g. /\%get\[\w+\]/.
  foreach ($special_tokens as $safe_state => $tokens) {
    foreach (array_keys($tokens) as $token) {
      $string = preg_replace('/\\' . $token . '\\[\\w+\\]/', '', $string);
    }
  }

  // Output filtering is applied to the whole result, including any raw
  // request data substituted above, and only when $strict is TRUE.
  return $strict ? _webform_filter_xss($string) : $string;
}