private static void EvaluateChildren(
XDoc script,
XmlElement node,
DekiScriptEvalContext context,
DekiScriptEnv env,
DekiScriptRuntime runtime,
out bool scripted,
ref bool error
)
{
scripted = false;
// recurse first to evaluate nested script content
XmlNode child = node.FirstChild;
while (child != null)
{
XmlNode next = child.NextSibling;
if (child.NodeType == XmlNodeType.Element)
{
bool childScripted;
next = Evaluate(script, (XmlElement)child, context, env, runtime, out childScripted, ref error);
scripted = scripted || childScripted;
}
child = next;
}
}
//--- Class Methods ---
public static XmlNode Evaluate(
XDoc script,
XmlElement node,
DekiScriptEvalContext context,
DekiScriptEnv env,
DekiScriptRuntime runtime,
out bool scripted,
ref bool error
) {
if((context.Mode != DekiScriptEvalMode.Verify) && (context.Mode != DekiScriptEvalMode.EvaluateEditOnly) && (context.Mode != DekiScriptEvalMode.EvaluateSaveOnly)) {
throw new InvalidOperationException("DekiScript interpreter can only used for save, edit, or verify evaluations.");
}
scripted = false;
XmlNode next = node.NextSibling;
try {
// check if element needs to be evaluated
if(StringUtil.EqualsInvariant(node.NamespaceURI, XDekiScript.ScriptNS)) {
scripted = true;
// NOTE (steveb): <eval:xyz> nodes are not processed by the interpreter anymore
} else {
XDoc current = script[node];
bool hasScriptClass = StringUtil.EqualsInvariant(node.GetAttribute("class"), "script");
#region <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
// check if element has form <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
scripted = node.HasAttribute("init") || node.HasAttribute("if") || node.HasAttribute("foreach") || node.HasAttribute("block");
if(context.Mode == DekiScriptEvalMode.Verify) {
// check if "block" is present
string blockAttr = node.GetAttribute("block");
if(!string.IsNullOrEmpty(blockAttr)) {
// TODO (steveb): validate script expression
}
// check if "foreach" is present
string foreachAttr = node.GetAttribute("foreach");
if(!string.IsNullOrEmpty(foreachAttr)) {
// TODO (steveb): validate script expression
}
// check if "if" is present
string ifAttr = node.GetAttribute("if");
if(!string.IsNullOrEmpty(ifAttr)) {
// TODO (steveb): validate script expression
}
// check if "init" is present
string initAttr = node.GetAttribute("init");
if(!string.IsNullOrEmpty(initAttr)) {
// TODO (steveb): validate script expression
}
}
#endregion
// evaluate child nodes
EvaluateChildren(script, node, context, env, runtime, out scripted, ref error);
#region evaluate attributes
for(int i = 0; i < node.Attributes.Count; ++i) {
XmlAttribute attribute = node.Attributes[i];
// check if attribute needs to be evaluated
if(attribute.NamespaceURI == XDekiScript.ScriptNS) {
scripted = true;
// NOTE (steveb): eval:xyz="abc" attributes are not processed by the interpreter anymore
} else if(StringUtil.StartsWithInvariant(attribute.Value, "{{") && StringUtil.EndsWithInvariant(attribute.Value, "}}")) {
scripted = true;
// NOTE (steveb): key="{{value}}"
string code = attribute.Value.Substring(2, attribute.Value.Length - 4).Trim();
// check if script content is substituted
bool isPermanentReplacement = false;
if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
} else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
} else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
}
// parse expression
if((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement) {
DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(attribute), code);
if(isPermanentReplacement) {
DekiScriptLiteral eval = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
// determine what the outcome value is
string value = eval.AsString();
// check if we have a value to replace the current attribute with
if((value != null) && !DekiScriptLibrary.ContainsXSSVulnerability(attribute.LocalName, value)) {
attribute.Value = value;
} else {
node.Attributes.RemoveAt(i);
--i;
}
}
}
}
}
#endregion
#region evaluate <span class="script"> or <pre class="script">
if(hasScriptClass && (StringUtil.EqualsInvariant(node.LocalName, "pre") || StringUtil.EqualsInvariant(node.LocalName, "span")) && !node.HasAttribute("function")) {
// replace the non-breaking space character with space
string code = node.InnerText.ReplaceAll("\u00A0", " ", "\u00AD", "").Trim();
// check if script content is substituted
bool isPermanentReplacement = false;
if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
} else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
} else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN)) {
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
}
// parse expression
if((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement) {
DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(node), code);
if(isPermanentReplacement) {
DekiScriptLiteral value = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
context.ReplaceNodeWithValue(node, value);
}
if(!isPermanentReplacement) {
scripted = true;
}
}
}
#endregion
}
} catch(Exception e) {
// only embed error in verify mode, not in save/edit modes
if(context.Mode == DekiScriptEvalMode.Verify) {
context.InsertExceptionMessageBeforeNode(env, node.ParentNode, node, ComputeNodeLocation(node), e);
node.ParentNode.RemoveChild(node);
}
error |= true;
}
return next;
}
private static void EvaluateChildren(
XDoc script,
XmlElement node,
DekiScriptEvalContext context,
DekiScriptEnv env,
DekiScriptRuntime runtime,
out bool scripted,
ref bool error
) {
scripted = false;
// recurse first to evaluate nested script content
XmlNode child = node.FirstChild;
while(child != null) {
XmlNode next = child.NextSibling;
if(child.NodeType == XmlNodeType.Element) {
bool childScripted;
next = Evaluate(script, (XmlElement)child, context, env, runtime, out childScripted, ref error);
scripted = scripted || childScripted;
}
child = next;
}
}
//--- Class Methods ---
public static XmlNode Evaluate(
XDoc script,
XmlElement node,
DekiScriptEvalContext context,
DekiScriptEnv env,
DekiScriptRuntime runtime,
out bool scripted,
ref bool error
)
{
if ((context.Mode != DekiScriptEvalMode.Verify) && (context.Mode != DekiScriptEvalMode.EvaluateEditOnly) && (context.Mode != DekiScriptEvalMode.EvaluateSaveOnly))
{
throw new InvalidOperationException("DekiScript interpreter can only used for save, edit, or verify evaluations.");
}
scripted = false;
XmlNode next = node.NextSibling;
try {
// check if element needs to be evaluated
if (StringUtil.EqualsInvariant(node.NamespaceURI, XDekiScript.ScriptNS))
{
scripted = true;
// NOTE (steveb): <eval:xyz> nodes are not processed by the interpreter anymore
}
else
{
XDoc current = script[node];
bool hasScriptClass = StringUtil.EqualsInvariant(node.GetAttribute("class"), "script");
#region <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
// check if element has form <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
scripted = node.HasAttribute("init") || node.HasAttribute("if") || node.HasAttribute("foreach") || node.HasAttribute("block");
if (context.Mode == DekiScriptEvalMode.Verify)
{
// check if "block" is present
string blockAttr = node.GetAttribute("block");
if (!string.IsNullOrEmpty(blockAttr))
{
// TODO (steveb): validate script expression
}
// check if "foreach" is present
string foreachAttr = node.GetAttribute("foreach");
if (!string.IsNullOrEmpty(foreachAttr))
{
// TODO (steveb): validate script expression
}
// check if "if" is present
string ifAttr = node.GetAttribute("if");
if (!string.IsNullOrEmpty(ifAttr))
{
// TODO (steveb): validate script expression
}
// check if "init" is present
string initAttr = node.GetAttribute("init");
if (!string.IsNullOrEmpty(initAttr))
{
// TODO (steveb): validate script expression
}
}
#endregion
// evaluate child nodes
EvaluateChildren(script, node, context, env, runtime, out scripted, ref error);
#region evaluate attributes
for (int i = 0; i < node.Attributes.Count; ++i)
{
XmlAttribute attribute = node.Attributes[i];
// check if attribute needs to be evaluated
if (attribute.NamespaceURI == XDekiScript.ScriptNS)
{
scripted = true;
// NOTE (steveb): eval:xyz="abc" attributes are not processed by the interpreter anymore
}
else if (StringUtil.StartsWithInvariant(attribute.Value, "{{") && StringUtil.EndsWithInvariant(attribute.Value, "}}"))
{
scripted = true;
// NOTE (steveb): key="{{value}}"
string code = attribute.Value.Substring(2, attribute.Value.Length - 4).Trim();
// check if script content is substituted
bool isPermanentReplacement = false;
if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
}
else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
}
else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
}
// parse expression
if ((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement)
{
DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(attribute), code);
if (isPermanentReplacement)
{
DekiScriptLiteral eval = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
// determine what the outcome value is
string value = eval.AsString();
// check if we have a value to replace the current attribute with
if ((value != null) && !DekiScriptLibrary.ContainsXSSVulnerability(attribute.LocalName, value))
{
attribute.Value = value;
}
else
{
node.Attributes.RemoveAt(i);
--i;
}
}
}
}
}
#endregion
#region evaluate <span class="script"> or <pre class="script">
if (hasScriptClass && (StringUtil.EqualsInvariant(node.LocalName, "pre") || StringUtil.EqualsInvariant(node.LocalName, "span")) && !node.HasAttribute("function"))
{
// replace the non-breaking space character with space
string code = node.InnerText.ReplaceAll("\u00A0", " ", "\u00AD", "").Trim();
// check if script content is substituted
bool isPermanentReplacement = false;
if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
}
else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
}
else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN))
{
isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
}
// parse expression
if ((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement)
{
DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(node), code);
if (isPermanentReplacement)
{
DekiScriptLiteral value = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
context.ReplaceNodeWithValue(node, value);
}
if (!isPermanentReplacement)
{
scripted = true;
}
}
}
#endregion
}
} catch (Exception e) {
// only embed error in verify mode, not in save/edit modes
if (context.Mode == DekiScriptEvalMode.Verify)
{
context.InsertExceptionMessageBeforeNode(env, node.ParentNode, node, ComputeNodeLocation(node), e);
node.ParentNode.RemoveChild(node);
}
error |= true;
}
return(next);
}
public void EvaluateContent(XDoc script, DekiScriptEnv env, DekiScriptEvalMode mode, out bool scripted) {
scripted = false;
switch(mode) {
case DekiScriptEvalMode.None:
break;
case DekiScriptEvalMode.Evaluate:
case DekiScriptEvalMode.EvaluateSafeMode: {
var expr = DekiScriptParser.Parse(script);
try {
expr = DekiContext.Current.Instance.ScriptRuntime.Evaluate(expr, mode, env);
} catch(Exception e) {
var error = DekiScriptLibrary.MakeErrorObject(e, env);
DekiContext.Current.Instance.ScriptRuntime.LogExceptionInOutput(error);
expr = DekiScriptExpression.Constant(DekiScriptLibrary.WebShowError((Hashtable)error.NativeValue));
}
// check if outcome is an XML document
var xml = expr as DekiScriptXml;
if(xml != null) {
// check if outcome is the expected content document
if(xml.Value.HasName("content")) {
script.Replace(((DekiScriptXml)expr).Value);
} else {
// remove all contents from existing document and append new document
script.RemoveNodes();
script.Start("body").Add(xml.Value).End();
}
} else if(expr is DekiScriptString) {
// remove all contents from existing document and append new document
script.RemoveNodes();
script.Start("body").Value(((DekiScriptString)expr).Value).End();
} else {
// remove all contents from existing document and append new document
script.RemoveNodes();
script.Start("body").Value(expr.ToString()).End();
}
}
break;
case DekiScriptEvalMode.EvaluateEditOnly:
case DekiScriptEvalMode.EvaluateSaveOnly:
case DekiScriptEvalMode.Verify: {
DekiScriptEvalContext context = new DekiScriptEvalContext(script, mode, false, DekiContext.Current.Instance.ScriptRuntime.GetMaxOutputSize(mode));
// add <head> and <tail> sections
context.AddHeadElements(script);
context.AddTailElements(script);
script["head"].RemoveNodes();
script["tail"].RemoveNodes();
// evaluate the script
bool error = false;
DekiScriptInterpreter.Evaluate(script, (XmlElement)script.Root.AsXmlNode, context, env, DekiContext.Current.Instance.ScriptRuntime, out scripted, ref error);
if((mode == DekiScriptEvalMode.Verify) || !error) {
context.MergeContextIntoDocument(script.AsXmlNode.OwnerDocument);
}
}
break;
default:
throw new InvalidOperationException(string.Format("unrecognized evaluation mode '{0}'", mode));
}
}
