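/**
 * Renders an action as a plain <a> link or, when the URL is too long for a
 * GET request (or $force_button is set), as hidden POST fields plus a
 * submitting link.
 *
 * Output-encoding contract, as implemented below:
 * - $url is written into href verbatim, so the caller must pass it already
 *   HTML-escaped.
 * - $message is written verbatim as the link body (it may carry markup such
 *   as an icon), so the caller must escape any untrusted text in it.
 * - Values in $tag_params are escaped with htmlspecialchars(), EXCEPT those
 *   whose key starts with "on": they are emitted as-is and must already be
 *   safe inside a double-quoted HTML attribute. Attribute names are never
 *   escaped.
 * - Everything derived from the URL in the form variant (action path, field
 *   names, field values) and $target is escaped here.
 *
 * @param string       $url          the URL
 * @param string       $message      the link message (HTML)
 * @param array|string $tag_params   attributes for the <a> tag; a string is
 *                                   treated as a confirmation message and
 *                                   turned into an onclick handler
 * @param boolean      $new_form     wrap the fields in their own <form>;
 *                                   otherwise emit them as a numbered subform
 * @param boolean      $strip_img    whether an image in $message is stripped
 * @param string       $target       target attribute for the link / form
 * @param boolean      $force_button always use the POST variant
 *
 * @return string the generated HTML, or '' when the URL is far too long
 */
public static function linkOrButton($url, $message, $tag_params = array(), $new_form = true, $strip_img = false, $target = '', $force_button = false)
{
    $link_length_limit = $GLOBALS['cfg']['LinkLengthLimit'];
    $url_length = mb_strlen($url);

    // with this we should be able to catch case of image upload
    // into a (MEDIUM) BLOB; not worth generating even a form for these
    if ($url_length > $link_length_limit * 100) {
        return '';
    }

    // A non-array $tag_params is a confirmation message for confirmLink().
    if (!is_array($tag_params)) {
        $confirm_message = $tag_params;
        $tag_params = array();
        if (!empty($confirm_message)) {
            // The string is escaped for a JavaScript string context only; the
            // resulting on* attribute is later emitted without HTML escaping.
            $tag_params['onclick'] = 'return confirmLink(this, \'' . Sanitize::escapeJsString($confirm_message) . '\')';
        }
    }

    if (!empty($target)) {
        // Entity-encoded here and escaped again when the attributes are
        // rendered; that is a no-op for plain names such as _blank.
        $tag_params['target'] = htmlentities($target);
        // Only new-window links whose URL starts with url.php? get
        // rel="noopener noreferrer" (presumably the outbound-link redirector;
        // confirm against url.php).
        if ($target === '_blank' && strncmp($url, 'url.php?', 8) === 0) {
            $tag_params['rel'] = 'noopener noreferrer';
        }
    }

    // Add text if not already added
    // NOTE(review): a message holding a complete <img> tag should differ from
    // its strip_tags() form, so this branch looks hard to reach - confirm.
    $displayed_message = '';
    if (stristr($message, '<img') && (!$strip_img || $GLOBALS['cfg']['ActionLinksMode'] == 'icons') && strip_tags($message) == $message) {
        $displayed_message = '<span>' . htmlspecialchars(preg_replace('/^.*\\salt="([^"]*)".*$/si', '\\1', $message)) . '</span>';
    }

    // Suhosin: Check that each query parameter is not above maximum
    $query_parts = null;
    $in_suhosin_limits = true;
    if ($url_length <= $link_length_limit) {
        $suhosin_get_MaxValueLength = ini_get('suhosin.get.max_value_length');
        if ($suhosin_get_MaxValueLength) {
            $query_parts = self::splitURLQuery($url);
            foreach ($query_parts as $query_pair) {
                if (strpos($query_pair, '=') === false) {
                    continue;
                }
                // Limit 2: measure the whole value even if it contains '='.
                list(, $eachval) = explode('=', $query_pair, 2);
                if (mb_strlen($eachval) > $suhosin_get_MaxValueLength) {
                    $in_suhosin_limits = false;
                    break;
                }
            }
        }
    }

    $use_plain_link = $url_length <= $link_length_limit && $in_suhosin_limits && !$force_button;

    if (!$use_plain_link) {
        // The POST variant marks its link with the formLinkSubmit class.
        if (empty($tag_params['class'])) {
            $tag_params['class'] = 'formLinkSubmit';
        } else {
            $tag_params['class'] .= ' formLinkSubmit';
        }
    }

    $tag_params_strings = array();
    foreach ($tag_params as $par_name => $par_value) {
        // htmlspecialchars() only on non javascript: on* handlers are written
        // verbatim, so they must already be attribute-safe.
        if (mb_substr($par_name, 0, 2) !== 'on') {
            $par_value = htmlspecialchars($par_value);
        }
        $tag_params_strings[] = $par_name . '="' . $par_value . '"';
    }
    $attributes = implode(' ', $tag_params_strings);

    if ($use_plain_link) {
        // no whitespace within an <a> else Safari will make it part of the link
        return "\n" . '<a href="' . $url . '" ' . $attributes . '>' . $message . $displayed_message . '</a>' . "\n";
    }

    // no spaces (line breaks) at all
    // or after the hidden fields
    // IE will display them all
    if ($query_parts === null) {
        $query_parts = self::splitURLQuery($url);
    }

    // parse_url() can return false or omit 'path'; fall back to an empty path
    // instead of reading an undefined index.
    $url_parts = parse_url($url);
    $form_action = (is_array($url_parts) && isset($url_parts['path'])) ? $url_parts['path'] : '';

    if ($new_form) {
        // Both values land inside double-quoted attributes, so escape them.
        $form_target = $target ? ' target="' . htmlspecialchars($target) . '"' : '';
        $ret = '<form action="' . htmlspecialchars($form_action) . '" class="link"' . ' method="post"' . $form_target . ' style="display: inline;">';
        $subname_open = '';
        $subname_close = '';
        $submit_link = '#';
    } else {
        // Escaped further down together with the other hidden field values.
        $query_parts[] = 'redirect=' . $form_action;
        if (empty($GLOBALS['subform_counter'])) {
            $GLOBALS['subform_counter'] = 0;
        }
        $GLOBALS['subform_counter']++;
        $ret = '';
        $subname_open = 'subform[' . $GLOBALS['subform_counter'] . '][';
        $subname_close = ']';
        $submit_link = '#usesubform[' . $GLOBALS['subform_counter'] . ']=1';
    }

    foreach ($query_parts as $query_pair) {
        // A pair without '=' becomes a field with an empty value; limit 2
        // keeps a value that itself contains '=' intact.
        list($eachvar, $eachval) = array_pad(explode('=', $query_pair, 2), 2, '');
        // The field name comes from the URL too, so it is escaped like the
        // value before being placed in the attribute.
        $ret .= '<input type="hidden" name="' . $subname_open . htmlspecialchars($eachvar) . $subname_close . '" value="' . htmlspecialchars(urldecode($eachval)) . '" />';
    }

    $ret .= "\n" . '<a href="' . $submit_link . '" ' . $attributes . '>' . $message . ' ' . $displayed_message . '</a>' . "\n";
    if ($new_form) {
        $ret .= '</form>';
    }

    return $ret;
}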