Bug #19699
closed
Non-static method RemoveXSS::RemoveXSS() cannot be called statically
0%
Description
MailformPlus will produce the fatal error (but it's not MailformPlus, it's in the TYPO3 Core):
PHP Fatal error: Non-static method RemoveXSS::RemoveXSS() cannot be called statically, assuming $this from incompatible context in TYPO3_SRC/t3lib/class.t3lib_div.php on line 383
t3lib_div:
public function removeXSS($string) {
require_once(PATH_typo3.'contrib/RemoveXSS/RemoveXSS.php');
$string = RemoveXSS::RemoveXSS($string);
return $string;
}
removeXSS.php:
class RemoveXSS {
function RemoveXSS($val) {
[...]
}
}
(issue imported from #M9945)
Files
Updated by Michael Leibenson over 15 years ago
I have this issue as well. Functionality worked fine at PHP 5.2.5, but when I upgraded to 5.2.8 I got this error in scope of th_mailformplus and sr_freecap
Updated by Michael Leibenson over 15 years ago
If you will run it on PHP4 everything will be fine, because every method in PHP4 is static by default if you do not use $this inside the method.
Also in our case RemoveXSS::RemoveXSS() it's constructor for php4 (compatible mode - if php5 can't find construct() it will search for function __CLASS), so it's can't be static.
So, we need to define default empty constructor for php5.
removeXSS.php:
class RemoveXSS {
function __construct() {}
static function RemoveXSS($val) {
[...]
}
}
but if we will use "static" keyword it wouldn't work fine for php4, so, we need to choose which version of php to use. I vote for PHP5. I think RemoveXSS and t3lid_div have a lot of legacy code and definitely need to be refactored. Also TYPO3 v4.2.x oriented to "GoPHP5" initiative, so, I think we need to forget about PHP4 support and use all power of PHP5.
Updated by Michael Leibenson over 15 years ago
I made small patch on my working copy and my local svn, so, revision number is differ to real typo3 repository and this patch might not working for everyone.
sorry about that, but i have no ability to fix it with real revision number in patch text, but i hope moderators will review it and fix it a bit.
Updated by Paul Bartschi over 15 years ago
I made a patch creating the object with "new" to match the PHP5 syntax. For some reasons it seems PHP 5.2.8 does not support the old style construction call. E.G.
Change -> RemoveXSS::RemoveXSS($string)
To -> new RemoveXSS($string)
This must be done in "class.t3lib_div.php" as well as in "class.tx_thmailformplus_pi1.php"
Someone responsible for the mentioned files please update this or use the fix Michael submitted if it seems more reasonable.
Updated by Michael Leibenson over 15 years ago
Hi, Paul.
Your solution is pretty good. I like it. It's compatible with PHP4 and PHP5.
But seems it will be pretty hard to fix all calls of RemoveXSS constructor. For our case it's enough to fix only two files, but in case of more 3rd part extensions used RemoveXSS they should be fixed too.
Maybe core developers has any idea how to deal with it?
Updated by Marcus Krause over 15 years ago
TYPO3 does not create new objects with "new" keyword!
So Paul's patch won't be accepted.
A fix should work across TYPO3 versions, e.g. running 4.1 an PHP5 and 4.2 on PHP5, too.
Updated by Michael Leibenson over 15 years ago
I think my patch will work fine with TYPO3 4.x on PHP5 and wouldn't work on PHP4 because of "static" keyword.
Updated by Oliver Hader over 15 years ago
- integrate a method "public static process($val)" in class RemoveXSS for 4.2
- use RemoveXSS($val) as wrapper for process($val) for 4.2 (like it's done for 4.3)
- integrate the __constructor() hack and define it as @deprecated
- use RemoveXSS::process($val) in t3lib_div
Updated by
Updated by Benni Mack almost 6 years ago
- Status changed from Resolved to Closed