phpmyadmin/libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @author Michal Čihař <michal@cihar.com>
   7  * @package phpMyAdmin
   8  *
   9  * @version $Id$
  10  */
  11
  12 /**
  13  * Format a string so it can be a string inside JavaScript code inside an
  14  * eventhandler (onclick, onchange, on..., ).
  15  * This function is used to displays a javascript confirmation box for
  16  * "DROP/DELETE/ALTER" queries.
  17  *
  18  * @uses    PMA_escapeJsString()
  19  * @uses    PMA_backquote()
  20  * @uses    is_string()
  21  * @uses    htmlspecialchars()
  22  * @uses    str_replace()
  23  * @param   string   $a_string          the string to format
  24  * @param   boolean  $add_backquotes    whether to add backquotes to the string or not
  25  *
  26  * @return  string   the formatted string
  27  *
  28  * @access  public
  29  */
  30 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  31 {
  32     if (is_string($a_string)) {
  33         $a_string = htmlspecialchars($a_string);
  34         $a_string = PMA_escapeJsString($a_string);
  35         /**
  36          * @todo what is this good for?
  37          */
  38         $a_string = str_replace('#', '\\#', $a_string);
  39     }
  40
  41     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  42 } // end of the 'PMA_jsFormat()' function
  43
  44 /**
  45  * escapes a string to be inserted as string a JavaScript block
  46  * enclosed by <![CDATA[ ... ]]>
  47  * this requires only to escape ' with \' and end of script block
  48  *
  49  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  50  * inserting it anywhere inside </script would allow to bypass this check.
  51  *
  52  * @uses    strtr()
  53  * @uses    preg_replace()
  54  * @param   string  $string the string to be escaped
  55  * @return  string  the escaped string
  56  */
  57 function PMA_escapeJsString($string)
  58 {
  59     return preg_replace('@</script@i', '</\' + \'script',
  60                         strtr($string, array(
  61                                 "\000" => '',
  62                                 '\\' => '\\\\',
  63                                 '\'' => '\\\'',
  64                                 "\n" => '\n',
  65                                 "\r" => '\r')));
  66 }
  67
  68 ?>