library/htmlspecialchars.inc.php

   1 <?php
   2
   3 /**
   4  * Escaping Functions
   5  *
   6  * @package   OpenEMR
   7  * @link      https://www.open-emr.org
   8  * @author    Boyd Stephen Smith Jr.
   9  * @author    Brady Miller <brady.g.miller@gmail.com>
  10  * @copyright Copyright (c) 2011 Boyd Stephen Smith Jr.
  11  * @copyright Copyright (c) 2018 Brady Miller <brady.g.miller@gmail.com>
  12  * @license   https://github.com/openemr/openemr/blob/master/LICENSE GNU General Public License 3
  13  */
  14
  15 /**
  16  * Escape a javascript literal.
  17  */
  18 function js_escape($text)
  19 {
  20     return json_encode($text);
  21 }
  22
  23 /**
  24  * Escape a javascript literal within html onclick attribute.
  25  */
  26 function attr_js($text)
  27 {
  28     return attr(json_encode($text));
  29 }
  30
  31 /**
  32  * Escape html and url encode a url item.
  33  */
  34 function attr_url($text)
  35 {
  36     return attr(urlencode($text));
  37 }
  38
  39 /**
  40  * Escape js and url encode a url item.
  41  */
  42 function js_url($text)
  43 {
  44     return js_escape(urlencode($text));
  45 }
  46
  47 /**
  48  * Escape variables that are outputted into the php error log.
  49  */
  50 function errorLogEscape($text)
  51 {
  52     return attr($text);
  53 }
  54
  55 /**
  56  * Escape variables that are outputted into csv and spreadsheet files.
  57  * See here: https://www.owasp.org/index.php/CSV_Injection
  58  * Based mitigation strategy on this report: https://asecurityz.blogspot.com/2017/12/csv-injection-mitigations.html
  59  *  1. Remove all the following characters:  = + " |
  60  *  2. Only remove leading - characters (since need in dates)
  61  *  3. Only remove leading @ characters (since need in email addresses)
  62  *  4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
  63  * If needed in future, will add a second parameter called 'options' which will be an array of option tokens that will allow
  64  * less stringent (or more stringent) mechanisms to escape for csv.
  65  */
  66 function csvEscape($text)
  67 {
  68     // 1. Remove all the following characters:  = + " |
  69     $text = preg_replace('/[=+"|]/', '', $text);
  70
  71     // 2. Only remove leading - characters (since need in dates)
  72     // 3. Only remove leading @ characters (since need in email addresses)
  73     $text = preg_replace('/^[\-@]+/', '', $text);
  74
  75     // 4. Surround with double quotes (no reference link, but seems very reasonable, which will prevent commas from breaking things).
  76     return '"' . $text . '"';
  77 }
  78
  79 /**
  80  *
  81  * references: https://stackoverflow.com/questions/3426090/how-do-you-make-strings-xml-safe
  82  *             https://www.php.net/htmlspecialchars
  83  *             https://www.php.net/XMLWriter
  84  *
  85  *
  86  * Escapes & < > ' "
  87  * TODO: not sure if need to escape ' and ", which are escaping for now (via the ENT_QUOTES flag)
  88  */
  89 function xmlEscape($text)
  90 {
  91     return htmlspecialchars($text, ENT_XML1 | ENT_QUOTES);
  92 }
  93
  94 /**
  95  * Escape a PHP string for use as (part of) an HTML / XML text node.
  96  *
  97  * It only escapes a few special chars: the ampersand (&) and both the left-
  98  * pointing angle bracket (<) and the right-pointing angle bracket (>), since
  99  * these are the only characters that are special in a text node.  Minimal
 100  * quoting is preferred because it produces smaller and more easily human-
 101  * readable output.
 102  *
 103  * Some characters simply cannot appear in valid XML documents, even
 104  * as entities but, this function does not attempt to handle them.
 105  *
 106  * NOTE: Attribute values are NOT text nodes, and require additional escaping.
 107  *
 108  * @param string $text The string to escape, possibly including "&", "<",
 109  *                     or ">".
 110  * @return string The string, with "&", "<", and ">" escaped.
 111  */
 112 function text($text)
 113 {
 114     return htmlspecialchars($text, ENT_NOQUOTES);
 115 }
 116
 117 /**
 118  * Escape a PHP string for use as (part of) an HTML / XML attribute value.
 119  *
 120  * It escapes several special chars: the ampersand (&), the double quote
 121  * ("), the singlequote ('), and both the left-pointing angle bracket (<)
 122  * and the right-pointing angle bracket (>), since these are the characters
 123  * that are special in an attribute value.
 124  *
 125  * Some characters simply cannot appear in valid XML documents, even
 126  * as entities but, this function does not attempt to handle them.
 127  *
 128  * NOTE: This can be used as a "generic" HTML escape since it does maximal
 129  * quoting.  However, some HTML and XML contexts (CDATA) don't provide
 130  * escape mechanisms.  Also, further pre- or post-escaping might need to
 131  * be done when embdedded other languages (like JavaScript) inside HTML /
 132  * XML documents.
 133  *
 134  * @param string $text The string to escape, possibly including (&), (<),
 135  *                     (>), ('), and (").
 136  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 137  */
 138 function attr($text)
 139 {
 140     return htmlspecialchars($text, ENT_QUOTES);
 141 }
 142
 143 /**
 144  * Don't call this function.  You don't see this function.  This function
 145  * doesn't exist.
 146  *
 147  * TODO: Hide this function so it can be called from this file but not from
 148  * PHP that includes / requires this file.  Either that, or write reasonable
 149  * documentation and clean up the name.
 150  */
 151 function hsc_private_xl_or_warn($key)
 152 {
 153     if (function_exists('xl')) {
 154         return xl($key);
 155     } else {
 156         trigger_error(
 157             'Translation via xl() was requested, but the xl()'
 158             . ' function is not defined, yet.',
 159             E_USER_WARNING
 160         );
 161         return $key;
 162     }
 163 }
 164
 165 /**
 166  * Translate via xl() and then escape via text().
 167  *
 168  * @param string $key The string to escape, possibly including "&", "<",
 169  *                    or ">".
 170  * @return string The string, with "&", "<", and ">" escaped.
 171  */
 172 function xlt($key)
 173 {
 174     return text(hsc_private_xl_or_warn($key));
 175 }
 176
 177 /**
 178  * Translate via xl() and then escape via attr().
 179  *
 180  * @param string $key The string to escape, possibly including (&), (<),
 181  *                    (>), ('), and (").
 182  * @return string The string, with (&), (<), (>), ("), and (') escaped.
 183  */
 184 function xla($key)
 185 {
 186     return attr(hsc_private_xl_or_warn($key));
 187 }
 188
 189 /*
 190  * Translate via xl() and then escape via js_escape for use with javascript literals
 191  */
 192 function xlj($key)
 193 {
 194     return js_escape(hsc_private_xl_or_warn($key));
 195 }
 196
 197 /*
 198  * Deprecated
 199  *Translate via xl() and then escape via addslashes for use with javascript literals
 200  */
 201 function xls($key)
 202 {
 203     return addslashes(hsc_private_xl_or_warn($key));
 204 }