libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @package phpMyAdmin
   7  *
   8  */
   9
  10 /**
  11  * Format a string so it can be a string inside JavaScript code inside an
  12  * eventhandler (onclick, onchange, on..., ).
  13  * This function is used to displays a javascript confirmation box for
  14  * "DROP/DELETE/ALTER" queries.
  15  *
  16  * @param string   $a_string          the string to format
  17  * @param boolean  $add_backquotes    whether to add backquotes to the string or not
  18  *
  19  * @return  string   the formatted string
  20  *
  21  * @access  public
  22  */
  23 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  24 {
  25     if (is_string($a_string)) {
  26         $a_string = htmlspecialchars($a_string);
  27         $a_string = PMA_escapeJsString($a_string);
  28         /**
  29          * @todo what is this good for?
  30          */
  31         $a_string = str_replace('#', '\\#', $a_string);
  32     }
  33
  34     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  35 } // end of the 'PMA_jsFormat()' function
  36
  37 /**
  38  * escapes a string to be inserted as string a JavaScript block
  39  * enclosed by <![CDATA[ ... ]]>
  40  * this requires only to escape ' with \' and end of script block
  41  *
  42  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  43  * inserting it anywhere inside </script would allow to bypass this check.
  44  *
  45  * @param string  $string the string to be escaped
  46  * @return  string  the escaped string
  47  */
  48 function PMA_escapeJsString($string)
  49 {
  50     return preg_replace('@</script@i', '</\' + \'script',
  51                         strtr($string, array(
  52                                 "\000" => '',
  53                                 '\\' => '\\\\',
  54                                 '\'' => '\\\'',
  55                                 '"' => '\"',
  56                                 "\n" => '\n',
  57                                 "\r" => '\r')));
  58 }
  59
  60 /**
  61  * Prints an javascript assignment with proper escaping of a value
  62  * and support for assigning array of strings.
  63  *
  64  * @param string $key Name of value to set
  65  * @param mixed $value Value to set, can be either string or array of strings
  66  */
  67 function PMA_printJsValue($key, $value) {
  68     echo $key . ' = ';
  69     if (is_array($value)) {
  70         echo '[';
  71         foreach ($value as $id => $val) {
  72             echo "'" . PMA_escapeJsString($val) . "',";
  73         }
  74         echo "];\n";
  75     } else {
  76         echo "'" . PMA_escapeJsString($value) . "';\n";
  77     }
  78 }
  79
  80 ?>