libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @package phpMyAdmin
   7  *
   8  */
   9
  10 /**
  11  * Format a string so it can be a string inside JavaScript code inside an
  12  * eventhandler (onclick, onchange, on..., ).
  13  * This function is used to displays a javascript confirmation box for
  14  * "DROP/DELETE/ALTER" queries.
  15  *
  16  * @param string   $a_string          the string to format
  17  * @param boolean  $add_backquotes    whether to add backquotes to the string or not
  18  *
  19  * @return  string   the formatted string
  20  *
  21  * @access  public
  22  */
  23 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  24 {
  25     if (is_string($a_string)) {
  26         $a_string = htmlspecialchars($a_string);
  27         $a_string = PMA_escapeJsString($a_string);
  28         // Needed for inline javascript to prevent some browsers
  29         // treating it as a anchor
  30         $a_string = str_replace('#', '\\#', $a_string);
  31     }
  32
  33     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  34 } // end of the 'PMA_jsFormat()' function
  35
  36 /**
  37  * escapes a string to be inserted as string a JavaScript block
  38  * enclosed by <![CDATA[ ... ]]>
  39  * this requires only to escape ' with \' and end of script block
  40  *
  41  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  42  * inserting it anywhere inside </script would allow to bypass this check.
  43  *
  44  * @param string  $string the string to be escaped
  45  * @return  string  the escaped string
  46  */
  47 function PMA_escapeJsString($string)
  48 {
  49     return preg_replace('@</script@i', '</\' + \'script',
  50                         strtr($string, array(
  51                                 "\000" => '',
  52                                 '\\' => '\\\\',
  53                                 '\'' => '\\\'',
  54                                 '"' => '\"',
  55                                 "\n" => '\n',
  56                                 "\r" => '\r')));
  57 }
  58
  59 /**
  60  * Formats a value for javascript code.
  61  *
  62  * @param string $value String to be formatted.
  63  *
  64  * @retrun string formatted value.
  65  */
  66 function PMA_formatJsVal($value)
  67 {
  68     if (is_bool($value)) {
  69         if ($value) {
  70             return 'true';
  71         } else {
  72             return 'false';
  73         }
  74     } elseif (is_int($value)) {
  75         return (int)$value;
  76     } else {
  77         return '"' . PMA_escapeJsString($value) . '"';
  78     }
  79 }
  80
  81 /**
  82  * Formats an javascript assignment with proper escaping of a value
  83  * and support for assigning array of strings.
  84  *
  85  * @param string $key Name of value to set
  86  * @param mixed $value Value to set, can be either string or array of strings
  87  *
  88  * @return string Javascript code.
  89  */
  90 function PMA_getJsValue($key, $value)
  91 {
  92     $result = $key . ' = ';
  93     if (is_array($value)) {
  94         $result .= '[';
  95         foreach ($value as $id => $val) {
  96             $result .= PMA_formatJsVal($value) . ",";
  97         }
  98         $result .= "];\n";
  99     } else {
 100         $result .= PMA_formatJsVal($value) . ";\n";
 101     }
 102     return $result;
 103 }
 104
 105 /**
 106  * Prints an javascript assignment with proper escaping of a value
 107  * and support for assigning array of strings.
 108  *
 109  * @param string $key Name of value to set
 110  * @param mixed $value Value to set, can be either string or array of strings
 111  *
 112  * @return nothing
 113  */
 114 function PMA_printJsValue($key, $value)
 115 {
 116     echo PMA_getJsValue($key, $value);
 117 }
 118
 119 ?>