libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @package phpMyAdmin
   7  *
   8  */
   9
  10 /**
  11  * Format a string so it can be a string inside JavaScript code inside an
  12  * eventhandler (onclick, onchange, on..., ).
  13  * This function is used to displays a javascript confirmation box for
  14  * "DROP/DELETE/ALTER" queries.
  15  *
  16  * @param string   $a_string          the string to format
  17  * @param boolean  $add_backquotes    whether to add backquotes to the string or not
  18  *
  19  * @return  string   the formatted string
  20  *
  21  * @access  public
  22  */
  23 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  24 {
  25     if (is_string($a_string)) {
  26         $a_string = htmlspecialchars($a_string);
  27         $a_string = PMA_escapeJsString($a_string);
  28         // Needed for inline javascript to prevent some browsers
  29         // treating it as a anchor
  30         $a_string = str_replace('#', '\\#', $a_string);
  31     }
  32
  33     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  34 } // end of the 'PMA_jsFormat()' function
  35
  36 /**
  37  * escapes a string to be inserted as string a JavaScript block
  38  * enclosed by <![CDATA[ ... ]]>
  39  * this requires only to escape ' with \' and end of script block
  40  *
  41  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  42  * inserting it anywhere inside </script would allow to bypass this check.
  43  *
  44  * @param string  $string the string to be escaped
  45  * @return  string  the escaped string
  46  */
  47 function PMA_escapeJsString($string)
  48 {
  49     return preg_replace('@</script@i', '</\' + \'script',
  50                         strtr($string, array(
  51                                 "\000" => '',
  52                                 '\\' => '\\\\',
  53                                 '\'' => '\\\'',
  54                                 '"' => '\"',
  55                                 "\n" => '\n',
  56                                 "\r" => '\r')));
  57 }
  58
  59 /**
  60  * Formats a value for javascript code.
  61  *
  62  * @param string $value String to be formatted.
  63  *
  64  * @retrun string formatted value.
  65  */
  66 function PMA_formatJsVal($value)
  67 {
  68     if (is_bool($value)) {
  69         if ($value) {
  70             return 'true';
  71         } else {
  72             return 'false';
  73         }
  74     } elseif (is_int($value)) {
  75         return (int)$value;
  76     } else {
  77         return '"' . PMA_escapeJsString($value) . '"';
  78     }
  79 }
  80
  81 /**
  82  * Formats an javascript assignment with proper escaping of a value
  83  * and support for assigning array of strings.
  84  *
  85  * @param string $key    Name of value to set
  86  * @param mixed  $value  Value to set, can be either string or array of strings
  87  * @param bool   $escape Whether to escape value or keep it as it is (for inclusion of js code)
  88  *
  89  * @return string Javascript code.
  90  */
  91 function PMA_getJsValue($key, $value, $escape = true)
  92 {
  93     $result = $key . ' = ';
  94     if (!$escape) {
  95         $result .= $value;
  96     } elseif (is_array($value)) {
  97         $result .= '[';
  98         foreach ($value as $id => $val) {
  99             $result .= PMA_formatJsVal($val) . ",";
 100         }
 101         $result .= "];\n";
 102     } else {
 103         $result .= PMA_formatJsVal($value) . ";\n";
 104     }
 105     return $result;
 106 }
 107
 108 /**
 109  * Prints an javascript assignment with proper escaping of a value
 110  * and support for assigning array of strings.
 111  *
 112  * @param string $key Name of value to set
 113  * @param mixed $value Value to set, can be either string or array of strings
 114  *
 115  * @return nothing
 116  */
 117 function PMA_printJsValue($key, $value)
 118 {
 119     echo PMA_getJsValue($key, $value);
 120 }
 121
 122 ?>