libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @package phpMyAdmin
   7  *
   8  */
   9
  10 /**
  11  * Format a string so it can be a string inside JavaScript code inside an
  12  * eventhandler (onclick, onchange, on..., ).
  13  * This function is used to displays a javascript confirmation box for
  14  * "DROP/DELETE/ALTER" queries.
  15  *
  16  * @uses    PMA_escapeJsString()
  17  * @uses    PMA_backquote()
  18  * @uses    is_string()
  19  * @uses    htmlspecialchars()
  20  * @uses    str_replace()
  21  * @param   string   $a_string          the string to format
  22  * @param   boolean  $add_backquotes    whether to add backquotes to the string or not
  23  *
  24  * @return  string   the formatted string
  25  *
  26  * @access  public
  27  */
  28 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  29 {
  30     if (is_string($a_string)) {
  31         $a_string = htmlspecialchars($a_string);
  32         $a_string = PMA_escapeJsString($a_string);
  33         /**
  34          * @todo what is this good for?
  35          */
  36         $a_string = str_replace('#', '\\#', $a_string);
  37     }
  38
  39     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  40 } // end of the 'PMA_jsFormat()' function
  41
  42 /**
  43  * escapes a string to be inserted as string a JavaScript block
  44  * enclosed by <![CDATA[ ... ]]>
  45  * this requires only to escape ' with \' and end of script block
  46  *
  47  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  48  * inserting it anywhere inside </script would allow to bypass this check.
  49  *
  50  * @uses    strtr()
  51  * @uses    preg_replace()
  52  * @param   string  $string the string to be escaped
  53  * @return  string  the escaped string
  54  */
  55 function PMA_escapeJsString($string)
  56 {
  57     return preg_replace('@</script@i', '</\' + \'script',
  58                         strtr($string, array(
  59                                 "\000" => '',
  60                                 '\\' => '\\\\',
  61                                 '\'' => '\\\'',
  62                                 "\n" => '\n',
  63                                 "\r" => '\r')));
  64 }
  65
  66 /**
  67  * Prints an javascript assignment with proper escaping of a value
  68  * and support for assigning array of strings.
  69  *
  70  * @param string $key Name of value to set
  71  * @param mixed $value Value to set, can be either string or array of strings
  72  */
  73 function PMA_printJsValue($key, $value) {
  74     echo $key . ' = ';
  75     if (is_array($value)) {
  76         echo '[';
  77         foreach ($value as $id => $val) {
  78             echo "'" . PMA_escapeJsString($val) . "',";
  79         }
  80         echo "];\n";
  81     } else {
  82         echo "'" . PMA_escapeJsString($value) . "';\n";
  83     }
  84 }
  85
  86 ?>