libraries/js_escape.lib.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Javascript escaping functions.
   5  *
   6  * @package phpMyAdmin
   7  *
   8  * @version $Id$
   9  */
  10
  11 /**
  12  * Format a string so it can be a string inside JavaScript code inside an
  13  * eventhandler (onclick, onchange, on..., ).
  14  * This function is used to displays a javascript confirmation box for
  15  * "DROP/DELETE/ALTER" queries.
  16  *
  17  * @uses    PMA_escapeJsString()
  18  * @uses    PMA_backquote()
  19  * @uses    is_string()
  20  * @uses    htmlspecialchars()
  21  * @uses    str_replace()
  22  * @param   string   $a_string          the string to format
  23  * @param   boolean  $add_backquotes    whether to add backquotes to the string or not
  24  *
  25  * @return  string   the formatted string
  26  *
  27  * @access  public
  28  */
  29 function PMA_jsFormat($a_string = '', $add_backquotes = true)
  30 {
  31     if (is_string($a_string)) {
  32         $a_string = htmlspecialchars($a_string);
  33         $a_string = PMA_escapeJsString($a_string);
  34         /**
  35          * @todo what is this good for?
  36          */
  37         $a_string = str_replace('#', '\\#', $a_string);
  38     }
  39
  40     return (($add_backquotes) ? PMA_backquote($a_string) : $a_string);
  41 } // end of the 'PMA_jsFormat()' function
  42
  43 /**
  44  * escapes a string to be inserted as string a JavaScript block
  45  * enclosed by <![CDATA[ ... ]]>
  46  * this requires only to escape ' with \' and end of script block
  47  *
  48  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
  49  * inserting it anywhere inside </script would allow to bypass this check.
  50  *
  51  * @uses    strtr()
  52  * @uses    preg_replace()
  53  * @param   string  $string the string to be escaped
  54  * @return  string  the escaped string
  55  */
  56 function PMA_escapeJsString($string)
  57 {
  58     return preg_replace('@</script@i', '</\' + \'script',
  59                         strtr($string, array(
  60                                 "\000" => '',
  61                                 '\\' => '\\\\',
  62                                 '\'' => '\\\'',
  63                                 "\n" => '\n',
  64                                 "\r" => '\r')));
  65 }
  66
  67 /**
  68  * Prints an javascript assignment with proper escaping of a value
  69  * and support for assigning array of strings.
  70  *
  71  * @param string $key Name of value to set
  72  * @param mixed $value Value to set, can be either string or array of strings
  73  */
  74 function PMA_printJsValue($key, $value) {
  75     echo $key . ' = ';
  76     if (is_array($value)) {
  77         echo '[';
  78         foreach ($value as $id => $val) {
  79             echo "'" . PMA_escapeJsString($val) . "',";
  80         }
  81         echo "];\n";
  82     } else {
  83         echo "'" . PMA_escapeJsString($value) . "';\n";
  84     }
  85 }
  86
  87 ?>