File: js_escape.lib.php

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Javascript escaping functions.
 *
 * @package PhpMyAdmin
 *
 */

/**
 * Prepares a string for use as a JavaScript string literal inside an HTML
 * event-handler attribute (onclick, onchange, on...).
 *
 * Three layers are applied, in the order the browser will undo them:
 * HTML entity encoding for the attribute context, JavaScript string escaping
 * via PMA_escapeJsString(), and a '#' -> '\#' substitution so that some
 * browsers do not treat the inline handler as an anchor. This is what backs
 * the confirmation dialog shown before DROP/DELETE/ALTER queries.
 *
 * Note: htmlspecialchars() is called with its default flag set; whether a
 * single quote is entity-encoded by that default depends on the PHP version,
 * so the single quote relies on the backslash escaping done afterwards.
 *
 * @param string  $a_string       the string to format
 * @param boolean $add_backquotes whether to wrap the result with
 *                                PMA\libraries\Util::backquote()
 *
 * @return string the formatted string
 *
 * @access public
 */
function PMA_jsFormat($a_string = '', $add_backquotes = true)
{
    $escaped = str_replace(
        '#',
        '\\#',
        PMA_escapeJsString(htmlspecialchars($a_string))
    );

    if ($add_backquotes) {
        return PMA\libraries\Util::backquote($escaped);
    }

    return $escaped;
}

/**
 * Escapes a string for embedding inside a JavaScript string literal in an
 * inline script block (the project wraps those in <![CDATA[ ... ]]>).
 *
 * Transformations, applied in a single strtr() pass:
 *   - NUL bytes are dropped: some browsers (notably MSIE) ignore them, so a
 *     NUL inside "</script" would otherwise slip past the check below;
 *   - backslash, single quote and double quote get a backslash prefix;
 *   - CR and LF become the two-character sequences \r and \n.
 * Afterwards every case-insensitive occurrence of "</script" is split into
 * "</' + 'script" so the HTML parser never sees a closing script tag.
 *
 * Scope: only the quote characters and the script terminator are handled.
 * "<!--", "]]>" and the U+2028/U+2029 line separators pass through
 * unchanged; whether that matters depends on the embedding context, so
 * confirm against the caller before using this outside this file's callers.
 * The split replacement also assumes a single-quoted JS literal: inside a
 * double-quoted literal (as built by PMA_formatJsVal()) JavaScript receives
 * the literal text "</' + 'script" rather than "</script".
 *
 * @param string $string the string to be escaped
 *
 * @return string the escaped string
 */
function PMA_escapeJsString($string)
{
    $map = [
        "\000" => '',       // NUL: removed, see above
        '\\'   => '\\\\',   // \  -> \\
        '\''   => '\\\'',   // '  -> \'
        '"'    => '\"',     // "  -> \"
        "\n"   => '\n',     // LF -> \n
        "\r"   => '\r',     // CR -> \r
    ];
    $escaped = strtr($string, $map);

    // Break up the script terminator regardless of its case.
    return preg_replace('@</script@i', '</\' + \'script', $escaped);
}

/**
 * Formats a PHP value as a JavaScript literal.
 *
 * Booleans become the keywords true/false; integers are returned as they
 * are (as a PHP int rather than a string, despite the @return tag — callers
 * concatenate the result, which coerces it); everything else is passed to
 * PMA_escapeJsString() and wrapped in double quotes. Floats and null
 * therefore take the quoted-string path — presumably null yields "" via
 * strtr()'s string coercion; verify on the PHP version in use.
 *
 * @param string $value String to be formatted.
 *
 * @return string formatted value.
 */
function PMA_formatJsVal($value)
{
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }

    if (is_int($value)) {
        return $value;
    }

    return '"' . PMA_escapeJsString($value) . '"';
}

/**
 * Builds a JavaScript assignment statement for a value, with escaping and
 * support for arrays of strings.
 *
 * $key is emitted verbatim as the left-hand side, so it must be a trusted
 * identifier chosen by the caller, never derived from user input. With
 * $escape === false the value is likewise emitted verbatim and, unlike the
 * escaped paths, without a trailing ";\n" — the caller supplies complete
 * JavaScript. With escaping on, an array becomes a bracketed list of
 * PMA_formatJsVal() items (each followed by a comma, so the literal ends in
 * ",]") and a scalar becomes one PMA_formatJsVal() literal; both end in ";\n".
 *
 * @param string $key    Name of value to set
 * @param mixed  $value  Value to set, can be either string or array of strings
 * @param bool   $escape Whether to escape value or keep it as it is
 *                       (for inclusion of js code)
 *
 * @return string Javascript code.
 */
function PMA_getJsValue($key, $value, $escape = true)
{
    $lhs = $key . ' = ';

    if (!$escape) {
        return $lhs . $value;
    }

    if (is_array($value)) {
        $items = '';
        foreach ($value as $item) {
            $items .= PMA_formatJsVal($item) . ',';
        }

        return $lhs . '[' . $items . "];\n";
    }

    return $lhs . PMA_formatJsVal($value) . ";\n";
}

/**
 * Echoes the JavaScript assignment produced by PMA_getJsValue() for
 * $key/$value, always with escaping enabled.
 *
 * @param string $key   Name of value to set
 * @param mixed  $value Value to set, can be either string or array of strings
 *
 * @return void
 */
function PMA_printJsValue($key, $value)
{
    $js = PMA_getJsValue($key, $value);
    echo $js;
}

/**
 * Builds a "key: value" entry for the form-validation API, escaping the
 * value with PMA_formatJsVal().
 *
 * $key is emitted verbatim and must be a trusted identifier. When $addOn is
 * true the literal is wrapped in $.validator.format(...); when $comma is
 * true the entry is followed by ", ".
 *
 * @param string  $key   Name of value to set
 * @param string  $value Value to set
 * @param boolean $addOn Check if $.validator.format is required or not
 * @param boolean $comma Check if comma is required
 *
 * @return string Javascript code.
 */
function PMA_getJsValueForFormValidation($key, $value, $addOn, $comma)
{
    $formatted = PMA_formatJsVal($value);
    if ($addOn) {
        $formatted = '$.validator.format(' . $formatted . ')';
    }

    return $key . ': ' . $formatted . ($comma ? ', ' : '');
}

/**
 * Echoes the form-validation entry produced by
 * PMA_getJsValueForFormValidation().
 *
 * @param string  $key   Name of value to set
 * @param string  $value Value to set
 * @param boolean $addOn Check if $.validator.format is required or not
 * @param boolean $comma Check if comma is required
 *
 * @return void
 */
function PMA_printJsValueForFormValidation($key, $value, $addOn = false, $comma = true)
{
    $js = PMA_getJsValueForFormValidation($key, $value, $addOn, $comma);
    echo $js;
}