Home Explore Help
Sign In
hanzhengyi
/
usky-website
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
usky-website
/
web
/
pa
/
libraries
/
js_escape.lib.php

js_escape.lib.php 3.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 
  1. <?php
    2. 

  2. /* vim: set expandtab sw=4 ts=4 sts=4: */
    3. 

  3. /**
    4. 

  4.  * Javascript escaping functions.
    5. 

  5.  *
    6. 

  6.  * @package PhpMyAdmin
    7. 

  7.  *
    8. 

  8.  */
    9. 

  9. if (! defined('PHPMYADMIN')) {
    10. 

  10.     exit;
    11. 

  11. }
    12. 

  12. 

  13. /**
    14. 

  14.  * Format a string so it can be a string inside JavaScript code inside an
    15. 

  15.  * eventhandler (onclick, onchange, on..., ).
    16. 

  16.  * This function is used to displays a javascript confirmation box for
    17. 

  17.  * "DROP/DELETE/ALTER" queries.
    18. 

  18.  *
    19. 

  19.  * @param string  $a_string       the string to format
    20. 

  20.  * @param boolean $add_backquotes whether to add backquotes to the string or not
    21. 

  21.  *
    22. 

  22.  * @return string   the formatted string
    23. 

  23.  *
    24. 

  24.  * @access  public
    25. 

  25.  */
    26. 

  26. function PMA_jsFormat($a_string = '', $add_backquotes = true)
    27. 

  27. {
    28. 

  28.     if (is_string($a_string)) {
    29. 

  29.         $a_string = htmlspecialchars($a_string);
    30. 

  30.         $a_string = PMA_escapeJsString($a_string);
    31. 

  31.         // Needed for inline javascript to prevent some browsers
    32. 

  32.         // treating it as a anchor
    33. 

  33.         $a_string = str_replace('#', '\\#', $a_string);
    34. 

  34.     }
    35. 

  35. 

  36.     return (($add_backquotes) ? PMA_Util::backquote($a_string) : $a_string);
    37. 

  37. } // end of the 'PMA_jsFormat()' function
    38. 

  38. 

  39. /**
    40. 

  40.  * escapes a string to be inserted as string a JavaScript block
    41. 

  41.  * enclosed by <![CDATA[ ... ]]>
    42. 

  42.  * this requires only to escape ' with \' and end of script block
    43. 

  43.  *
    44. 

  44.  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
    45. 

  45.  * inserting it anywhere inside </script would allow to bypass this check.
    46. 

  46.  *
    47. 

  47.  * @param string $string the string to be escaped
    48. 

  48.  *
    49. 

  49.  * @return string  the escaped string
    50. 

  50.  */
    51. 

  51. function PMA_escapeJsString($string)
    52. 

  52. {
    53. 

  53.     return preg_replace(
    54. 

  54.         '@</script@i', '</\' + \'script',
    55. 

  55.         strtr(
    56. 

  56.             $string,
    57. 

  57.             array(
    58. 

  58.                 "\000" => '',
    59. 

  59.                 '\\' => '\\\\',
    60. 

  60.                 '\'' => '\\\'',
    61. 

  61.                 '"' => '\"',
    62. 

  62.                 "\n" => '\n',
    63. 

  63.                 "\r" => '\r'
    64. 

  64.             )
    65. 

  65.         )
    66. 

  66.     );
    67. 

  67. }
    68. 

  68. 

  69. /**
    70. 

  70.  * Formats a value for javascript code.
    71. 

  71.  *
    72. 

  72.  * @param string $value String to be formatted.
    73. 

  73.  *
    74. 

  74.  * @return string formatted value.
    75. 

  75.  */
    76. 

  76. function PMA_formatJsVal($value)
    77. 

  77. {
    78. 

  78.     if (is_bool($value)) {
    79. 

  79.         if ($value) {
    80. 

  80.             return 'true';
    81. 

  81.         } else {
    82. 

  82.             return 'false';
    83. 

  83.         }
    84. 

  84.     } elseif (is_int($value)) {
    85. 

  85.         return (int)$value;
    86. 

  86.     } else {
    87. 

  87.         return '"' . PMA_escapeJsString($value) . '"';
    88. 

  88.     }
    89. 

  89. }
    90. 

  90. 

  91. /**
    92. 

  92.  * Formats an javascript assignment with proper escaping of a value
    93. 

  93.  * and support for assigning array of strings.
    94. 

  94.  *
    95. 

  95.  * @param string $key    Name of value to set
    96. 

  96.  * @param mixed  $value  Value to set, can be either string or array of strings
    97. 

  97.  * @param bool   $escape Whether to escape value or keep it as it is
    98. 

  98.  *                       (for inclusion of js code)
    99. 

  99.  *
    100. 

  100.  * @return string Javascript code.
    101. 

  101.  */
    102. 

  102. function PMA_getJsValue($key, $value, $escape = true)
    103. 

  103. {
    104. 

  104.     $result = $key . ' = ';
    105. 

  105.     if (!$escape) {
    106. 

  106.         $result .= $value;
    107. 

  107.     } elseif (is_array($value)) {
    108. 

  108.         $result .= '[';
    109. 

  109.         foreach ($value as $val) {
    110. 

  110.             $result .= PMA_formatJsVal($val) . ",";
    111. 

  111.         }
    112. 

  112.         $result .= "];\n";
    113. 

  113.     } else {
    114. 

  114.         $result .= PMA_formatJsVal($value) . ";\n";
    115. 

  115.     }
    116. 

  116.     return $result;
    117. 

  117. }
    118. 

  118. 

  119. /**
    120. 

  120.  * Prints an javascript assignment with proper escaping of a value
    121. 

  121.  * and support for assigning array of strings.
    122. 

  122.  *
    123. 

  123.  * @param string $key   Name of value to set
    124. 

  124.  * @param mixed  $value Value to set, can be either string or array of strings
    125. 

  125.  *
    126. 

  126.  * @return void
    127. 

  127.  */
    128. 

  128. function PMA_printJsValue($key, $value)
    129. 

  129. {
    130. 

  130.     echo PMA_getJsValue($key, $value);
    131. 

  131. }
    132. 

  132. 

  133. ?>
    134.