diff options
Diffstat (limited to 'hugo/libraries/js_escape.lib.php')
| -rw-r--r-- | hugo/libraries/js_escape.lib.php | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/hugo/libraries/js_escape.lib.php b/hugo/libraries/js_escape.lib.php new file mode 100644 index 0000000..42d7fed --- /dev/null +++ b/hugo/libraries/js_escape.lib.php @@ -0,0 +1,133 @@ +<?php +/* vim: set expandtab sw=4 ts=4 sts=4: */ +/** + * Javascript escaping functions. + * + * @package PhpMyAdmin + * + */ +if (! defined('PHPMYADMIN')) { + exit; +} + +/** + * Format a string so it can be a string inside JavaScript code inside an + * eventhandler (onclick, onchange, on..., ). + * This function is used to displays a javascript confirmation box for + * "DROP/DELETE/ALTER" queries. + * + * @param string $a_string the string to format + * @param boolean $add_backquotes whether to add backquotes to the string or not + * + * @return string the formatted string + * + * @access public + */ +function PMA_jsFormat($a_string = '', $add_backquotes = true) +{ + if (is_string($a_string)) { + $a_string = htmlspecialchars($a_string); + $a_string = PMA_escapeJsString($a_string); + // Needed for inline javascript to prevent some browsers + // treating it as a anchor + $a_string = str_replace('#', '\\#', $a_string); + } + + return (($add_backquotes) ? PMA_Util::backquote($a_string) : $a_string); +} // end of the 'PMA_jsFormat()' function + +/** + * escapes a string to be inserted as string a JavaScript block + * enclosed by <![CDATA[ ... ]]> + * this requires only to escape ' with \' and end of script block + * + * We also remove NUL byte as some browsers (namely MSIE) ignore it and + * inserting it anywhere inside </script would allow to bypass this check. + * + * @param string $string the string to be escaped + * + * @return string the escaped string + */ +function PMA_escapeJsString($string) +{ + return preg_replace( + '@</script@i', '</\' + \'script', + strtr( + $string, + array( + "\000" => '', + '\\' => '\\\\', + '\'' => '\\\'', + '"' => '\"', + "\n" => '\n', + "\r" => '\r' + ) + ) + ); +} + +/** + * Formats a value for javascript code. + * + * @param string $value String to be formatted. + * + * @return string formatted value. + */ +function PMA_formatJsVal($value) +{ + if (is_bool($value)) { + if ($value) { + return 'true'; + } else { + return 'false'; + } + } elseif (is_int($value)) { + return (int)$value; + } else { + return '"' . PMA_escapeJsString($value) . '"'; + } +} + +/** + * Formats an javascript assignment with proper escaping of a value + * and support for assigning array of strings. + * + * @param string $key Name of value to set + * @param mixed $value Value to set, can be either string or array of strings + * @param bool $escape Whether to escape value or keep it as it is + * (for inclusion of js code) + * + * @return string Javascript code. + */ +function PMA_getJsValue($key, $value, $escape = true) +{ + $result = $key . ' = '; + if (!$escape) { + $result .= $value; + } elseif (is_array($value)) { + $result .= '['; + foreach ($value as $val) { + $result .= PMA_formatJsVal($val) . ","; + } + $result .= "];\n"; + } else { + $result .= PMA_formatJsVal($value) . ";\n"; + } + return $result; +} + +/** + * Prints an javascript assignment with proper escaping of a value + * and support for assigning array of strings. + * + * @param string $key Name of value to set + * @param mixed $value Value to set, can be either string or array of strings + * + * @return void + */ +function PMA_printJsValue($key, $value) +{ + echo PMA_getJsValue($key, $value); +} + +?> |