/phpmyadmin/libraries/js_escape.lib.php

https://gitlab.com/luyxtran264/myproject · PHP · 175 lines · 81 code · 11 blank · 83 comment · 9 complexity · 1c4d3cc377b281a4b65ade379b27b19b MD5 · raw file 

    

  1. <?php
    2. 

  2. /* vim: set expandtab sw=4 ts=4 sts=4: */
    3. 

  3. /**
    4. 

  4.  * Javascript escaping functions.
    5. 

  5.  *
    6. 

  6.  * @package PhpMyAdmin
    7. 

  7.  *
    8. 

  8.  */
    9. 

  9. 

  10. /**
    11. 

  11.  * Format a string so it can be a string inside JavaScript code inside an
    12. 

  12.  * eventhandler (onclick, onchange, on..., ).
    13. 

  13.  * This function is used to displays a javascript confirmation box for
    14. 

  14.  * "DROP/DELETE/ALTER" queries.
    15. 

  15.  *
    16. 

  16.  * @param string  $a_string       the string to format
    17. 

  17.  * @param boolean $add_backquotes whether to add backquotes to the string or not
    18. 

  18.  *
    19. 

  19.  * @return string   the formatted string
    20. 

  20.  *
    21. 

  21.  * @access  public
    22. 

  22.  */
    23. 

  23. function PMA_jsFormat($a_string = '', $add_backquotes = true)
    24. 

  24. {
    25. 

  25.     if (is_string($a_string)) {
    26. 

  26.         $a_string = htmlspecialchars($a_string);
    27. 

  27.         $a_string = PMA_escapeJsString($a_string);
    28. 

  28.         // Needed for inline javascript to prevent some browsers
    29. 

  29.         // treating it as a anchor
    30. 

  30.         $a_string = str_replace('#', '\\#', $a_string);
    31. 

  31.     }
    32. 

  32. 

  33.     return $add_backquotes
    34. 

  34.         ? PMA\libraries\Util::backquote($a_string)
    35. 

  35.         : $a_string;
    36. 

  36. } // end of the 'PMA_jsFormat()' function
    37. 

  37. 

  38. /**
    39. 

  39.  * escapes a string to be inserted as string a JavaScript block
    40. 

  40.  * enclosed by <![CDATA[ ... ]]>
    41. 

  41.  * this requires only to escape ' with \' and end of script block
    42. 

  42.  *
    43. 

  43.  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
    44. 

  44.  * inserting it anywhere inside </script would allow to bypass this check.
    45. 

  45.  *
    46. 

  46.  * @param string $string the string to be escaped
    47. 

  47.  *
    48. 

  48.  * @return string  the escaped string
    49. 

  49.  */
    50. 

  50. function PMA_escapeJsString($string)
    51. 

  51. {
    52. 

  52.     return preg_replace(
    53. 

  53.         '@</script@i', '</\' + \'script',
    54. 

  54.         strtr(
    55. 

  55.             $string,
    56. 

  56.             array(
    57. 

  57.                 "\000" => '',
    58. 

  58.                 '\\' => '\\\\',
    59. 

  59.                 '\'' => '\\\'',
    60. 

  60.                 '"' => '\"',
    61. 

  61.                 "\n" => '\n',
    62. 

  62.                 "\r" => '\r'
    63. 

  63.             )
    64. 

  64.         )
    65. 

  65.     );
    66. 

  66. }
    67. 

  67. 

  68. /**
    69. 

  69.  * Formats a value for javascript code.
    70. 

  70.  *
    71. 

  71.  * @param string $value String to be formatted.
    72. 

  72.  *
    73. 

  73.  * @return string formatted value.
    74. 

  74.  */
    75. 

  75. function PMA_formatJsVal($value)
    76. 

  76. {
    77. 

  77.     if (is_bool($value)) {
    78. 

  78.         if ($value) {
    79. 

  79.             return 'true';
    80. 

  80.         }
    81. 

  81. 

  82.         return 'false';
    83. 

  83.     }
    84. 

  84. 

  85.     if (is_int($value)) {
    86. 

  86.         return (int)$value;
    87. 

  87.     }
    88. 

  88. 

  89.     return '"' . PMA_escapeJsString($value) . '"';
    90. 

  90. }
    91. 

  91. 

  92. /**
    93. 

  93.  * Formats an javascript assignment with proper escaping of a value
    94. 

  94.  * and support for assigning array of strings.
    95. 

  95.  *
    96. 

  96.  * @param string $key    Name of value to set
    97. 

  97.  * @param mixed  $value  Value to set, can be either string or array of strings
    98. 

  98.  * @param bool   $escape Whether to escape value or keep it as it is
    99. 

  99.  *                       (for inclusion of js code)
    100. 

  100.  *
    101. 

  101.  * @return string Javascript code.
    102. 

  102.  */
    103. 

  103. function PMA_getJsValue($key, $value, $escape = true)
    104. 

  104. {
    105. 

  105.     $result = $key . ' = ';
    106. 

  106.     if (!$escape) {
    107. 

  107.         $result .= $value;
    108. 

  108.     } elseif (is_array($value)) {
    109. 

  109.         $result .= '[';
    110. 

  110.         foreach ($value as $val) {
    111. 

  111.             $result .= PMA_formatJsVal($val) . ",";
    112. 

  112.         }
    113. 

  113.         $result .= "];\n";
    114. 

  114.     } else {
    115. 

  115.         $result .= PMA_formatJsVal($value) . ";\n";
    116. 

  116.     }
    117. 

  117.     return $result;
    118. 

  118. }
    119. 

  119. 

  120. /**
    121. 

  121.  * Prints an javascript assignment with proper escaping of a value
    122. 

  122.  * and support for assigning array of strings.
    123. 

  123.  *
    124. 

  124.  * @param string $key   Name of value to set
    125. 

  125.  * @param mixed  $value Value to set, can be either string or array of strings
    126. 

  126.  *
    127. 

  127.  * @return void
    128. 

  128.  */
    129. 

  129. function PMA_printJsValue($key, $value)
    130. 

  130. {
    131. 

  131.     echo PMA_getJsValue($key, $value);
    132. 

  132. }
    133. 

  133. 

  134. /**
    135. 

  135.  * Formats javascript assignment for form validation api
    136. 

  136.  * with proper escaping of a value.
    137. 

  137.  *
    138. 

  138.  * @param string  $key   Name of value to set
    139. 

  139.  * @param string  $value Value to set
    140. 

  140.  * @param boolean $addOn Check if $.validator.format is required or not
    141. 

  141.  * @param boolean $comma Check if comma is required
    142. 

  142.  *
    143. 

  143.  * @return string Javascript code.
    144. 

  144.  */
    145. 

  145. function PMA_getJsValueForFormValidation($key, $value, $addOn, $comma)
    146. 

  146. {
    147. 

  147.     $result = $key . ': ';
    148. 

  148.     if ($addOn) {
    149. 

  149.         $result .= '$.validator.format(';
    150. 

  150.     }
    151. 

  151.     $result .= PMA_formatJsVal($value);
    152. 

  152.     if ($addOn) {
    153. 

  153.         $result .= ')';
    154. 

  154.     }
    155. 

  155.     if ($comma) {
    156. 

  156.         $result .= ', ';
    157. 

  157.     }
    158. 

  158.     return $result;
    159. 

  159. }
    160. 

  160. 

  161. /**
    162. 

  162.  * Prints javascript assignment for form validation api
    163. 

  163.  * with proper escaping of a value.
    164. 

  164.  *
    165. 

  165.  * @param string  $key   Name of value to set
    166. 

  166.  * @param string  $value Value to set
    167. 

  167.  * @param boolean $addOn Check if $.validator.format is required or not
    168. 

  168.  * @param boolean $comma Check if comma is required
    169. 

  169.  *
    170. 

  170.  * @return void
    171. 

  171.  */
    172. 

  172. function PMA_printJsValueForFormValidation($key, $value, $addOn=false, $comma=true)
    173. 

  173. {
    174. 

  174.     echo PMA_getJsValueForFormValidation($key, $value, $addOn, $comma);
    175. 

  175. }
    176.