首頁 探索 說明
登入
TC
/
TeaBag
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: bd6cc200ae
分支列表 標籤列表
TeaBag
/
run
/
phpapps
/
phpmyadmin
/
libraries
/
js_escape.lib.php

js_escape.lib.php 3.4 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135 
  1. <?php
    2. 

  2. /* vim: set expandtab sw=4 ts=4 sts=4: */
    3. 

  3. /**
    4. 

  4.  * Javascript escaping functions.
    5. 

  5.  *
    6. 

  6.  * @package PhpMyAdmin
    7. 

  7.  *
    8. 

  8.  */
    9. 

  9. if (! defined('PHPMYADMIN')) {
    10. 

  10.     exit;
    11. 

  11. }
    12. 

  12. 

  13. /**
    14. 

  14.  * Format a string so it can be a string inside JavaScript code inside an
    15. 

  15.  * eventhandler (onclick, onchange, on..., ).
    16. 

  16.  * This function is used to displays a javascript confirmation box for
    17. 

  17.  * "DROP/DELETE/ALTER" queries.
    18. 

  18.  *
    19. 

  19.  * @param string  $a_string       the string to format
    20. 

  20.  * @param boolean $add_backquotes whether to add backquotes to the string or not
    21. 

  21.  *
    22. 

  22.  * @return string   the formatted string
    23. 

  23.  *
    24. 

  24.  * @access  public
    25. 

  25.  */
    26. 

  26. function PMA_jsFormat($a_string = '', $add_backquotes = true)
    27. 

  27. {
    28. 

  28.     if (is_string($a_string)) {
    29. 

  29.         $a_string = htmlspecialchars($a_string);
    30. 

  30.         $a_string = PMA_escapeJsString($a_string);
    31. 

  31.         // Needed for inline javascript to prevent some browsers
    32. 

  32.         // treating it as a anchor
    33. 

  33.         $a_string = str_replace('#', '\\#', $a_string);
    34. 

  34.     }
    35. 

  35. 

  36.     return (($add_backquotes) ? PMA_Util::backquote($a_string) : $a_string);
    37. 

  37. } // end of the 'PMA_jsFormat()' function
    38. 

  38. 

  39. /**
    40. 

  40.  * escapes a string to be inserted as string a JavaScript block
    41. 

  41.  * enclosed by <![CDATA[ ... ]]>
    42. 

  42.  * this requires only to escape ' with \' and end of script block
    43. 

  43.  *
    44. 

  44.  * We also remove NUL byte as some browsers (namely MSIE) ignore it and
    45. 

  45.  * inserting it anywhere inside </script would allow to bypass this check.
    46. 

  46.  *
    47. 

  47.  * @param string $string the string to be escaped
    48. 

  48.  *
    49. 

  49.  * @return string  the escaped string
    50. 

  50.  */
    51. 

  51. function PMA_escapeJsString($string)
    52. 

  52. {
    53. 

  53.     return preg_replace(
    54. 

  54.         '@</script@i', '</\' + \'script',
    55. 

  55.         strtr(
    56. 

  56.             $string,
    57. 

  57.             array(
    58. 

  58.                 "\000" => '',
    59. 

  59.                 '\\' => '\\\\',
    60. 

  60.                 '\'' => '\\\'',
    61. 

  61.                 '"' => '\"',
    62. 

  62.                 "\n" => '\n',
    63. 

  63.                 "\r" => '\r'
    64. 

  64.             )
    65. 

  65.         )
    66. 

  66.     );
    67. 

  67. }
    68. 

  68. 

  69. /**
    70. 

  70.  * Formats a value for javascript code.
    71. 

  71.  *
    72. 

  72.  * @param string $value String to be formatted.
    73. 

  73.  *
    74. 

  74.  * @return string formatted value.
    75. 

  75.  */
    76. 

  76. function PMA_formatJsVal($value)
    77. 

  77. {
    78. 

  78.     if (is_bool($value)) {
    79. 

  79.         if ($value) {
    80. 

  80.             return 'true';
    81. 

  81.         }
    82. 

  82. 

  83.         return 'false';
    84. 

  84.     }
    85. 

  85. 

  86.     if (is_int($value)) {
    87. 

  87.         return (int)$value;
    88. 

  88.     }
    89. 

  89. 

  90.     return '"' . PMA_escapeJsString($value) . '"';
    91. 

  91. }
    92. 

  92. 

  93. /**
    94. 

  94.  * Formats an javascript assignment with proper escaping of a value
    95. 

  95.  * and support for assigning array of strings.
    96. 

  96.  *
    97. 

  97.  * @param string $key    Name of value to set
    98. 

  98.  * @param mixed  $value  Value to set, can be either string or array of strings
    99. 

  99.  * @param bool   $escape Whether to escape value or keep it as it is
    100. 

  100.  *                       (for inclusion of js code)
    101. 

  101.  *
    102. 

  102.  * @return string Javascript code.
    103. 

  103.  */
    104. 

  104. function PMA_getJsValue($key, $value, $escape = true)
    105. 

  105. {
    106. 

  106.     $result = $key . ' = ';
    107. 

  107.     if (!$escape) {
    108. 

  108.         $result .= $value;
    109. 

  109.     } elseif (is_array($value)) {
    110. 

  110.         $result .= '[';
    111. 

  111.         foreach ($value as $val) {
    112. 

  112.             $result .= PMA_formatJsVal($val) . ",";
    113. 

  113.         }
    114. 

  114.         $result .= "];\n";
    115. 

  115.     } else {
    116. 

  116.         $result .= PMA_formatJsVal($value) . ";\n";
    117. 

  117.     }
    118. 

  118.     return $result;
    119. 

  119. }
    120. 

  120. 

  121. /**
    122. 

  122.  * Prints an javascript assignment with proper escaping of a value
    123. 

  123.  * and support for assigning array of strings.
    124. 

  124.  *
    125. 

  125.  * @param string $key   Name of value to set
    126. 

  126.  * @param mixed  $value Value to set, can be either string or array of strings
    127. 

  127.  *
    128. 

  128.  * @return void
    129. 

  129.  */
    130. 

  130. function PMA_printJsValue($key, $value)
    131. 

  131. {
    132. 

  132.     echo PMA_getJsValue($key, $value);
    133. 

  133. }
    134. 

  134. 

  135. ?>
    136.