/branches/1.0/lib/helper/EscapingHelper.php

Revision 2669, 2.9 kB (checked in by fabien, 7 years ago)

fixed esc_js_no_entities() strips ending </select> and other ending tags (closes #1056 - patch from Draven)

  • Property svn:mime-type set to text/x-php
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
<?php

/*
 * This file is part of the symfony package.
 * (c) 2004-2006 Fabien Potencier <fabien.potencier@symfony-project.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

/**
 * The functions are primarily used by the output escaping component.
 *
 * Each function specifies a way for applying a transformation to a string
 * passed to it. The purpose is for the string to be "escaped" so it is
 * suitable for the format it is being displayed in.
 *
 * For example, the string: "It's required that you enter a username & password.\n"
 * If this were to be displayed as HTML it would be sensible to turn the
 * ampersand into '&amp;' and the apostrophe into '&apos;'. However if it were
 * going to be used as a string in JavaScript to be displayed in an alert box
 * it would be right to leave the string as-is, but c-escape the apostrophe and
 * the new line.
 *
 * For each function there is a define to avoid problems with strings being
 * incorrectly specified.
 *
 * @package    symfony
 * @subpackage helper
 * @author     Mike Squire <mike@somosis.co.uk>
 * @version    SVN: $Id$
 */

/**
 * Runs the PHP function htmlentities on the value passed.
 *
 * @param string $value the value to escape
 * @return string the escaped value
 */
function esc_entities($value)
{
  // Numbers and boolean values get turned into strings which can cause problems
  // with type comparisons (e.g. === or is_int() etc).
  return is_string($value) ? htmlentities($value, ENT_QUOTES, sfConfig::get('sf_charset')) : $value;
}

define('ESC_ENTITIES', 'esc_entities');

/**
 * An identity function that merely returns that which it is given, the purpose
 * being to be able to specify that the value is not to be escaped in any way.
 *
 * @param string $value the value to escape
 * @return string the escaped value
 */
function esc_raw($value)
{
  return $value;
}

define('ESC_RAW', 'esc_raw');

/**
 * A function that c-escapes a string after applying {@link esc_entities()}. The
 * assumption is that the value will be used to generate dynamic HTML in some
 * way and the safest way to prevent mishap is to assume the value should have
 * HTML entities set properly.
 *
 * The {@link esc_js_no_entities()} method should be used to escape a string
 * that is ultimately not going to end up as text in an HTML document.
 *
 * @param string $value the value to escape
 * @return string the escaped value
 */
function esc_js($value)
{
  return esc_js_no_entities(esc_entities($value));
}

define('ESC_JS', 'esc_js');

/**
 * A function that c-escapes a string, making it suitable to be placed in a
 * JavaScript string.
 *
 * @param string $value the value to escape
 * @return string the escaped value
 */
function esc_js_no_entities($value)
{
  // Backslash-escapes control characters, the backslash itself, both kinds of
  // quote, bytes 0x7F..0xFF and the forward slash; escaping "/" means "</"
  // can never appear verbatim and form an end tag inside an inline script.
  return addcslashes($value, "\0..\37\\'\"\177..\377\/");
}

define('ESC_JS_NO_ENTITIES', 'esc_js_no_entities');

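The following script is an added example, not code from the symfony helper or from the ticket. It copies the two escaping functions from the file above, stubs sfConfig (an assumption, so the snippet runs outside symfony), and checks on a constructed value what a template author relies on: the escaped literal decodes back to the original and cannot close the string, the line, or the enclosing script element.

```php
<?php
// Added example, not part of the symfony helper. It runs the helper's escaping
// over a constructed value and checks that the resulting JS literal decodes
// back to the original and cannot close the string, the line or the <script>
// element. Assumptions: sfConfig is a stub returning UTF-8; the two helper
// functions are copied verbatim from the file above so this runs stand-alone.

class sfConfig
{
  public static function get($name, $default = null)
  {
    return $name === 'sf_charset' ? 'UTF-8' : $default;   // stub (assumption)
  }
}

function esc_entities($value)
{
  return is_string($value) ? htmlentities($value, ENT_QUOTES, sfConfig::get('sf_charset')) : $value;
}

function esc_js_no_entities($value)
{
  return addcslashes($value, "\0..\37\\'\"\177..\377\/");
}

// True when $literal can sit between quotes in an inline <script> without
// ending the string, the line, or the element.
function is_safe_js_literal($literal)
{
  return strpos($literal, '</') === false            // cannot form an end tag
      && !preg_match('/[\x00-\x1f]/', $literal)        // no raw control chars
      && !preg_match('/(?<!\\\\)["\']/', $literal);    // every quote is escaped
}

// Constructed sample value, with a trailing end tag like the one in ticket #1056.
$value = "It's \"quoted\"\n</select>";

$js = esc_js_no_entities($value);
printf("no_entities: %s\n", $js);
printf("  safe: %s  round-trip: %s\n",
  is_safe_js_literal($js) ? 'yes' : 'no',
  stripcslashes($js) === $value ? 'yes' : 'no');   // stripcslashes undoes addcslashes

// esc_js() entity-encodes first, so the decoded string is HTML text, not markup:
// right for innerHTML, wrong for alert(), which is what the docblock warns about.
$html = esc_js_no_entities(esc_entities($value));
printf("esc_js:      %s\n", $html);
printf("  safe: %s  decodes to: %s\n", is_safe_js_literal($html) ? 'yes' : 'no', stripcslashes($html));
```

Because addcslashes() writes bytes 0x7F..0xFF as octal byte escapes, non-ASCII UTF-8 input only survives intact when esc_entities() has first turned it into ASCII entities, which is one more reason esc_js() applies that step first.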