EscapingHelper.php 3.4 KB

  1. <?php
  2. /*
  3. * This file is part of the symfony package.
  4. * (c) 2004-2006 Fabien Potencier <fabien.potencier@symfony-project.com>
  5. *
  6. * For the full copyright and license information, please view the LICENSE
  7. * file that was distributed with this source code.
  8. */
  9. /**
  10. * The functions are primarily used by the output escaping component.
  11. *
  12. * Each function specifies a way for applying a transformation to a string
  13. * passed to it. The purpose is for the string to be "escaped" so it is
  14. * suitable for the format it is being displayed in.
  15. *
  16. * For example, the string: "It's required that you enter a username & password.\n"
  17. * If this were to be displayed as HTML it would be sensible to turn the
  18. * ampersand into '&amp;' and the apostrophe into '&#039;'. However if it were
  19. * going to be used as a string in JavaScript to be displayed in an alert box
  20. * it would be right to leave the string as-is, but c-escape the apostrophe and
  21. * the new line.
  22. *
  23. * For each function there is a define to avoid problems with strings being
  24. * incorrectly specified.
  25. *
  26. * @package symfony
  27. * @subpackage helper
  28. * @author Mike Squire <mike@somosis.co.uk>
  29. * @version SVN: $Id: EscapingHelper.php 9101 2008-05-20 08:38:20Z FabianLange $
  30. */
  /**
   * HTML-escapes a string with htmlentities(); any other type is returned as-is.
   *
   * Strings are encoded with ENT_QUOTES, so both single and double quotes are
   * converted, using the charset read from sfConfig::get('sf_charset').
   *
   * Security notes:
   *  - The output is intended for HTML text and quoted attribute values. It is
   *    not a substitute for context-specific escaping in URLs, CSS, unquoted
   *    attributes or JavaScript.
   *  - Non-string values (arrays, objects, numbers, booleans, null) are passed
   *    through without escaping, so callers must not rely on this function for
   *    values that are turned into strings later.
   *  - NOTE(review): sf_charset should match the charset the response is served
   *    with; on PHP 5.4+ htmlentities() returns an empty string for input that
   *    is invalid in that charset unless ENT_SUBSTITUTE or ENT_IGNORE is passed.
   *
   * @param mixed $value the value to escape
   * @return mixed the escaped string, or the original value when it is not a string
   */
  function esc_entities($value)
  {
    // Leave numbers, booleans and other non-strings alone: converting them to
    // strings would break later type comparisons (=== or is_int() etc).
    if (!is_string($value))
    {
      return $value;
    }

    return htmlentities($value, ENT_QUOTES, sfConfig::get('sf_charset'));
  }
  define('ESC_ENTITIES', 'esc_entities');
  /**
   * HTML-escapes a string with htmlspecialchars(); any other type is returned
   * as-is.
   *
   * Strings are encoded with ENT_QUOTES, so both single and double quotes are
   * converted, using the charset read from sfConfig::get('sf_charset').
   *
   * Security notes:
   *  - The output is intended for HTML text and quoted attribute values. It is
   *    not a substitute for context-specific escaping in URLs, CSS, unquoted
   *    attributes or JavaScript.
   *  - Non-string values are passed through without escaping.
   *  - NOTE(review): sf_charset should match the charset the response is served
   *    with; on PHP 5.4+ htmlspecialchars() returns an empty string for input
   *    that is invalid in that charset unless ENT_SUBSTITUTE or ENT_IGNORE is
   *    passed.
   *
   * @param mixed $value the value to escape
   * @return mixed the escaped string, or the original value when it is not a string
   */
  function esc_specialchars($value)
  {
    // Leave numbers, booleans and other non-strings alone: converting them to
    // strings would break later type comparisons (=== or is_int() etc).
    if (!is_string($value))
    {
      return $value;
    }

    return htmlspecialchars($value, ENT_QUOTES, sfConfig::get('sf_charset'));
  }
  define('ESC_SPECIALCHARS', 'esc_specialchars');
  /**
   * Identity "escaper": hands the value back exactly as it was received.
   *
   * It exists so that a caller can state explicitly that a value must not be
   * escaped. Selecting ESC_RAW turns output escaping off for that value, so it
   * should only be used for content that is already safe for the context it is
   * written into (for example markup built by trusted code), never for data
   * that originates from a request or another untrusted source.
   *
   * @param mixed $value the value to pass through
   * @return mixed the same value, unmodified
   */
  function esc_raw($value)
  {
    // Deliberately no transformation: this is the opt-out from escaping.
    return $value;
  }
  define('ESC_RAW', 'esc_raw');
  /**
   * Escapes a value for a JavaScript string literal whose content will later be
   * written into the page as HTML.
   *
   * The value is first passed through {@link esc_entities()} and the result is
   * then c-escaped by {@link esc_js_no_entities()}.
   *
   * Use {@link esc_js_no_entities()} instead when the string will not end up as
   * text in an HTML document.
   *
   * Security notes:
   *  - The order (HTML entities first, backslash escaping second) fits a string
   *    literal inside a script block. Inside an inline event-handler attribute
   *    the browser decodes the entities before the script runs, so the quote
   *    characters reappear unescaped; this function does not protect that
   *    context.
   *  - Non-string values skip the entity step because esc_entities() returns
   *    them unchanged.
   *
   * @param string $value the value to escape
   * @return string the escaped value
   */
  function esc_js($value)
  {
    // Step 1: HTML-entity encode; step 2: backslash-escape for the JS literal.
    $htmlEscaped = esc_entities($value);

    return esc_js_no_entities($htmlEscaped);
  }
  define('ESC_JS', 'esc_js');
  /**
   * C-escapes a string with addcslashes() so it can be placed inside a quoted
   * JavaScript string literal.
   *
   * Escaped bytes: 0x00-0x1F, backslash, single quote, double quote, 0x7F-0xFF
   * and the forward slash. Escaping the forward slash means a closing script
   * tag in the value is emitted as "<\/script>" rather than literally.
   *
   * Security notes:
   *  - No HTML escaping is done: "<", ">" and "&" are left untouched, so the
   *    result is only suitable inside a quoted JavaScript string, not as HTML
   *    text or an attribute value.
   *  - Bytes 0x7F-0xFF are written as one octal escape per byte. A multibyte
   *    UTF-8 character therefore becomes several escapes that JavaScript reads
   *    as separate characters, and octal escapes are rejected in strict-mode
   *    scripts.
   *
   * @param string $value the value to escape
   * @return string the escaped value
   */
  function esc_js_no_entities($value)
  {
    // Character list handed to addcslashes(): control bytes, backslash, both
    // quote characters, DEL and all high bytes, and the forward slash.
    $charList = "\0..\37\\'\"\177..\377\/";

    return addcslashes($value, $charList);
  }
  define('ESC_JS_NO_ENTITIES', 'esc_js_no_entities');