~ubuntu-branches/ubuntu/trusty/phpmyadmin/trusty

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Javascript escaping functions.
 *
 * @package PhpMyAdmin
 *
 */
// Stop immediately when the PHPMYADMIN constant is not defined, so this file
// produces nothing if it is requested directly instead of being included.
// NOTE(review): the constant is presumably defined by the including entry
// script; that definition is not visible in this file.
if (defined('PHPMYADMIN') === false) {
    exit;
}

/**
 * Formats a string so it can be used as a string inside JavaScript code
 * inside an event handler attribute (onclick, onchange, on...).
 * This function is used to display a JavaScript confirmation box for
 * "DROP/DELETE/ALTER" queries.
 *
 * String input is HTML-escaped first, then JavaScript-escaped, then every
 * "#" is prefixed with a backslash. Non-string input skips all three steps.
 *
 * htmlspecialchars() is called without flags, so quote handling follows the
 * PHP default: double quotes only before PHP 8.1; since 8.1 single quotes
 * become "&#039;", which the "#" replacement would then alter.
 *
 * @param string  $a_string       the string to format
 * @param boolean $add_backquotes whether to add backquotes to the string or not
 *
 * @return string   the formatted string
 *
 * @access  public
 */
function PMA_jsFormat($a_string = '', $add_backquotes = true)
{
    if (is_string($a_string)) {
        $js_escaped = PMA_escapeJsString(htmlspecialchars($a_string));
        // Needed for inline javascript to prevent some browsers
        // treating it as an anchor
        $a_string = str_replace('#', '\\#', $js_escaped);
    }

    if ($add_backquotes) {
        return PMA_Util::backquote($a_string);
    }

    return $a_string;
} // end of the 'PMA_jsFormat()' function

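/**
 * Escapes a string so it can be placed inside a quoted JavaScript string
 * literal in an inline script block.
 *
 * Backslashes, both quote characters, CR and LF are backslash-escaped. NUL
 * bytes are removed, because some browsers (namely MSIE) ignore them and a
 * NUL inside "</script" would otherwise slip past the check below.
 *
 * The sequence "</script" (any letter case) is rewritten to "<\/script" so
 * the HTML parser does not see the end of the script element. "\/" is a plain
 * "/" in a JavaScript string, so the value stays intact in single-quoted and
 * in double-quoted literals alike (PMA_formatJsVal() wraps in double quotes).
 *
 * Not covered here: HTML escaping (the result is not safe inside an HTML
 * attribute by itself), the sequences "]]>" and "<!--", and the line
 * separators U+2028/U+2029.
 *
 * @param string $string the string to be escaped
 *
 * @return string  the escaped string
 */
function PMA_escapeJsString($string)
{
    $escaped = strtr(
        $string,
        array(
            "\000" => '',
            '\\' => '\\\\',
            '\'' => '\\\'',
            '"' => '\"',
            "\n" => '\n',
            "\r" => '\r'
        )
    );

    // Runs after strtr() so the backslash added here is not doubled again.
    // The capture group keeps the letter case of the matched text.
    return preg_replace('@<(/script)@i', '<\\\\$1', $escaped);
}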

/**
 * Formats a value for javascript code.
 *
 * Booleans become the bare words true/false, integers are returned as
 * integers, and every other value is passed through PMA_escapeJsString()
 * and wrapped in double quotes.
 *
 * @param mixed $value Value to be formatted.
 *
 * @return string|int formatted value (an int when $value is an int).
 */
function PMA_formatJsVal($value)
{
    if (is_bool($value)) {
        return $value ? 'true' : 'false';
    }

    if (is_int($value)) {
        return (int)$value;
    }

    // Floats, null and other types also end up here as quoted strings.
    return '"' . PMA_escapeJsString($value) . '"';
}

/**
 * Formats a javascript assignment with proper escaping of a value
 * and support for assigning array of strings.
 *
 * $key is emitted verbatim. With $escape set to false, $value is emitted
 * verbatim as well and no ";" or newline is appended, so both must come from
 * trusted code and never from request data.
 *
 * @param string $key    Name of value to set
 * @param mixed  $value  Value to set, can be either string or array of strings
 * @param bool   $escape Whether to escape value or keep it as it is
 *                       (for inclusion of js code)
 *
 * @return string Javascript code.
 */
function PMA_getJsValue($key, $value, $escape = true)
{
    $assignment = $key . ' = ';

    if (! $escape) {
        return $assignment . $value;
    }

    if (! is_array($value)) {
        return $assignment . PMA_formatJsVal($value) . ";\n";
    }

    // Every element is followed by a comma, so a non-empty array literal
    // ends with a trailing comma before the closing bracket.
    $elements = '';
    foreach ($value as $element) {
        $elements .= PMA_formatJsVal($element) . ",";
    }

    return $assignment . '[' . $elements . "];\n";
}

/**
 * Prints a javascript assignment with proper escaping of a value
 * and support for assigning array of strings.
 *
 * Output is whatever PMA_getJsValue() returns with escaping enabled; $key is
 * not escaped there, so it must be a trusted identifier.
 *
 * @param string $key   Name of value to set
 * @param mixed  $value Value to set, can be either string or array of strings
 *
 * @return void
 */
function PMA_printJsValue($key, $value)
{
    $assignment = PMA_getJsValue($key, $value);
    echo $assignment;
}

?>