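// Test plan: 4 esc_entities() + 1 esc_raw() + 1 esc_js() + 5 esc_js_no_entities() = 11.
$t = new lime_test(11);
// sf_charset is read by the escaping helpers (presumably for htmlspecialchars()); pin it
// so the expected values below do not depend on the environment's default charset.
sfConfig::set('sf_charset', 'UTF-8');

// esc_entities()
$t->diag('esc_entities()');
$t->is(esc_entities(10), 10, 'esc_entities() does not escape integers');
$t->is(esc_entities(false), false, 'esc_entities() does not escape booleans');
$t->is(esc_entities('foo bar'), 'foo bar', 'esc_entities() only escapes strings');
// The expected value is the entity-encoded form: the tags must not survive as markup.
$t->is(esc_entities('<b>foo</b> bar'), '&lt;b&gt;foo&lt;/b&gt; bar', 'esc_entities() only escapes strings');

// esc_raw()
$t->diag('esc_raw()');
$t->is(esc_raw('foo'), 'foo', 'esc_raw() returns the first argument as is');

// esc_js()
$t->diag('esc_js()');
// esc_js() entity-encodes first, so the quotes are already gone by the time the
// JavaScript escaping runs and nothing is left for it to backslash-escape.
$t->is(esc_js('alert(\'foo\' + "bar")'), 'alert(&#039;foo&#039; + &quot;bar&quot;)', 'esc_js() escapes javascripts');

// esc_js_no_entities()
$t->diag('esc_js_no_entities()');
$t->is(esc_js_no_entities('alert(\'foo\' + "bar")'), 'alert(\\\'foo\\\' + \\"bar\\")', 'esc_js_no_entities() escapes javascripts');
$t->is(esc_js_no_entities('alert("hi\\there")'), 'alert(\\"hi\\\\there\\")', 'esc_js_no_entities() handles slashes correctly');
$t->is(esc_js_no_entities('alert("été")'), 'alert(\\"été\\")', 'esc_js_no_entities() preserves utf-8');
// Heredoc spanning two lines: the embedded line break must become a literal "\n".
$output = <<<EOF
alert('hello
world')
EOF;
// fix_linebreaks() is defined outside this file; presumably it normalises the
// checkout-dependent line ending of the heredoc before escaping — confirm.
$t->is(esc_js_no_entities(fix_linebreaks($output)), 'alert(\\\'hello\\nworld\\\')', 'esc_js_no_entities() handles linebreaks correctly');
$t->is(esc_js_no_entities("alert('hello\nworld')"), 'alert(\\\'hello\\nworld\\\')', 'esc_js_no_entities() handles linebreaks correctly');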
/**
 * Mark the end of a block that should only be shown in the browser if JavaScript
 * is switched on.
 *
 * For a normal request the buffered block is flushed as a document.write() call,
 * so a browser without JavaScript never renders it. For an XMLHttpRequest nothing
 * is emitted and the output buffer is not touched.
 */
function end_if_javascript()
{
    $request = sfContext::getInstance()->getRequest();
    if ($request->isXmlHttpRequest()) {
        return;
    }

    $buffered = ob_get_clean();
    // NOTE(review): esc_js_no_entities() escapes the buffer for a JavaScript string
    // literal (quotes, backslashes, newlines); confirm it also neutralises a literal
    // "</script>" inside the buffered markup, since the result is emitted inside a
    // <script> element and would otherwise close it early.
    $script = "document.write('" . esc_js_no_entities($buffered) . "');";
    echo javascript_tag($script);
}
/**
 * Escape a value for use inside a JavaScript string literal, entity-encoding it
 * first via {@link esc_entities()}.
 *
 * The entity pass is deliberate: the escaped value is assumed to end up as HTML
 * text written by the script, so any markup in $value is neutralised before the
 * JavaScript escaping is applied. Use {@link esc_js_no_entities()} instead when the
 * value will never be inserted into an HTML document as text.
 *
 * @param string $value the value to escape
 * @return string the escaped value
 */
function esc_js($value)
{
    // Entity-encode before the JavaScript escaping so that quotes and angle brackets
    // are already converted when the backslash escaping runs.
    $entityEncoded = esc_entities($value);

    return esc_js_no_entities($entityEncoded);
}
/**
 * Mark the end of a block that should only be shown in the browser if JavaScript
 * is switched on.
 *
 * Takes the buffered block and echoes it as a document.write() call, so that a
 * browser without JavaScript never renders the content.
 */
function end_if_javascript()
{
    $buffered = ob_get_clean();
    // NOTE(review): esc_js_no_entities() escapes the buffer for a JavaScript string
    // literal; confirm it also neutralises a literal "</script>" inside the buffered
    // markup, since the result is emitted inside a <script> element.
    $script = "document.write('" . esc_js_no_entities($buffered) . "');";
    echo javascript_tag($script);
}
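<?php
/*
 * This file is part of the symfony package.
 * (c) 2004-2006 Fabien Potencier <*****@*****.**>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

require_once dirname(__FILE__) . '/../../bootstrap/unit.php';
require_once dirname(__FILE__) . '/../../../lib/helper/EscapingHelper.php';

// Test plan: 4 esc_entities() + 1 esc_raw() + 1 esc_js() + 1 esc_js_no_entities() = 7.
$t = new lime_test(7, new lime_output_color());
// sf_charset is read by the escaping helpers (presumably for htmlspecialchars()); pin it
// so the expected values below do not depend on the environment's default charset.
sfConfig::set('sf_charset', 'UTF-8');

// esc_entities()
$t->diag('esc_entities()');
$t->is(esc_entities(10), 10, 'esc_entities() does not escape integers');
$t->is(esc_entities(false), false, 'esc_entities() does not escape booleans');
$t->is(esc_entities('foo bar'), 'foo bar', 'esc_entities() only escapes strings');
// The expected value is the entity-encoded form: the tags must not survive as markup.
$t->is(esc_entities('<b>foo</b> bar'), '&lt;b&gt;foo&lt;/b&gt; bar', 'esc_entities() only escapes strings');

// esc_raw()
$t->diag('esc_raw()');
$t->is(esc_raw('foo'), 'foo', 'esc_raw() returns the first argument as is');

// esc_js()
$t->diag('esc_js()');
// esc_js() entity-encodes first, so the quotes are already gone by the time the
// JavaScript escaping runs and nothing is left for it to backslash-escape.
$t->is(esc_js('alert(\'foo\' + "bar")'), 'alert(&#039;foo&#039; + &quot;bar&quot;)', 'esc_js() escapes javascripts');

// esc_js_no_entities()
$t->diag('esc_js_no_entities()');
$t->is(esc_js_no_entities('alert(\'foo\' + "bar")'), 'alert(\\\'foo\\\' + \\"bar\\")', 'esc_js_no_entities() escapes javascripts');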
<?php use_helper('JavascriptBase'); ?>
<div id="tags_data" class="block">
  <h3><?php echo __('Tags'); ?> </h3>
  <?php
  // Tag input widget plus an "Add" button that triggers the ComputeTags event on the
  // input; the selector string is a fixed literal, nothing user-supplied is interpolated.
  echo $invoiceForm['tags'];
  echo ' ' . gButton_to_function(__('Add'), "\$('#invoice_tags_input').trigger('ComputeTags')", 'class=action-clear addTag');
  echo $invoiceForm['tags']->renderError();
  // The tagSpan partial is rendered once with the literal '#{tag}' placeholder
  // (presumably substituted client-side by tagSelector for each tag name);
  // esc_js_no_entities() escapes the resulting markup for the single-quoted
  // JavaScript string it is embedded in below.
  $tagTemplate = esc_js_no_entities(get_partial('common/tagSpan', array('tag' => '#{tag}')));
  // NOTE(review): the url_for() result is concatenated into the JavaScript string
  // without escaping; that is fine as long as the generated route contains no quote
  // or backslash characters — confirm against the routing configuration.
  echo javascript_tag("\n \$('#invoice_tags').tagSelector({\n autocompletionUrl : '" . url_for('common/ajaxTagsAutocomplete') . "',\n tagsContainer : 'the_tags_div',\n tagTemplate : '{$tagTemplate}'\n });\n ");
  ?>
  <div id="the_tags_div" class="taglist">
    <?php // Server-side render of the tags already attached to the invoice, one partial per tag. ?>
    <?php foreach ($invoice->getTags() as $tag) { ?>
      <?php include_partial('common/tagSpan', array('tag' => $tag)); ?>
    <?php } ?>
  </div>
</div>
/**
 * Static wrapper that delegates to the global esc_js_no_entities() helper
 * function, so the escaping can be invoked through this class.
 *
 * Inside a class body the unqualified call below resolves to the function, not
 * to this method (methods are only reachable via self::/static::/$this->), so
 * there is no recursion.
 *
 * @param string $content the value to escape
 * @return string the escaped value
 */
public static function esc_js_no_entities($content)
{
    $escaped = esc_js_no_entities($content);

    return $escaped;
}