/**
 * Sets the current charset.
 *
 * This is the charset name that getCharset() is expected to hand to
 * htmlspecialchars()/htmlentities() in the built-in HTML escapers. It is
 * stored as given, without validation; escaping is only correct when this
 * value matches the encoding the document is actually served in.
 *
 * @param string $charset The current charset (e.g. 'UTF-8')
 */
public static function setCharset($charset)
{
    self::$charset = $charset;
}
/**
 * Initializes the built-in escapers.
 *
 * Each entry maps a name to a callable that transforms a value so that it is
 * "escaped", i.e. suitable for the format it is being displayed in. The same
 * input needs a different treatment per context: for example, the string
 * "It's required that you enter a username & password.\n" rendered as HTML
 * should have its ampersand turned into '&amp;' and its apostrophe into an
 * entity such as '&#039;', whereas as a JavaScript string literal (say, in an
 * alert box) it should be left as-is apart from C-escaping the apostrophe and
 * the new line.
 *
 * Each escaper is registered under a fixed name so that callers do not have
 * to spell out the transformation themselves and risk getting it wrong.
 */
public static function initializeEscapers()
{
    // C-escapes the characters that would break, or break out of, a quoted
    // JavaScript string literal: backslash, CR/LF and both quote styles.
    // Only these five characters are touched; '<' and '>' pass through, so
    // the result is not by itself safe inside an inline <script> block (a
    // literal "</script>" would survive). The 'js' escaper below applies
    // htmlentities() first, which covers that case.
    $jsStringEscape = function ($value) {
        return str_replace(
            array("\\", "\n", "\r", "\"", "'"),
            array("\\\\", "\\n", "\\r", "\\\"", "\\'"),
            $value
        );
    };

    $escapers = array();

    // HTML text/attribute context. ENT_QUOTES converts both ' and " so the
    // output is safe in either attribute quoting style. Non-strings are
    // returned untouched: htmlspecialchars() would turn numbers and booleans
    // into strings and break type comparisons (===, is_int(), ...) downstream.
    // NOTE(review): without ENT_SUBSTITUTE, htmlspecialchars() returns '' for
    // byte sequences that are invalid in the configured charset -- confirm
    // that callers expect that rather than a substitution character.
    $escapers['htmlspecialchars'] = function ($value) {
        if (!is_string($value)) {
            return $value;
        }

        return htmlspecialchars($value, ENT_QUOTES, Escaper::getCharset());
    };

    // As above, but every character that has a named HTML entity is converted.
    $escapers['entities'] = function ($value) {
        if (!is_string($value)) {
            return $value;
        }

        return htmlentities($value, ENT_QUOTES, Escaper::getCharset());
    };

    // Identity: lets a caller state explicitly that no escaping is wanted.
    $escapers['raw'] = function ($value) {
        return $value;
    };

    // JavaScript string that will end up as text in an HTML document:
    // entities first, then C-escaping. Unlike the HTML escapers, a non-string
    // scalar is not passed through untouched here -- str_replace() stringifies it.
    $escapers['js'] = function ($value) use ($jsStringEscape) {
        $entityEscaped = is_string($value) ? htmlentities($value, ENT_QUOTES, Escaper::getCharset()) : $value;

        return $jsStringEscape($entityEscaped);
    };

    // JavaScript string that will NOT be inserted into an HTML document.
    $escapers['js_no_entities'] = $jsStringEscape;

    self::$escapers = $escapers;
}
/**
 * Initializes the built-in escapers.
 *
 * Each function specifies a way of applying a transformation to a value
 * passed to it, so that the value is "escaped", i.e. suitable for the format
 * it is being displayed in. The same input needs a different treatment per
 * context: for example, the string
 * "It's required that you enter a username & password.\n" rendered as HTML
 * should have its ampersand turned into '&amp;' and its apostrophe into an
 * entity such as '&#039;', whereas as a JavaScript string literal (say, in an
 * alert box) it should be left as-is apart from C-escaping the apostrophe and
 * the new line.
 *
 * Each escaper is registered under a fixed name so that callers do not have
 * to spell out the transformation themselves and risk getting it wrong.
 */
public static function initializeEscapers()
{
    // Characters that must be C-escaped inside a quoted JavaScript string
    // literal (backslash, CR/LF, both quote styles) and their replacements.
    // Shared by the 'js' and 'js_no_entities' escapers below.
    $jsSearch  = array("\\",   "\n",  "\r",  "\"",   "'");
    $jsReplace = array("\\\\", "\\n", "\\r", "\\\"", "\\'");

    self::$escapers = array(
        'htmlspecialchars' =>
            /**
             * Runs the PHP function htmlspecialchars on the value passed.
             *
             * ENT_QUOTES converts both ' and ", so the output is usable in
             * either attribute quoting style. Non-strings are returned as-is:
             * stringifying numbers and booleans would break type comparisons
             * (=== or is_int() etc.) downstream.
             *
             * NOTE(review): without ENT_SUBSTITUTE, htmlspecialchars() returns
             * '' for byte sequences invalid in the configured charset --
             * confirm callers expect that.
             *
             * @param string $value the value to escape
             *
             * @return string the escaped value
             */
            function ($value) {
                if (!is_string($value)) {
                    return $value;
                }

                return htmlspecialchars($value, ENT_QUOTES, Escaper::getCharset());
            },
        'entities' =>
            /**
             * Runs the PHP function htmlentities on the value passed.
             *
             * Like 'htmlspecialchars', but every character with a named HTML
             * entity is converted; non-strings are returned untouched.
             *
             * @param string $value the value to escape
             * @return string the escaped value
             */
            function ($value) {
                if (!is_string($value)) {
                    return $value;
                }

                return htmlentities($value, ENT_QUOTES, Escaper::getCharset());
            },
        'raw' =>
            /**
             * An identity function that merely returns what it is given; its
             * purpose is to let a caller state explicitly that the value is
             * not to be escaped in any way.
             *
             * @param string $value the value to escape
             * @return string the escaped value
             */
            function ($value) {
                return $value;
            },
        'js' =>
            /**
             * C-escapes a string after applying htmlentities (cf. 'entities').
             * The assumption is that the value will be used to generate
             * dynamic HTML in some way, and the safest way to prevent mishap
             * is to assume the value should have HTML entities set properly.
             * Because '<' and '>' are entity-encoded first, a "</script>"
             * sequence cannot survive into an inline script block.
             *
             * Use 'js_no_entities' for a string that is ultimately not going
             * to end up as text in an HTML document.
             *
             * Note that, unlike the HTML escapers, a non-string scalar is not
             * passed through untouched here: str_replace() stringifies it.
             *
             * @param string $value the value to escape
             * @return string the escaped value
             */
            function ($value) use ($jsSearch, $jsReplace) {
                $entityEscaped = is_string($value)
                    ? htmlentities($value, ENT_QUOTES, Escaper::getCharset())
                    : $value;

                return str_replace($jsSearch, $jsReplace, $entityEscaped);
            },
        'js_no_entities' =>
            /**
             * C-escapes a string, making it suitable to be placed inside a
             * JavaScript string literal.
             *
             * Only backslash, CR/LF and the two quote characters are touched;
             * '<' and '>' pass through unchanged, so the result is not by
             * itself safe as text inside an inline <script> block in an HTML
             * document -- use 'js' for that case.
             *
             * @param string $value the value to escape
             * @return string the escaped value
             */
            function ($value) use ($jsSearch, $jsReplace) {
                return str_replace($jsSearch, $jsReplace, $value);
            },
    );
}