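/**
 * Escapes a value for use inside a quoted HTML attribute.
 *
 * Objects are accepted only when they implement __toString; arrays are
 * rejected outright. Any other value is handed to the wrapped Zend escaper.
 *
 * @param mixed $string The value to escape
 * @return string The escaped attribute value as produced by the Zend escaper
 * @throws EscapeException When given an array, or an object without __toString
 */
public function escapeHTMLAttribute($string)
{
    if (is_object($string)) {
        // Only objects that can be stringified are usable here.
        if (!method_exists($string, '__toString')) {
            throw EscapeException::fromBadObject($string);
        }
        $string = (string) $string;
    }

    if (is_array($string)) {
        throw EscapeException::fromBadArray();
    }

    // NOTE(review): non-string scalars (int, bool, null) are passed through to
    // the Zend escaper unchanged — confirm it accepts them, or cast here.
    return $this->zendEscape->escapeHtmlAttr($string);
}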
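/**
 * Escapes strings based on context.
 *
 * Scalars that cannot carry markup (bool, int, float, null) are returned
 * untouched; objects, resources and unknown types are rejected.
 *
 * @param mixed $string The value to escape
 * @param int $context The context to escape in (HTML_STRING, HTML_ATTR, CSS,
 *                     JS_STRING or URL_PARAM)
 * @return string|bool|int|float|null The escaped string, or the original
 *                                    non-string scalar
 * @throws \InvalidArgumentException If the value type cannot be escaped or the
 *                                   context is not recognised
 */
public function escape($string, $context = self::HTML_BODY)
{
    $type = gettype($string);

    // Nothing to escape in these types; hand them back verbatim.
    if (in_array($type, ['boolean', 'integer', 'double', 'NULL'], true)) {
        return $string;
    }

    if (in_array($type, ['object', 'resource', 'unknown type'], true)) {
        throw new \InvalidArgumentException("Unable to escape variable of type {$type}.");
    }

    // NOTE(review): the default context is HTML_BODY, but no branch below
    // accepts it — unless HTML_BODY shares HTML_STRING's value, escape($s)
    // with the default context ends in 'Invalid context.'. Confirm the
    // constant values and add a branch if HTML_BODY is meant to be valid.
    if ($context === self::HTML_STRING) {
        return parent::escapeHtml($string);
    }

    if ($context === self::HTML_ATTR) {
        return parent::escapeHtmlAttr($string);
    }

    if ($context === self::CSS) {
        return parent::escapeCss($string);
    }

    if ($context === self::JS_STRING) {
        return parent::escapeJs($string);
    }

    if ($context === self::URL_PARAM) {
        return parent::escapeUrl($string);
    }

    throw new \InvalidArgumentException('Invalid context.');
}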
/**
 * Demo action: shows that an attribute-injection payload is neutralised by
 * escapeHtmlAttr() before it is placed inside a quoted title attribute.
 *
 * @return bool Always false
 */
public function index03Action()
{
    // Same payload as the original heredoc; double quotes keep the \t escapes.
    $payload = "\t\t' onmouseover='alert(/ZF2!/);";

    $escaper = new Escaper();
    $safeTitle = $escaper->escapeHtmlAttr($payload);

    echo "<span title='{$safeTitle}'>ZendVN</span>";

    return false;
}
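/**
 * Demo action: escapes an attribute-injection payload with escapeHtmlAttr()
 * and renders it inside a title attribute.
 *
 * @return mixed The controller's response object
 */
public function Index04Action()
{
    // Payload that would break out of a title attribute if rendered raw.
    $input = <<<INPUT
' onmouseover='alert(/ZF2!/);
INPUT;

    // NOTE(review): instantiated as Escape(), while the sibling demo action
    // uses Escaper() — confirm which class is intended.
    $escaper = new Escape('utf-8');
    $output = $escaper->escapeHtmlAttr($input);

    // Attribute-context escaping is designed for a quoted attribute; the
    // original emitted title=... unquoted, which widens the set of characters
    // that can end the attribute. Quote it, as the other demo action does.
    echo "<span title='{$output}'>Zend</span>";

    return $this->response;
}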
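/**
 * Escapes strings to make them safe for use within HTML templates. Used by
 * the auto-escaping functionality in setVar() and available to use within
 * your views.
 *
 * Uses ZendFramework's Escaper to handle the actual escaping, based on
 * context. Valid contexts (case-insensitive) are:
 * - html
 * - htmlAttr
 * - js
 * - css
 * - url
 *
 * Arrays are escaped recursively (keys preserved); non-string scalars are
 * returned unchanged.
 *
 * References:
 * - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
 * - http://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html
 *
 * @param mixed $data The string (or array of strings) to escape
 * @param string $context One of the contexts listed above
 * @param Escaper|null $escaper An instance of ZF's Escaper to avoid repeated
 *                              class instantiation; created on demand if null
 *
 * @return mixed The escaped string, or the input unchanged if not a string
 * @throws \InvalidArgumentException If the context is not one of the valid values
 */
function esc($data, $context = 'html', $escaper = null)
{
    $context = strtolower($context);

    // Validate the context before doing any work, so a bad context fails the
    // same way for arrays and scalars. Strict comparison: the list is strings.
    if (!in_array($context, ['html', 'htmlattr', 'js', 'css', 'url'], true)) {
        throw new \InvalidArgumentException('Invalid Context type: ' . $context);
    }

    if (is_array($data)) {
        // Create the escaper once and hand it down; the original recursion
        // omitted it, instantiating a new Escaper per element. Writing back by
        // key avoids the dangling foreach-by-reference of the original.
        if (!is_object($escaper)) {
            $escaper = new Escaper(config_item('charset'));
        }

        foreach ($data as $key => $value) {
            $data[$key] = esc($value, $context, $escaper);
        }

        return $data;
    }

    if (!is_string($data)) {
        return $data;
    }

    if (!is_object($escaper)) {
        $escaper = new Escaper(config_item('charset'));
    }

    switch ($context) {
        case 'html':
            return $escaper->escapeHtml($data);
        case 'htmlattr':
            return $escaper->escapeHtmlAttr($data);
        case 'js':
            return $escaper->escapeJs($data);
        case 'css':
            return $escaper->escapeCss($data);
        case 'url':
            return $escaper->escapeUrl($data);
    }

    // Unreachable: every valid context returned above.
    return $data;
}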
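/**
 * Closes the table by printing a </table> statement.
 *
 * When the simpleSearch display setting is active, the current columns, sort
 * and order request parameters are re-emitted as hidden inputs so the search
 * form round-trips them, and the form is closed.
 *
 * @return string The closing HTML
 */
protected function printTableEnd()
{
    $html = '</table>';

    // Strict comparison: displaySettings is compared against a string key.
    if (!in_array('simpleSearch', $this->displaySettings, true)) {
        return $html;
    }

    // Any current column settings? pass them in the form
    if (isset($_GET['columns'])) {
        $value = $_GET['columns'];
        if (is_array($value)) {
            // Emit a well-formed JSON list: the hand-built '["a","b"]' of the
            // original did not escape quotes or backslashes inside column
            // names, so one such name corrupted the whole value. Only string
            // entries are kept (request arrays may nest).
            $columns = array_values(array_filter($value, 'is_string'));
            $value = json_encode($columns, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
            if ($value === false) {
                $value = '[]';
            }
        }
        $html .= sprintf(
            "<input type='hidden' name='columns' value='%s'/>",
            $this->escaper->escapeHtmlAttr($value)
        );
    }

    // Both parameters are required and must be plain strings; a request can
    // send sort[]=..., which the attribute escaper cannot take.
    if (isset($_GET['sort'], $_GET['order']) && is_string($_GET['sort']) && is_string($_GET['order'])) {
        $html .= "<input type='hidden' name='sort' value='" . $this->escaper->escapeHtmlAttr($_GET['sort']) . "' />";
        $html .= "<input type='hidden' name='order' value='" . $this->escaper->escapeHtmlAttr($_GET['order']) . "' />";
    }

    // The matching <form> is opened elsewhere in this class (not visible here).
    $html .= '</form>';

    return $html;
}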
/**
 * {@inheritdoc}
 */
public function escapeHtmlAttr($string)
{
    // Pure delegation to the wrapped escaper; nothing is processed locally.
    $escaped = $this->escaper->escapeHtmlAttr($string);

    return $escaped;
}
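/**
 * Builds the table cells for one invoice row.
 *
 * Every value that may originate from user data is passed through the HTML
 * escaper; the status CSS class comes from the static map and is used as-is.
 *
 * @param Invoice $invoice
 * @return string[] Cells in order: status badge, issue date, invoice number,
 *                  client name, total amount, "Show" link
 */
public function format(Invoice $invoice)
{
    // NOTE(review): a status missing from the map produces an undefined-index
    // notice/warning and null label/class here — confirm the map covers every
    // status value the invoice can carry.
    $statusFormat = static::$statusMap[$invoice->getStatus()];

    $statusCell = sprintf(
        '<span class="label label-%s">%s</span>',
        $statusFormat['class'],
        $this->escaper->escapeHtml($statusFormat['label'])
    );

    $dateCell = sprintf(
        '%s<br /><small>%s</small>',
        $this->escaper->escapeHtml($this->dateFormatter->format($invoice->getIssueDate())),
        $this->escaper->escapeHtml($this->getIssueDateAddition($invoice))
    );

    // The invoice number was the only cell emitted unescaped; it is rendered
    // into HTML like the others, so escape it too (the cast covers numeric
    // values, which the escaper may otherwise reject).
    $numberCell = $this->escaper->escapeHtml((string) $invoice->getInvoiceNumber());

    $clientCell = $this->escaper->escapeHtml($invoice->getClient()->getName());

    $amountCell = $this->escaper->escapeHtml(
        $this->numberFormatter->formatCurrency($invoice->getTotalAmount(), $invoice->getCurrencyCode())
    );

    // The URL lands in an href attribute, so attribute-context escaping applies.
    $showUrl = $this->router->assemble(['invoiceId' => $invoice->getId()], ['name' => 'invoices/show']);
    $linkCell = sprintf(
        '<a href="%s" class="btn btn-xs btn-default">Show</a>',
        $this->escaper->escapeHtmlAttr($showUrl)
    );

    return [$statusCell, $dateCell, $numberCell, $clientCell, $amountCell, $linkCell];
}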
/**
 * Escapes a value for an HTML attribute context using the shared escaper.
 *
 * @param mixed $input
 * @return mixed Whatever the shared escaper's escapeHtmlAttr() returns
 */
public static function escapeAttr($input)
{
    // Make sure the shared escaper has been set up before delegating to it.
    self::init();

    $escaper = self::$escaper;

    return $escaper->escapeHtmlAttr($input);
}