 /**
  * Escapes a value for use inside an HTML attribute.
  *
  * Objects are accepted only when they can be cast to string; arrays are
  * rejected outright. The actual escaping is delegated to the wrapped
  * Zend escaper held in $this->zendEscape.
  *
  * @param mixed $string
  * @return string
  * @throws EscapeException on an object without __toString, or on an array
  */
 public function escapeHTMLAttribute($string)
 {
     if (is_object($string)) {
         if (!method_exists($string, '__toString')) {
             throw EscapeException::fromBadObject($string);
         }
         $string = (string) $string;
     } elseif (is_array($string)) {
         throw EscapeException::fromBadArray();
     }

     return $this->zendEscape->escapeHtmlAttr($string);
 }
 /**
  * Escapes strings based on context
  *
  * Scalars that cannot carry markup (bool, int, float, null) are returned
  * untouched; objects and resources are rejected. Anything else is passed
  * to the parent escaper method matching the requested context, compared
  * strictly and in the same order as before.
  *
  * NOTE(review): the default context self::HTML_BODY is only handled if it
  * shares a value with one of the constants compared below — confirm.
  *
  * @param string $string The string to escape
  * @param int $context The context to escape in
  * @return string The escaped string
  * @throws \InvalidArgumentException If the context is invalid or the value type cannot be escaped
  */
 public function escape($string, $context = self::HTML_BODY)
 {
     $type = gettype($string);
     $passThrough = array('boolean', 'integer', 'double', 'NULL');
     $rejected    = array('object', 'resource', 'unknown type');

     if (in_array($type, $passThrough, true)) {
         return $string;
     }
     if (in_array($type, $rejected, true)) {
         throw new \InvalidArgumentException("Unable to escape variable of type {$type}.");
     }

     // Each entry pairs a context constant with the parent method for it.
     $handlers = array(
         array(self::HTML_STRING, 'escapeHtml'),
         array(self::HTML_ATTR,   'escapeHtmlAttr'),
         array(self::CSS,         'escapeCss'),
         array(self::JS_STRING,   'escapeJs'),
         array(self::URL_PARAM,   'escapeUrl'),
     );
     foreach ($handlers as $handler) {
         list($candidate, $method) = $handler;
         if ($context === $candidate) {
             return parent::$method($string);
         }
     }

     throw new \InvalidArgumentException('Invalid context.');
 }
    /**
     * Demo action: escapes an attribute-breaking payload with Zend's Escaper
     * and echoes it inside a single-quoted title attribute.
     *
     * The heredoc used originally expands "\t" like a double-quoted string,
     * so the literal below yields the same two leading tabs.
     *
     * @return bool always false
     */
    public function index03Action()
    {
        $payload = "\t\t' onmouseover='alert(/ZF2!/);";
        $escaper = new Escaper();
        $safeTitle = $escaper->escapeHtmlAttr($payload);

        printf("<span title='%s'>ZendVN</span>", $safeTitle);

        return false;
    }
    /**
     * Demo action: the same payload escaped for an attribute context, this
     * time through the project's Escape wrapper with an explicit charset.
     *
     * The title attribute is emitted without surrounding quotes, so the
     * markup relies entirely on the escaper encoding spaces and quotes;
     * quoting the attribute value would be the more robust habit.
     *
     * @return mixed $this->response
     */
    public function Index04Action()
    {
        /** JS SCRIPT */
        $payload = "' onmouseover='alert(/ZF2!/);";
        $escaper = new Escape('utf-8');
        $safeTitle = $escaper->escapeHtmlAttr($payload);

        echo "<span title={$safeTitle}>Zend</span>";

        return $this->response;
    }
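 /**
  * Escapes strings to make them safe for use
  * within HTML templates. Used by the auto-escaping
  * functionality in setVar() and available to
  * use within your views.
  *
  * Uses ZendFramework's Escaper to handle the actual escaping,
  * based on context. Valid contexts are:
  *      - html
  *      - htmlAttr
  *      - js
  *      - css
  *      - url
  *
  * Arrays are escaped recursively (keys preserved); non-string scalars
  * are returned unchanged.
  *
  * References:
  *  - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  *  - http://framework.zend.com/manual/current/en/modules/zend.escaper.introduction.html
  *
  * @param mixed  $data     String or (nested) array of values to escape
  * @param string $context  One of the contexts listed above (case-insensitive)
  * @param object $escaper  An instance of ZF's Escaper to avoid repeated class instantiation.
  *
  * @return mixed Escaped string, array of escaped values, or the untouched non-string scalar
  * @throws \InvalidArgumentException on an unknown context
  */
 function esc($data, $context = 'html', $escaper = null)
 {
     // Map each valid context to the Escaper method that handles it;
     // the keys double as the list of accepted contexts.
     $methods = [
         'html'     => 'escapeHtml',
         'htmlattr' => 'escapeHtmlAttr',
         'js'       => 'escapeJs',
         'css'      => 'escapeCss',
         'url'      => 'escapeUrl',
     ];

     $context = strtolower($context);
     // Valid context? Checked before any recursion so a bad context fails once, up front.
     if (!in_array($context, array_keys($methods), true)) {
         throw new \InvalidArgumentException('Invalid Context type: ' . $context);
     }

     if (!is_object($escaper)) {
         $escaper = new Escaper(config_item('charset'));
     }

     if (is_array($data)) {
         // Pass the escaper down so nested elements do not each build a new one,
         // and write back by key instead of iterating by reference.
         foreach ($data as $key => $value) {
             $data[$key] = esc($value, $context, $escaper);
         }
         return $data;
     }

     if (!is_string($data)) {
         return $data;
     }

     $method = $methods[$context];

     return $escaper->$method($data);
 }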
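 /**
  * Closes the table by printing a </table> statement
  *
  * When the 'simpleSearch' display setting is active, the current column
  * selection and the sort/order query parameters are echoed back as hidden
  * inputs (attribute-escaped) and the enclosing form is closed — the
  * opening <form> tag is presumably emitted elsewhere in this class.
  *
  * @return string
  */
 protected function printTableEnd()
 {
     $html = '</table>';

     // Strict comparison: loose in_array would match a 0 entry on older PHP.
     if (in_array('simpleSearch', $this->displaySettings, true)) {
         // Any current column settings? pass them in the form
         if (isset($_GET['columns'])) {
             $value = $_GET['columns'];
             if (is_array($value)) {
                 // Serialise as a JSON list; the hand-built '"a","b"' string
                 // produced malformed output for values containing '"' or '\'.
                 $value = json_encode(array_values($value));
             }
             $html .= sprintf(
                 "<input type='hidden' name='columns' value='%s'/>",
                 $this->escaper->escapeHtmlAttr($value)
             );
         }
         if (isset($_GET['sort'], $_GET['order'])) {
             $html .= "<input type='hidden' name='sort' value='" . $this->escaper->escapeHtmlAttr($_GET['sort']) . "' />";
             $html .= "<input type='hidden' name='order' value='" . $this->escaper->escapeHtmlAttr($_GET['order']) . "' />";
         }
         $html .= '</form>';
     }

     return $html;
 }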
 /**
  * {@inheritdoc}
  *
  * Thin delegation to the wrapped escaper's attribute-context method.
  */
 public function escapeHtmlAttr($string)
 {
     $delegate = $this->escaper;

     return $delegate->escapeHtmlAttr($string);
 }
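 /**
  * Builds the table cells for one invoice row.
  *
  * Every value that originates from invoice data (status label, dates,
  * invoice number, client name, amount, show link) is escaped for the
  * context it is placed in; the surrounding markup and the CSS class from
  * static::$statusMap are code-controlled and emitted as-is.
  *
  * @param  Invoice $invoice
  * @return string[]
  * @throws \UnexpectedValueException when the status has no entry in static::$statusMap
  */
 public function format(Invoice $invoice)
 {
     $status = $invoice->getStatus();
     // An unknown status previously produced a notice and an empty label/class.
     if (!isset(static::$statusMap[$status])) {
         throw new \UnexpectedValueException(sprintf('No status format configured for status "%s".', $status));
     }
     $statusFormat = static::$statusMap[$status];
     $escaper = $this->escaper;

     $statusCell = sprintf(
         '<span class="label label-%s">%s</span>',
         $statusFormat['class'],
         $escaper->escapeHtml($statusFormat['label'])
     );
     $dateCell = sprintf(
         '%s<br /><small>%s</small>',
         $escaper->escapeHtml($this->dateFormatter->format($invoice->getIssueDate())),
         $escaper->escapeHtml($this->getIssueDateAddition($invoice))
     );
     $showUrl = $this->router->assemble(
         ['invoiceId' => $invoice->getId()],
         ['name' => 'invoices/show']
     );
     $showCell = sprintf(
         '<a href="%s" class="btn btn-xs btn-default">Show</a>',
         $escaper->escapeHtmlAttr($showUrl)
     );

     return [
         $statusCell,
         $dateCell,
         // The invoice number was the only cell emitted raw; escaped for consistency.
         $escaper->escapeHtml($invoice->getInvoiceNumber()),
         $escaper->escapeHtml($invoice->getClient()->getName()),
         $escaper->escapeHtml($this->numberFormatter->formatCurrency($invoice->getTotalAmount(), $invoice->getCurrencyCode())),
         $showCell,
     ];
 }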
 /**
  * Escapes a value for an HTML attribute context using the shared static
  * escaper, which self::init() sets up on first use.
  *
  * @param mixed $input
  * @return mixed
  */
 public static function escapeAttr($input)
 {
     self::init();
     $escaper = self::$escaper;

     return $escaper->escapeHtmlAttr($input);
 }