1 <?php |
|
2 /** |
|
3 * Smarty plugin |
|
4 * |
|
5 * @package Smarty |
|
6 * @subpackage PluginsModifier |
|
7 */ |
|
8 |
|
9 /** |
|
10 * Smarty escape modifier plugin |
|
11 * Type: modifier<br> |
|
12 * Name: escape<br> |
|
13 * Purpose: escape string for output |
|
14 * |
|
15 * @link http://www.smarty.net/docs/en/language.modifier.escape |
|
16 * @author Monte Ohrt <monte at ohrt dot com> |
|
17 * |
|
18 * @param string $string input string |
|
19 * @param string $esc_type escape type |
|
20 * @param string $char_set character set, used for htmlspecialchars() or htmlentities() |
|
21 * @param boolean $double_encode encode already encoded entitites again, used for htmlspecialchars() or htmlentities() |
|
22 * |
|
23 * @return string escaped input string |
|
24 */ |
|
25 function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $double_encode = true) { |
|
26 static $_double_encode = null; |
|
27 if ($_double_encode === null) { |
|
28 $_double_encode = version_compare(PHP_VERSION, '5.2.3', '>='); |
|
29 } |
|
30 |
|
31 if (!$char_set) { |
|
32 $char_set = Smarty::$_CHARSET; |
|
33 } |
|
34 |
|
35 switch ($esc_type) { |
|
36 case 'html': |
|
37 if ($_double_encode) { |
|
38 // php >=5.3.2 - go native |
|
39 return htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode); |
|
40 } else { |
|
41 if ($double_encode) { |
|
42 // php <5.2.3 - only handle double encoding |
|
43 return htmlspecialchars($string, ENT_QUOTES, $char_set); |
|
44 } else { |
|
45 // php <5.2.3 - prevent double encoding |
|
46 $string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string); |
|
47 $string = htmlspecialchars($string, ENT_QUOTES, $char_set); |
|
48 $string = str_replace(array('%%%SMARTY_START%%%', '%%%SMARTY_END%%%'), array('&', ';'), $string); |
|
49 |
|
50 return $string; |
|
51 } |
|
52 } |
|
53 |
|
54 case 'htmlall': |
|
55 if (Smarty::$_MBSTRING) { |
|
56 // mb_convert_encoding ignores htmlspecialchars() |
|
57 if ($_double_encode) { |
|
58 // php >=5.3.2 - go native |
|
59 $string = htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode); |
|
60 } else { |
|
61 if ($double_encode) { |
|
62 // php <5.2.3 - only handle double encoding |
|
63 $string = htmlspecialchars($string, ENT_QUOTES, $char_set); |
|
64 } else { |
|
65 // php <5.2.3 - prevent double encoding |
|
66 $string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string); |
|
67 $string = htmlspecialchars($string, ENT_QUOTES, $char_set); |
|
68 $string = str_replace(array('%%%SMARTY_START%%%', '%%%SMARTY_END%%%'), array('&', ';'), $string); |
|
69 |
|
70 return $string; |
|
71 } |
|
72 } |
|
73 |
|
74 // htmlentities() won't convert everything, so use mb_convert_encoding |
|
75 return mb_convert_encoding($string, 'HTML-ENTITIES', $char_set); |
|
76 } |
|
77 |
|
78 // no MBString fallback |
|
79 if ($_double_encode) { |
|
80 return htmlentities($string, ENT_QUOTES, $char_set, $double_encode); |
|
81 } else { |
|
82 if ($double_encode) { |
|
83 return htmlentities($string, ENT_QUOTES, $char_set); |
|
84 } else { |
|
85 $string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string); |
|
86 $string = htmlentities($string, ENT_QUOTES, $char_set); |
|
87 $string = str_replace(array('%%%SMARTY_START%%%', '%%%SMARTY_END%%%'), array('&', ';'), $string); |
|
88 |
|
89 return $string; |
|
90 } |
|
91 } |
|
92 |
|
93 case 'url': |
|
94 return rawurlencode($string); |
|
95 |
|
96 case 'urlpathinfo': |
|
97 return str_replace('%2F', '/', rawurlencode($string)); |
|
98 |
|
99 case 'quotes': |
|
100 // escape unescaped single quotes |
|
101 return preg_replace("%(?<!\\\\)'%", "\\'", $string); |
|
102 |
|
103 case 'hex': |
|
104 // escape every byte into hex |
|
105 // Note that the UTF-8 encoded character รค will be represented as %c3%a4 |
|
106 $return = ''; |
|
107 $_length = strlen($string); |
|
108 for ($x = 0; $x < $_length; $x++) { |
|
109 $return .= '%' . bin2hex($string[$x]); |
|
110 } |
|
111 |
|
112 return $return; |
|
113 |
|
114 case 'hexentity': |
|
115 $return = ''; |
|
116 if (Smarty::$_MBSTRING) { |
|
117 require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php'); |
|
118 $return = ''; |
|
119 foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) { |
|
120 $return .= '&#x' . strtoupper(dechex($unicode)) . ';'; |
|
121 } |
|
122 |
|
123 return $return; |
|
124 } |
|
125 // no MBString fallback |
|
126 $_length = strlen($string); |
|
127 for ($x = 0; $x < $_length; $x++) { |
|
128 $return .= '&#x' . bin2hex($string[$x]) . ';'; |
|
129 } |
|
130 |
|
131 return $return; |
|
132 |
|
133 case 'decentity': |
|
134 $return = ''; |
|
135 if (Smarty::$_MBSTRING) { |
|
136 require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php'); |
|
137 $return = ''; |
|
138 foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) { |
|
139 $return .= '&#' . $unicode . ';'; |
|
140 } |
|
141 |
|
142 return $return; |
|
143 } |
|
144 // no MBString fallback |
|
145 $_length = strlen($string); |
|
146 for ($x = 0; $x < $_length; $x++) { |
|
147 $return .= '&#' . ord($string[$x]) . ';'; |
|
148 } |
|
149 |
|
150 return $return; |
|
151 |
|
152 case 'javascript': |
|
153 // escape quotes and backslashes, newlines, etc. |
|
154 return strtr($string, array('\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\r" => '\\r', "\n" => '\\n', '</' => '<\/')); |
|
155 |
|
156 case 'mail': |
|
157 if (Smarty::$_MBSTRING) { |
|
158 require_once(SMARTY_PLUGINS_DIR . 'shared.mb_str_replace.php'); |
|
159 |
|
160 return smarty_mb_str_replace(array('@', '.'), array(' [AT] ', ' [DOT] '), $string); |
|
161 } |
|
162 // no MBString fallback |
|
163 return str_replace(array('@', '.'), array(' [AT] ', ' [DOT] '), $string); |
|
164 |
|
165 case 'nonstd': |
|
166 // escape non-standard chars, such as ms document quotes |
|
167 $return = ''; |
|
168 if (Smarty::$_MBSTRING) { |
|
169 require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php'); |
|
170 foreach (smarty_mb_to_unicode($string, Smarty::$_CHARSET) as $unicode) { |
|
171 if ($unicode >= 126) { |
|
172 $return .= '&#' . $unicode . ';'; |
|
173 } else { |
|
174 $return .= chr($unicode); |
|
175 } |
|
176 } |
|
177 |
|
178 return $return; |
|
179 } |
|
180 |
|
181 $_length = strlen($string); |
|
182 for ($_i = 0; $_i < $_length; $_i++) { |
|
183 $_ord = ord(substr($string, $_i, 1)); |
|
184 // non-standard char, escape it |
|
185 if ($_ord >= 126) { |
|
186 $return .= '&#' . $_ord . ';'; |
|
187 } else { |
|
188 $return .= substr($string, $_i, 1); |
|
189 } |
|
190 } |
|
191 |
|
192 return $return; |
|
193 |
|
194 default: |
|
195 return $string; |
|
196 } |
|
197 } |
|