
  1. <?php
  2. /**
  3. * Smarty plugin
  4. *
  5. * @package Smarty
  6. * @subpackage PluginsModifier
  7. */
  8. /**
  9. * Smarty escape modifier plugin
  10. *
  11. * Type: modifier<br>
  12. * Name: escape<br>
  13. * Purpose: escape string for output
  14. *
  15. * @link http://www.smarty.net/manual/en/language.modifier.escape.php escape (Smarty online manual)
  16. * @author Monte Ohrt <monte at ohrt dot com>
  17. * @param string $string input string
  18. * @param string $esc_type escape type: html, htmlall, url, urlpathinfo, quotes, hex, hexentity, decentity, javascript, mail or nonstd; any other value returns the input unchanged, i.e. UNESCAPED
  19. * @param string $char_set character set, used for htmlspecialchars() or htmlentities(); defaults to Smarty::$_CHARSET when empty
  20. * @param boolean $double_encode encode already encoded entities again, used for htmlspecialchars() or htmlentities()
  21. * @return string escaped input string
  22. */
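  function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $double_encode = true)
  {
      // htmlspecialchars()/htmlentities() accept the fourth ($double_encode)
      // argument only from PHP 5.2.3 on; older versions get an emulation via
      // smarty_modifier_escape_keep_entities(). Checked once per request.
      static $_native_double_encode = null;
      if ($_native_double_encode === null) {
          $_native_double_encode = version_compare(PHP_VERSION, '5.2.3', '>=');
      }
      if (!$char_set) {
          $char_set = Smarty::$_CHARSET;
      }

      switch ($esc_type) {
          case 'html':
              // HTML text and attribute context. ENT_QUOTES also encodes the
              // single quote, so the result is safe inside single- or
              // double-quoted attribute values.
              // NOTE(review): ENT_SUBSTITUTE is not set, so on PHP >= 5.4 a
              // string that is not valid in $char_set comes back as '' —
              // fail-closed but silent. Add ENT_SUBSTITUTE only if U+FFFD
              // output is preferred over an empty string.
              if ($_native_double_encode) {
                  return htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode);
              }
              if ($double_encode) {
                  return htmlspecialchars($string, ENT_QUOTES, $char_set);
              }
              return smarty_modifier_escape_keep_entities($string, $char_set, 'htmlspecialchars');

          case 'htmlall':
              if (Smarty::$_MBSTRING) {
                  // Escape the markup characters first: mb_convert_encoding()
                  // leaves < > & " ' alone, so this step is what makes the
                  // output HTML-safe.
                  if ($_native_double_encode) {
                      $string = htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode);
                  } elseif ($double_encode) {
                      $string = htmlspecialchars($string, ENT_QUOTES, $char_set);
                  } else {
                      // This branch used to return right here, skipping the
                      // entity conversion below, so 'htmlall' silently behaved
                      // like 'html' on PHP < 5.2.3 with $double_encode = false.
                      $string = smarty_modifier_escape_keep_entities($string, $char_set, 'htmlspecialchars');
                  }
                  // htmlentities() knows only part of the character tables, so
                  // let mbstring turn every remaining non-ASCII character into
                  // an entity.
                  // NOTE(review): the 'HTML-ENTITIES' target encoding is
                  // deprecated as of PHP 8.2; mb_encode_numericentity() is the
                  // replacement once the minimum PHP version allows it.
                  return mb_convert_encoding($string, 'HTML-ENTITIES', $char_set);
              }
              // No mbstring: htmlentities() covers what its own tables know.
              if ($_native_double_encode) {
                  return htmlentities($string, ENT_QUOTES, $char_set, $double_encode);
              }
              if ($double_encode) {
                  return htmlentities($string, ENT_QUOTES, $char_set);
              }
              return smarty_modifier_escape_keep_entities($string, $char_set, 'htmlentities');

          case 'url':
              // Percent-encode everything except RFC 3986 unreserved
              // characters; suitable for a single query-string value.
              return rawurlencode($string);

          case 'urlpathinfo':
              // Like 'url' but keeps '/' so a multi-segment path can be
              // escaped at once. Not for query-string values.
              return str_replace('%2F', '/', rawurlencode($string));

          case 'quotes':
              // Backslash-escape single quotes that are not already preceded by
              // a backslash. This is a heuristic: the lookbehind only inspects
              // the previous byte, so in "\\'" the quote is left alone because
              // it follows an (escaped) backslash. It is not a safe quoting
              // for SQL or JavaScript strings; use 'javascript' for the
              // latter and the database driver's quoting for the former.
              return preg_replace("%(?<!\\\\)'%", "\\'", $string);

          case 'hex':
              // Percent-encode every byte, e.g. UTF-8 "ä" becomes %c3%a4.
              // Cast first so null/int input is handled like its string form.
              $hex = bin2hex((string) $string);
              if ($hex === '') {
                  return '';
              }
              return '%' . implode('%', str_split($hex, 2));

          case 'hexentity':
              // Every character as a hexadecimal numeric character reference.
              if (Smarty::$_MBSTRING) {
                  require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php');
                  // Decode with the caller's $char_set (previously the global
                  // Smarty::$_CHARSET was used, ignoring the parameter).
                  $return = '';
                  foreach (smarty_mb_to_unicode($string, $char_set) as $unicode) {
                      $return .= '&#x' . strtoupper(dechex($unicode)) . ';';
                  }
                  return $return;
              }
              // No mbstring: work byte by byte. Only correct for single-byte
              // charsets — a UTF-8 multibyte sequence comes out as one
              // reference per byte, i.e. the wrong code points.
              $return = '';
              $_length = strlen($string);
              for ($x = 0; $x < $_length; $x++) {
                  $return .= '&#x' . bin2hex($string[$x]) . ';';
              }
              return $return;

          case 'decentity':
              // Every character as a decimal numeric character reference.
              if (Smarty::$_MBSTRING) {
                  require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php');
                  // Decode with the caller's $char_set (see 'hexentity').
                  $return = '';
                  foreach (smarty_mb_to_unicode($string, $char_set) as $unicode) {
                      $return .= '&#' . $unicode . ';';
                  }
                  return $return;
              }
              // No mbstring: byte-wise fallback, same caveat as 'hexentity'.
              $return = '';
              $_length = strlen($string);
              for ($x = 0; $x < $_length; $x++) {
                  $return .= '&#' . ord($string[$x]) . ';';
              }
              return $return;

          case 'javascript':
              // For use INSIDE a quoted JavaScript string literal (the caller
              // supplies the quotes). Backslashes, both quote kinds and line
              // breaks are escaped; '</' is broken up so the literal can never
              // contain '</script>'.
              $map = array(
                  '\\'   => '\\\\',
                  "'"    => "\\'",
                  '"'    => '\\"',
                  "\r"   => '\\r',
                  "\n"   => '\\n',
                  '</'   => '<\/',
                  // Per the HTML spec's "restrictions for contents of script
                  // elements", '<!--' and '<script' inside script text change
                  // how the parser finds the closing tag; split them as well.
                  // '\!' and '\s' are identity escapes in a JS string.
                  '<!--' => '<\!--',
                  '<s'   => '<\s',
                  '<S'   => '<\S',
              );
              // U+2028/U+2029 are line terminators in JavaScript and are
              // rejected inside string literals by pre-ES2019 engines. Their
              // UTF-8 encoding is unambiguous, so only rewrite them when the
              // input is declared as UTF-8.
              if (strcasecmp($char_set, 'UTF-8') === 0 || strcasecmp($char_set, 'UTF8') === 0) {
                  $map["\xE2\x80\xA8"] = '\u2028';
                  $map["\xE2\x80\xA9"] = '\u2029';
              }
              return strtr($string, $map);

          case 'mail':
              // Obfuscate an e-mail address for display ("a [AT] b [DOT] c").
              // Anti-harvesting only, not an HTML escape: '<' and '&' pass
              // through, so HTML-escape the result separately when it is
              // written into markup.
              if (Smarty::$_MBSTRING) {
                  require_once(SMARTY_PLUGINS_DIR . 'shared.mb_str_replace.php');
                  return smarty_mb_str_replace(array('@', '.'), array(' [AT] ', ' [DOT] '), $string);
              }
              return str_replace(array('@', '.'), array(' [AT] ', ' [DOT] '), $string);

          case 'nonstd':
              // Replace every character with code point >= 126 (note: that
              // includes '~' at 126 and DEL) by a decimal reference, e.g. MS
              // Word "smart quotes"; everything below is kept raw. Markup
              // characters are untouched, so this is NOT an XSS escape.
              $return = '';
              if (Smarty::$_MBSTRING) {
                  require_once(SMARTY_PLUGINS_DIR . 'shared.mb_unicode.php');
                  foreach (smarty_mb_to_unicode($string, $char_set) as $unicode) {
                      $return .= ($unicode >= 126) ? '&#' . $unicode . ';' : chr($unicode);
                  }
                  return $return;
              }
              // No mbstring: byte-wise fallback (wrong for multibyte input).
              $_length = strlen($string);
              for ($_i = 0; $_i < $_length; $_i++) {
                  $_byte = substr($string, $_i, 1);
                  $_ord = ord($_byte);
                  $return .= ($_ord >= 126) ? '&#' . $_ord . ';' : $_byte;
              }
              return $return;

          default:
              // SECURITY: an unknown $esc_type returns the input UNESCAPED.
              // A typo such as {$x|escape:'htm'} therefore silently disables
              // escaping; kept for backward compatibility, but treat it as a
              // template bug rather than a feature.
              return $string;
      }
  }

  /**
   * Apply $encoder (htmlspecialchars or htmlentities) without re-encoding
   * entities that are already present, for PHP versions whose encoder lacks
   * the $double_encode argument (< 5.2.3).
   *
   * Existing `&name;` / `&#nn;` sequences are swapped for a placeholder, the
   * string is encoded, and the placeholders are turned back into entities.
   * Note the placeholders are plain text, so input that already contains
   * them is mangled; only reachable on PHP < 5.2.3.
   *
   * @param string $string   input string
   * @param string $char_set character set passed to the encoder
   * @param string $encoder  'htmlspecialchars' or 'htmlentities'
   * @return string encoded string with pre-existing entities preserved
   */
  function smarty_modifier_escape_keep_entities($string, $char_set, $encoder)
  {
      $string = preg_replace('!&(#?\w+);!', '%%%SMARTY_START%%%\\1%%%SMARTY_END%%%', $string);
      $string = $encoder($string, ENT_QUOTES, $char_set);
      return str_replace(array('%%%SMARTY_START%%%', '%%%SMARTY_END%%%'), array('&', ';'), $string);
  }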
  170. ?>