PHP Class Escape

Class to handle context specific output escaping per OWASP recommendations. Most of this class is based on methods from Zend\Escaper, but modified for Kirby. Copyrighted (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com) under the New BSD License (http://framework.zend.com/license/new-bsd).
Project: getkirby/toolkit

Public Methods

Method Description
attr ( string $string, string $strict = true ) : string Escape common HTML attributes data
charIsUndefined ( string $char ) : boolean Check if a character is undefined in HTML
convertEncoding ( string $char ) : string Convert a character from UTF-8 to UTF-16BE
css ( string $string ) : string Escape HTML style property values
html ( string $string ) : string Escape HTML element content
js ( string $string ) : string Escape JavaScript data values
noNeedToEscape ( string $string ) : boolean Check if a string needs to be escaped or not
url ( string $string ) : string Escape URL parameter values
xml ( string $string ) : string Escape XML element content

Protected Methods

Method Description
escapeAttrChar ( array $matches ) : mixed Escape character for HTML attribute
escapeCSSChar ( array $matches ) : string Escape character for CSS
escapeJSChar ( array $matches ) : string Escape character for JavaScript

Method Details

attr() public static method

This can be used to put untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. Use esc($string, 'js') for event handler attributes, esc($string, 'url') for src attributes and esc($string, 'css') for style attributes.
public static attr ( string $string, string $strict = true ) : string
$string string
$strict string Whether to also escape characters like [space] % * + , - / ; < = > ^ and |, which is necessary for unquoted HTML attributes.
return string

charIsUndefined() public static method

Check if a character is undefined in HTML
public static charIsUndefined ( string $char ) : boolean
$char string
return boolean

convertEncoding() public static method

Convert a character from UTF-8 to UTF-16BE
public static convertEncoding ( string $char ) : string
$char string
return string

css() public static method

This can be used to put untrusted data into a stylesheet or a style tag. Stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding). You should also not put untrusted data into IE's expression property value, which allows JavaScript.
public static css ( string $string ) : string
$string string
return string

escapeAttrChar() protected static method

Callback function for preg_replace_callback() that applies HTML attribute escaping to all matches.
protected static escapeAttrChar ( array $matches ) : mixed
$matches array
return mixed Unicode replacement if character is undefined in HTML, named HTML entity if available (only those that XML supports), upper hex entity if a named entity does not exist or entity with the &#xHH; format if ASCII value is less than 256.
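The following is an added example, not the toolkit's own code: a minimal attribute escaper that follows the rules described for attr() and escapeAttrChar() above (named entity where XML defines one, U+FFFD for characters undefined in HTML, an upper-case hex entity otherwise). The function names, the character class used for the strict mode and the set of "undefined" code points are assumptions; the sample input is constructed.

```php
<?php
// Added example (not the toolkit's own code): attribute escaping following the
// rules listed for escapeAttrChar(). Names and character classes are assumed.

// Code points treated as "undefined in HTML": C0 controls other than tab,
// LF and CR, plus DEL and the C1 range. Assumed set.
function isUndefinedInHtml(int $cp): bool
{
    return ($cp <= 0x1F && !in_array($cp, [0x09, 0x0A, 0x0D], true))
        || ($cp >= 0x7F && $cp <= 0x9F);
}

// Callback for preg_replace_callback(): named entity if XML defines one,
// U+FFFD for undefined characters, otherwise an upper-case hex entity.
function escapeAttrChar(array $matches): string
{
    static $named = ['&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'];
    $char = $matches[0];
    if (isset($named[$char])) {
        return $named[$char];
    }
    // The toolkit reads the code point via a UTF-8 -> UTF-16BE conversion;
    // mb_ord() returns it directly, including code points above U+FFFF.
    $cp = mb_ord($char, 'UTF-8');
    if (isUndefinedInHtml($cp)) {
        return '&#xFFFD;';
    }
    return sprintf('&#x%02X;', $cp);
}

// $strict = true escapes everything outside [A-Za-z0-9_], which covers the
// space, %, *, +, comma, -, /, ;, <, =, >, ^ and | that break unquoted
// attributes. Non-strict mode (assumed) only escapes & < > " and '.
function escapeAttr(string $string, bool $strict = true): string
{
    $pattern = $strict ? '/[^A-Za-z0-9_]/u' : '/[&<>"\']/u';
    return preg_replace_callback($pattern, 'escapeAttrChar', $string);
}

// Constructed input: a quote-breakout attempt, a control character and a
// non-ASCII letter, to exercise all three branches of the callback.
$untrusted = "x\" onmouseover=alert(1) \x01 é";
echo '<input value=', escapeAttr($untrusted, true), ">\n";
echo '<input value="', escapeAttr($untrusted, false), "\">\n";
```

The strict output is safe even without surrounding quotes, while the non-strict output still relies on the attribute being quoted, which is the distinction the $strict parameter exists for.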

escapeCSSChar() protected static method

Callback function for preg_replace_callback() that applies CSS escaping to all matches.
protected static escapeCSSChar ( array $matches ) : string
$matches array
return string

escapeJSChar() protected static method

Callback function for preg_replace_callback() that applies JavaScript escaping to all matches.
protected static escapeJSChar ( array $matches ) : string
$matches array
return string

html() public static method

This can be used to put untrusted data directly into the HTML body somewhere. This includes inside normal tags like div, p, b, td, etc. Escapes &, <, >, ", and ' with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers.
public static html ( string $string ) : string
$string string
return string

js() public static method

This can be used to put dynamically generated JavaScript code into both script blocks and event-handler attributes.
public static js ( string $string ) : string
$string string
return string

noNeedToEscape() public static method

Check if a string needs to be escaped or not
public static noNeedToEscape ( string $string ) : boolean
$string string
return boolean

url() public static method

This can be used to put untrusted data into HTTP GET parameter values. This should not be used to escape an entire URI.
public static url ( string $string ) : string
$string string
return string

xml() public static method

Replaces characters that could be wrongfully interpreted as XML markup. The following characters are reserved in XML and will be replaced with their corresponding XML entities: ' is replaced with &apos;, " is replaced with &quot;, & is replaced with &amp;, < is replaced with &lt;, and > is replaced with &gt;.
public static xml ( string $string ) : string
$string string
return string