PHP Class Escape

Class to handle context specific output escaping per OWASP recommendations. Most of this class is based on methods from Zend\Escaper, but modified for Kirby. Copyrighted (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com) under the New BSD License (http://framework.zend.com/license/new-bsd).
Project: getkirby/toolkit

Public Methods

Method Description
attr ( string $string, string $strict = true ) : string Escape common HTML attributes data
charIsUndefined ( string $char ) : boolean Check if a character is undefined in HTML
convertEncoding ( string $char ) : string Convert a character from UTF-8 to UTF-16BE
css ( string $string ) : string Escape HTML style property values
html ( string $string ) : string Escape HTML element content
js ( string $string ) : string Escape JavaScript data values
noNeedToEscape ( string $string ) : boolean Check if a string needs to be escaped or not
url ( string $string ) : string Escape URL parameter values
xml ( string $string ) : string Escape XML element content

Protected Methods

Method Description
escapeAttrChar ( array $matches ) : mixed Escape character for HTML attribute
escapeCSSChar ( array $matches ) : string Escape character for CSS
escapeJSChar ( array $matches ) : string Escape character for JavaScript

Method Details

attr() public static method

This can be used to put untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. Use esc($string, 'js') for event handler attributes, esc($string, 'url') for src attributes and esc($string, 'css') for style attributes.
public static attr ( string $string, string $strict = true ) : string
$string string
$strict string Whether to escape characters like [space] % * + , - / ; < = > ^ and | which is necessary in case of unquoted HTML attributes.
Returns string

charIsUndefined() public static method

Check if a character is undefined in HTML
public static charIsUndefined ( string $char ) : boolean
$char string
Returns boolean

convertEncoding() public static method

Convert a character from UTF-8 to UTF-16BE
public static convertEncoding ( string $char ) : string
$char string
Returns string

css() public static method

This can be used to put untrusted data into a stylesheet or a style tag. Stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding). You should also not put untrusted data into IE's expression property value, which allows JavaScript.
public static css ( string $string ) : string
$string string
Returns string

escapeAttrChar() protected static method

Callback function for preg_replace_callback() that applies HTML attribute escaping to all matches.
protected static escapeAttrChar ( array $matches ) : mixed
$matches array
Returns mixed Unicode replacement character if the character is undefined in HTML, a named HTML entity if one is available (only those that XML supports), an upper-case hex entity if no named entity exists, or an entity in the &#xHH; format if the ASCII value is less than 256.

escapeCSSChar() protected static method

Callback function for preg_replace_callback() that applies CSS escaping to all matches.
protected static escapeCSSChar ( array $matches ) : string
$matches array
Returns string

escapeJSChar() protected static method

Callback function for preg_replace_callback() that applies JavaScript escaping to all matches.
protected static escapeJSChar ( array $matches ) : string
$matches array
Returns string

html() public static method

This can be used to put untrusted data directly into the HTML body somewhere. This includes inside normal tags like div, p, b, td, etc. Escapes &, <, >, ", and ' with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers.
public static html ( string $string ) : string
$string string
Returns string

js() public static method

This can be used to put dynamically generated JavaScript code into both script blocks and event-handler attributes.
public static js ( string $string ) : string
$string string
Returns string
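As an added example (not code from Kirby or Zend), the following is a reduced re-implementation of the attr() and js() escaping rules documented above (attr() in its non-strict mode), showing that the same untrusted value needs a different encoding in each output context. It assumes PHP 7.4+ with the mbstring extension; all function names are this example's own.

```php
<?php
// Added example, not Kirby or Zend code: a reduced re-implementation of the
// attr() and js() escaping rules documented above (non-strict attr() mode),
// to show that one input needs a different encoding in each output context.
// Assumes PHP 7.4+ with the mbstring extension.
declare(strict_types=1);
// Named entities are used only where XML defines them too; everything else
// gets a numeric entity, as the escapeAttrChar() description states.
const XML_NAMED_ENTITIES = [34 => '&quot;', 38 => '&amp;', 60 => '&lt;', 62 => '&gt;'];

/** Attribute-context escape for one UTF-8 character. */
function escapeAttrChar(string $char): string
{
    $cp = mb_ord($char, 'UTF-8');
    // Control characters have no meaning in HTML: emit the Unicode replacement character.
    if (($cp <= 0x1F && !in_array($cp, [0x09, 0x0A, 0x0D], true)) || ($cp >= 0x7F && $cp <= 0x9F)) {
        return '&#xFFFD;';
    }
    return XML_NAMED_ENTITIES[$cp] ?? sprintf('&#x%02X;', $cp); // upper-case hex entity
}

/** JavaScript-context escape: \xHH for ASCII, \uHHHH per UTF-16 code unit otherwise. */
function escapeJsChar(string $char): string
{
    if (strlen($char) === 1) {
        return sprintf('\x%02X', ord($char));
    }
    $out = '';
    foreach (str_split(mb_convert_encoding($char, 'UTF-16BE', 'UTF-8'), 2) as $unit) {
        $out .= '\u' . strtoupper(bin2hex($unit));
    }
    return $out;
}

/** Escape everything outside a small safe set, so quotes, spaces and < never reach the parser raw. */
function attr(string $string): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._-]/u', fn($m) => escapeAttrChar($m[0]), $string);
}

function js(string $string): string
{
    return preg_replace_callback('/[^a-zA-Z0-9,._]/u', fn($m) => escapeJsChar($m[0]), $string);
}

// Constructed untrusted value containing a quote, an ampersand and a non-ASCII character.
$untrusted = 'Tom & "Jerry" <3 é';
echo '<input value="' . attr($untrusted) . '">', PHP_EOL;
echo '<script>var who = "' . js($untrusted) . '";</script>', PHP_EOL;
```

Running it prints the value once as HTML entities inside the attribute and once as \xHH / \uHHHH escapes inside the script block; neither form can close the surrounding quote or start a tag.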

noNeedToEscape() public static method

Check if a string needs to be escaped or not
public static noNeedToEscape ( string $string ) : boolean
$string string
Returns boolean

url() public static method

This can be used to put untrusted data into HTTP GET parameter values. This should not be used to escape an entire URI.
public static url ( string $string ) : string
$string string
Returns string

xml() public static method

Removes offending characters that could be wrongfully interpreted as XML markup. The following characters are reserved in XML and will be replaced with their corresponding XML entities: ' is replaced with &apos;, " is replaced with &quot;, & is replaced with &amp;, < is replaced with &lt;, > is replaced with &gt;.
public static xml ( string $string ) : string
$string string
Returns string