PHP Class Escape

Class to handle context specific output escaping per OWASP recommendations. Most of this class is based on methods from Zend\Escaper, but modified for Kirby. Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com) under the New BSD License (http://framework.zend.com/license/new-bsd).
Project: getkirby/toolkit

Public Methods

Method    Description
attr ( string $string, string $strict = true ) : string Escape common HTML attributes data
charIsUndefined ( string $char ) : boolean Check if a character is undefined in HTML
convertEncoding ( string $char ) : string Convert a character from UTF-8 to UTF-16BE
css ( string $string ) : string Escape HTML style property values
html ( string $string ) : string Escape HTML element content
js ( string $string ) : string Escape JavaScript data values
noNeedToEscape ( string $string ) : boolean Check if a string needs to be escaped or not
url ( string $string ) : string Escape URL parameter values
xml ( string $string ) : string Escape XML element content

Protected Methods

Method    Description
escapeAttrChar ( array $matches ) : mixed Escape character for HTML attribute
escapeCSSChar ( array $matches ) : string Escape character for CSS
escapeJSChar ( array $matches ) : string Escape character for JavaScript

Method Details

attr() public static method

This can be used to put untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. Use esc($string, 'js') for event handler attributes, esc($string, 'url') for src attributes and esc($string, 'css') for style attributes.
public static attr ( string $string, string $strict = true ) : string
$string string
$strict string Whether to escape characters like [space] % * + , - / ; < = > ^ and |, which is necessary for unquoted HTML attributes.
Returns string

charIsUndefined() public static method

Check if a character is undefined in HTML
public static charIsUndefined ( string $char ) : boolean
$char string
Returns boolean

convertEncoding() public static method

Convert a character from UTF-8 to UTF-16BE
public static convertEncoding ( string $char ) : string
$char string
Returns string

css() public static method

This can be used to put untrusted data into a stylesheet or a style tag. Stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding). You should also not put untrusted data into IE's expression property value, which allows JavaScript.
public static css ( string $string ) : string
$string string
Returns string

escapeAttrChar() protected static method

Callback function for preg_replace_callback() that applies HTML attribute escaping to all matches.
protected static escapeAttrChar ( array $matches ) : mixed
$matches array
Returns mixed The Unicode replacement character if the character is undefined in HTML, a named HTML entity if one is available (only those that XML supports), an upper-case hex entity if no named entity exists, or an entity in the &#xHH; format if the code point is below 256.
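The following PHP sketch is an added example and not the Kirby toolkit's own code: it reimplements the attribute escaping described under attr() and escapeAttrChar() above (named entity where XML defines one, &#xHH; below 256, upper-case hex otherwise, U+FFFD for undefined characters) to show why a plain HTML escape is not enough for an unquoted attribute value. The function names mirror the page's method names but are stand-alone, and the behaviour of the non-strict branch is assumed, not taken from the toolkit.

```php
<?php
// Added example, not the Kirby toolkit's own code: a minimal attribute escaper
// that follows the rules the escapeAttrChar() entry describes, to show why a
// plain HTML escape is not enough for an unquoted attribute value.
declare(strict_types=1);

// Only the named entities that XML also defines are used in attribute context.
const ATTR_NAMED_ENTITIES = [0x22 => '&quot;', 0x26 => '&amp;', 0x3C => '&lt;', 0x3E => '&gt;'];

// HTML leaves the C0 controls (except tab, LF, CR), DEL and the C1 range undefined.
function charIsUndefined(int $codePoint): bool
{
    $isControl = $codePoint <= 0x1F && !in_array($codePoint, [0x09, 0x0A, 0x0D], true);
    return $isControl || ($codePoint >= 0x7F && $codePoint <= 0x9F);
}

// preg_replace_callback() callback: turn one matched UTF-8 character into an entity.
function escapeAttrChar(array $matches): string
{
    $codePoint = mb_ord($matches[0], 'UTF-8');
    if (charIsUndefined($codePoint)) {
        return '&#xFFFD;'; // Unicode replacement character
    }
    if (isset(ATTR_NAMED_ENTITIES[$codePoint])) {
        return ATTR_NAMED_ENTITIES[$codePoint];
    }
    // Upper-case hex entity: two digits below 256 (&#xHH;), four or more above.
    $width = $codePoint < 256 ? 2 : 4;
    return sprintf('&#x%0' . $width . 'X;', $codePoint);
}

// $strict = true escapes every character outside [A-Za-z0-9,.-_], so the value
// stays a single token even without surrounding quotes. The $strict = false branch
// is an assumption of this sketch: it only escapes the five HTML-special characters.
function escapeAttr(string $string, bool $strict = true): string
{
    if (!$strict) {
        return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    }
    return preg_replace_callback('/[^a-z0-9,.\-_]/iu', 'escapeAttrChar', $string);
}

// Constructed untrusted value: harmless text that contains a space and an '='.
$untrusted = 'red size=5';
echo escapeAttr($untrusted, false), "\n"; // unchanged: fine inside quotes, splits an unquoted attribute
echo escapeAttr($untrusted, true), "\n";  // space and '=' become entities, value stays one token
```

With $strict = true the space and '=' come out as &#x20; and &#x3D;, so the value cannot start a second attribute when the template omits the quotes.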

escapeCSSChar() protected static method

Callback function for preg_replace_callback() that applies CSS escaping to all matches.
protected static escapeCSSChar ( array $matches ) : string
$matches array
Returns string

escapeJSChar() protected static method

Callback function for preg_replace_callback() that applies JavaScript escaping to all matches.
protected static escapeJSChar ( array $matches ) : string
$matches array
Returns string

html() public static method

This can be used to put untrusted data directly into the HTML body somewhere. This includes inside normal tags like div, p, b, td, etc. Escapes &, <, >, ", and ' with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers.
public static html ( string $string ) : string
$string string
Returns string

js() public static method

This can be used to put dynamically generated JavaScript code into both script blocks and event-handler attributes.
public static js ( string $string ) : string
$string string
Returns string

noNeedToEscape() public static method

Check if a string needs to be escaped or not
public static noNeedToEscape ( string $string ) : boolean
$string string
Returns boolean

url() public static method

This can be used to put untrusted data into HTTP GET parameter values. This should not be used to escape an entire URI.
public static url ( string $string ) : string
$string string
Returns string

xml() public static method

Removes offending characters that could be wrongfully interpreted as XML markup. The following characters are reserved in XML and will be replaced with their corresponding XML entities:
' is replaced with &apos;
" is replaced with &quot;
& is replaced with &amp;
< is replaced with &lt;
> is replaced with &gt;
public static xml ( string $string ) : string
$string string
Returns string