/
EscapeModifierCompiler.php
56 lines (52 loc) · 2.01 KB
/
EscapeModifierCompiler.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<?php
namespace Smarty\Compile\Modifier;
use Smarty\Exception;
/**
* Smarty escape modifier plugin
* Type: modifier
* Name: escape
* Purpose: escape string for output
*
* @author Rodney Rehm
*/
class EscapeModifierCompiler extends Base {
public function compile($params, \Smarty\Compiler\Template $compiler) {
try {
$esc_type = $this->literal_compiler_param($params, 1, 'html');
$char_set = $this->literal_compiler_param($params, 2, \Smarty\Smarty::$_CHARSET);
$double_encode = $this->literal_compiler_param($params, 3, true);
if (!$char_set) {
$char_set = \Smarty\Smarty::$_CHARSET;
}
switch ($esc_type) {
case 'html':
return 'htmlspecialchars((string)' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ', ' .
var_export($double_encode, true) . ')';
// no break
case 'htmlall':
return 'htmlentities(mb_convert_encoding((string)' . $params[ 0 ] . ', \'UTF-8\', ' .
var_export($char_set, true) . '), ENT_QUOTES, \'UTF-8\', ' .
var_export($double_encode, true) . ')';
// no break
case 'url':
return 'rawurlencode((string)' . $params[ 0 ] . ')';
case 'urlpathinfo':
return 'str_replace("%2F", "/", rawurlencode((string)' . $params[ 0 ] . '))';
case 'quotes':
// escape unescaped single quotes
return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'", (string)' . $params[ 0 ] . ')';
case 'javascript':
// escape quotes and backslashes, newlines, etc.
// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
return 'strtr((string)' .
$params[ 0 ] .
', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r",
"\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S",
"`" => "\\\\`", "\${" => "\\\\\\$\\{"))';
}
} catch (Exception $e) {
// pass through to regular plugin fallback
}
return '$_smarty_tpl->getSmarty()->getModifierCallback(\'escape\')(' . join(', ', $params) . ')';
}
}