smarty/libs/plugins/modifiercompiler.escape.php

<?php
/**
 * Smarty plugin
 *
 * @package    Smarty
 * @subpackage PluginsModifierCompiler
 */
/**
 * Smarty escape modifier plugin
 * Type:     modifier
 * Name:     escape
 * Purpose:  escape string for output
 *
 * @link   http://www.smarty.net/docsv2/en/language.modifier.escape count_characters (Smarty online manual)
 * @author Rodney Rehm
 *
 * @param array                                $params parameters
 * @param Smarty_Internal_TemplateCompilerBase $compiler
 *
 * @return string with compiled code
 * @throws \SmartyException
 */
function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompilerBase $compiler)
{
    static $_double_encode = null;
    static $is_loaded = false;
    $compiler->template->_checkPlugins(
        array(
            array(
                'function' => 'smarty_literal_compiler_param',
                'file'     => SMARTY_PLUGINS_DIR . 'shared.literal_compiler_param.php'
            )
        )
    );
    if ($_double_encode === null) {
        $_double_encode = version_compare(PHP_VERSION, '5.2.3', '>=');
    }
    try {
        $esc_type = smarty_literal_compiler_param($params, 1, 'html');
        $char_set = smarty_literal_compiler_param($params, 2, Smarty::$_CHARSET);
        $double_encode = smarty_literal_compiler_param($params, 3, true);
        if (!$char_set) {
            $char_set = Smarty::$_CHARSET;
        }
        switch ($esc_type) {
            case 'html':
                if ($_double_encode) {
                    return 'htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ', ' .
                           var_export($double_encode, true) . ')';
                } elseif ($double_encode) {
                    return 'htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ')';
                } else {
                    // fall back to modifier.escape.php
                }
            // no break
            case 'htmlall':
                if (Smarty::$_MBSTRING) {
                    if ($_double_encode) {
                        // php >=5.2.3 - go native
                        return 'mb_convert_encoding(htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' .
                               var_export($char_set, true) . ', ' . var_export($double_encode, true) .
                               '), "HTML-ENTITIES", ' . var_export($char_set, true) . ')';
                    } elseif ($double_encode) {
                        // php <5.2.3 - only handle double encoding
                        return 'mb_convert_encoding(htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' .
                               var_export($char_set, true) . '), "HTML-ENTITIES", ' . var_export($char_set, true) . ')';
                    } else {
                        // fall back to modifier.escape.php
                    }
                }
                // no MBString fallback
                if ($_double_encode) {
                    // php >=5.2.3 - go native
                    return 'htmlentities(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ', ' .
                           var_export($double_encode, true) . ')';
                } elseif ($double_encode) {
                    // php <5.2.3 - only handle double encoding
                    return 'htmlentities(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ')';
                } else {
                    // fall back to modifier.escape.php
                }
            // no break
            case 'url':
                return 'rawurlencode(' . $params[ 0 ] . ')';
            case 'urlpathinfo':
                return 'str_replace("%2F", "/", rawurlencode(' . $params[ 0 ] . '))';
            case 'quotes':
                // escape unescaped single quotes
                return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';
            case 'javascript':
                // escape quotes and backslashes, newlines, etc.
                // see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
                return 'strtr(' .
                       $params[ 0 ] .
                       ', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';
        }
    } catch (SmartyException $e) {
        // pass through to regular plugin fallback
    }
    // could not optimize |escape call, so fallback to regular plugin
    if ($compiler->template->caching && ($compiler->tag_nocache | $compiler->nocache)) {
        $compiler->required_plugins[ 'nocache' ][ 'escape' ][ 'modifier' ][ 'file' ] =
            SMARTY_PLUGINS_DIR . 'modifier.escape.php';
        $compiler->required_plugins[ 'nocache' ][ 'escape' ][ 'modifier' ][ 'function' ] =
            'smarty_modifier_escape';
    } else {
        $compiler->required_plugins[ 'compiled' ][ 'escape' ][ 'modifier' ][ 'file' ] =
            SMARTY_PLUGINS_DIR . 'modifier.escape.php';
        $compiler->required_plugins[ 'compiled' ][ 'escape' ][ 'modifier' ][ 'function' ] =
            'smarty_modifier_escape';
    }
    return 'smarty_modifier_escape(' . join(', ', $params) . ')';
}
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`<?php`
			`/**`
			`* Smarty plugin`
			`*`
- fixed spelling, PHPDoc , minor errors, code cleanup 2014-06-06 02:40:04 +00:00			`* @package Smarty`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`* @subpackage PluginsModifierCompiler`
			`*/`
			`/**`
			`* Smarty escape modifier plugin`
remove html tags from PHPDoc blocks 2017-11-11 07:11:33 +01:00			`* Type: modifier`
			`* Name: escape`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`* Purpose: escape string for output`
			`*`
- fixed spelling, PHPDoc , minor errors, code cleanup 2014-06-06 02:40:04 +00:00			`* @link http://www.smarty.net/docsv2/en/language.modifier.escape count_characters (Smarty online manual)`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`* @author Rodney Rehm`
- fixed spelling, PHPDoc , minor errors, code cleanup 2014-06-06 02:40:04 +00:00			`*`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`* @param array $params parameters`
Update PSR-2 2018-06-12 09:58:15 +02:00			`* @param Smarty_Internal_TemplateCompilerBase $compiler`
- fixed spelling, PHPDoc , minor errors, code cleanup 2014-06-06 02:40:04 +00:00			`*`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`* @return string with compiled code`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`* @throws \SmartyException`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`*/`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`function smarty_modifiercompiler_escape($params, Smarty_Internal_TemplateCompilerBase $compiler)`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`{`
			`static $_double_encode = null;`
- performance store flag for already required shared plugin functions in static variable or Smarty's $_cache to improve performance when plugins are often called https://github.com/smarty-php/smarty/commit/51e0d5cd405d764a4ea257d1bac1fb1205f74528#commitcomment-22280086 2017-05-27 11:04:00 +02:00			`static $is_loaded = false;`
Update PSR-2 2018-06-12 09:58:15 +02:00			`$compiler->template->_checkPlugins(`
- reformating for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483 2018-08-31 16:45:09 +02:00			`array(`
			`array(`
			`'function' => 'smarty_literal_compiler_param',`
			`'file' => SMARTY_PLUGINS_DIR . 'shared.literal_compiler_param.php'`
			`)`
			`)`
Update PSR-2 2018-06-12 09:58:15 +02:00			`);`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`if ($_double_encode === null) {`
			`$_double_encode = version_compare(PHP_VERSION, '5.2.3', '>=');`
			`}`
			`try {`
			`$esc_type = smarty_literal_compiler_param($params, 1, 'html');`
			`$char_set = smarty_literal_compiler_param($params, 2, Smarty::$_CHARSET);`
			`$double_encode = smarty_literal_compiler_param($params, 3, true);`
			`if (!$char_set) {`
			`$char_set = Smarty::$_CHARSET;`
			`}`
			`switch ($esc_type) {`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`case 'html':`
			`if ($_double_encode) {`
			`return 'htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ', ' .`
			`var_export($double_encode, true) . ')';`
			`} elseif ($double_encode) {`
			`return 'htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ')';`
			`} else {`
			`// fall back to modifier.escape.php`
			`}`
- reformating for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483 2018-08-31 16:45:09 +02:00			`// no break`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`case 'htmlall':`
			`if (Smarty::$_MBSTRING) {`
			`if ($_double_encode) {`
			`// php >=5.2.3 - go native`
			`return 'mb_convert_encoding(htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' .`
			`var_export($char_set, true) . ', ' . var_export($double_encode, true) .`
			`'), "HTML-ENTITIES", ' . var_export($char_set, true) . ')';`
			`} elseif ($double_encode) {`
			`// php <5.2.3 - only handle double encoding`
			`return 'mb_convert_encoding(htmlspecialchars(' . $params[ 0 ] . ', ENT_QUOTES, ' .`
			`var_export($char_set, true) . '), "HTML-ENTITIES", ' . var_export($char_set, true) . ')';`
			`} else {`
			`// fall back to modifier.escape.php`
			`}`
			`}`
			`// no MBString fallback`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`if ($_double_encode) {`
			`// php >=5.2.3 - go native`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`return 'htmlentities(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ', ' .`
			`var_export($double_encode, true) . ')';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`} elseif ($double_encode) {`
			`// php <5.2.3 - only handle double encoding`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`return 'htmlentities(' . $params[ 0 ] . ', ENT_QUOTES, ' . var_export($char_set, true) . ')';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`} else {`
			`// fall back to modifier.escape.php`
			`}`
- reformating for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483 2018-08-31 16:45:09 +02:00			`// no break`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`case 'url':`
			`return 'rawurlencode(' . $params[ 0 ] . ')';`
			`case 'urlpathinfo':`
			`return 'str_replace("%2F", "/", rawurlencode(' . $params[ 0 ] . '))';`
			`case 'quotes':`
			`// escape unescaped single quotes`
			`return 'preg_replace("%(?<!\\\\\\\\)\'%", "\\\'",' . $params[ 0 ] . ')';`
			`case 'javascript':`
			`// escape quotes and backslashes, newlines, etc.`
plugins: escape: javascript escaping secure fix 2021-02-28 16:43:54 +03:00			`// see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements`
- fix PSR-2 coding standards and PHPDoc blocks https://github.com/smarty-php/smarty/pull/452 https://github.com/smarty-php/smarty/pull/475 https://github.com/smarty-php/smarty/pull/473 - bugfix PHP5.2 compatibility https://github.com/smarty-php/smarty/pull/472 2018-08-19 02:35:46 +02:00			`return 'strtr(' .`
			`$params[ 0 ] .`
plugins: escape: javascript escaping secure fix 2021-02-28 16:43:54 +03:00			`', array("\\\\" => "\\\\\\\\", "\'" => "\\\\\'", "\"" => "\\\\\"", "\\r" => "\\\\r", "\\n" => "\\\n", "</" => "<\/", "<!--" => "<\!--", "<s" => "<\s", "<S" => "<\S" ))';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`}`
- reformating for PSR-2 coding standards https://github.com/smarty-php/smarty/pull/483 2018-08-31 16:45:09 +02:00			`} catch (SmartyException $e) {`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`// pass through to regular plugin fallback`
			`}`
			`// could not optimize \|escape call, so fallback to regular plugin`
			`if ($compiler->template->caching && ($compiler->tag_nocache \| $compiler->nocache)) {`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`$compiler->required_plugins[ 'nocache' ][ 'escape' ][ 'modifier' ][ 'file' ] =`
- reformat all code for unique style 2016-02-09 01:27:15 +01:00			`SMARTY_PLUGINS_DIR . 'modifier.escape.php';`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`$compiler->required_plugins[ 'nocache' ][ 'escape' ][ 'modifier' ][ 'function' ] =`
- reformat all code for unique style 2016-02-09 01:27:15 +01:00			`'smarty_modifier_escape';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`} else {`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`$compiler->required_plugins[ 'compiled' ][ 'escape' ][ 'modifier' ][ 'file' ] =`
- reformat all code for unique style 2016-02-09 01:27:15 +01:00			`SMARTY_PLUGINS_DIR . 'modifier.escape.php';`
- bugfix plugins may not be loaded if {function} or {block} tags are executed in nocache mode 2018-03-28 07:35:52 +02:00			`$compiler->required_plugins[ 'compiled' ][ 'escape' ][ 'modifier' ][ 'function' ] =`
- reformat all code for unique style 2016-02-09 01:27:15 +01:00			`'smarty_modifier_escape';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`}`
- fixed spelling, PHPDoc , minor errors, code cleanup 2014-06-06 02:40:04 +00:00			`return 'smarty_modifier_escape(' . join(', ', $params) . ')';`
- update for PHP 5.4 compatibility - reformat source to PSR-2 standard 2013-07-14 22:15:45 +00:00			`}`