Rename clean_js to js_string and have it return a complete JS string (with delimiters) instead of just the string contents.

Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.

1 files changed, 3 insertions, 11 deletions

diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
index 9614a213..0767a665 100644
--- a/modules/gallery/libraries/SafeString.php
+++ b/modules/gallery/libraries/SafeString.php
@@ -92,17 +92,17 @@ class SafeString_Core {
   }
 
   /**
-   * Safe for use in JavaScript.
+   * Safe for use as JavaScript string.
    *
    * Example:<pre>
    *   <script type="text/javascript>"
-   *     var some_js_var = "<?= $php_var->for_js() ?>";
+   *     var some_js_var = <?= $php_var->for_js() ?>;
    *   </script>
    * </pre>
    * @return the string escaped for use in JavaScript.
    */
   function for_js() {
-    return self::_escape_for_js($this->_raw_string);
+    return json_encode((string) $this->_raw_string);
   }
 
   /**
@@ -152,14 +152,6 @@ class SafeString_Core {
     return html::specialchars($dirty_html);
   }
 
-  // Escapes special chars (quotes, backslash, etc.) with a backslash sequence.
-  private static function _escape_for_js($string) {
-    // From Smarty plugins/modifier.escape.php
-    // Might want to be stricter here.
-    return strtr($string,
-		 array('\\'=>'\\\\',"'"=>"\\'",'"'=>'\\"',"\r"=>'\\r',"\n"=>'\\n','</'=>'<\/'));
-  }
-
   // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript.
   private static function _purify_for_html($dirty_html) {
     if (empty(self::$_purifier)) {