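_is_safe_html = $string->_is_safe_html;
      $this->_is_purified_html = $string->_is_purified_html;
      $string = $string->unescaped();
    }
    $this->_raw_string = (string) $string;
  }

  /**
   * Factory method returning a new SafeString instance for the given string.
   *
   * The string is treated as untrusted: it is HTML-escaped whenever the
   * instance is cast to string (see __toString()).
   *
   * @param mixed $string  a string, or another SafeString (its flags are copied)
   * @return SafeString
   */
  public static function of($string) {
    return new SafeString($string);
  }

  /**
   * Factory method returning a new SafeString instance after HTML purifying
   * the given string.
   *
   * The result is flagged as both safe HTML (no escaping on output) and
   * purified, so purified_html() on it is a no-op.
   *
   * @param mixed $string  a string, or a SafeString whose raw value is purified
   * @return SafeString
   */
  public static function purify($string) {
    if ($string instanceof SafeString) {
      $string = $string->unescaped();
    }
    // The purifier works on plain strings; cast first so non-string input
    // (e.g. null) is handled the same way the constructor would handle it.
    $safe_string = self::of_safe_html(self::_purify_for_html((string) $string));
    $safe_string->_is_purified_html = true;
    return $safe_string;
  }

  /**
   * Factory method returning a new SafeString instance which won't HTML escape.
   *
   * Only use this for markup that is already known to be safe (e.g. produced
   * by the application itself or by purify()); the raw value is emitted
   * verbatim when the instance is cast to string.
   *
   * @param mixed $string
   * @return SafeString
   */
  public static function of_safe_html($string) {
    $safe_string = new SafeString($string);
    $safe_string->_is_safe_html = true;
    return $safe_string;
  }

  /**
   * Safe for use in HTML element content.
   *
   * Safe-HTML instances return their raw value; everything else is
   * HTML-escaped. This is NOT sufficient for attribute, JavaScript or URL
   * contexts - use the context-specific method instead.
   *
   * @see #for_html()
   * @return string
   */
  public function __toString() {
    if ($this->_is_safe_html) {
      return $this->_raw_string;
    }
    return self::_escape_for_html($this->_raw_string);
  }

  /**
   * Safe for use in HTML element content.
   *
   * Returns the instance itself; the escaping happens in __toString() when
   * the value is echoed or cast to string.
   *
   * @return SafeString the string escaped for use in HTML.
   */
  public function for_html() {
    return $this;
  }

  /**
   * Safe for use in HTML attribute values.
   *
   * Applies the HTML escaping of for_html() and additionally replaces both
   * quote characters with entities, so the value cannot terminate a quoted
   * attribute. The caller must still wrap the attribute value in quotes.
   * Note that safe-HTML instances are only quote-escaped: their markup is
   * left intact.
   *
   * @return string the string escaped for use in HTML attributes.
   */
  public function for_html_attr() {
    $string = (string) $this->for_html();
    // Quotes must become entities here; mapping them to themselves would
    // leave attribute values breakable.
    return strtr($string, array("'" => "&#039;", '"' => "&quot;"));
  }

  /**
   * Safe for use HTML (purified HTML).
   *
   * Returns this instance if it has already been purified, otherwise a new
   * purified SafeString built from this instance's raw value.
   *
   * @return SafeString the string purified for use in HTML.
   */
  public function purified_html() {
    if ($this->_is_purified_html) {
      return $this;
    }
    return self::purify($this);
  }

  /**
   * Returns the raw, unsafe string. Do not use lightly.
   *
   * The value is neither escaped nor purified; never echo it into a
   * response directly.
   *
   * @return string
   */
  public function unescaped() {
    return $this->_raw_string;
  }

  // Escapes special HTML chars ("<", ">", "&", etc.) to HTML entities.
  // Delegates to the framework helper; the exact entity set is defined there.
  private static function _escape_for_html($dirty_html) {
    return html::specialchars($dirty_html);
  }

  // Escapes special chars (quotes, backslash, etc.) with a backslash sequence
  // so the result can be placed inside a JavaScript string literal.
  private static function _escape_for_js($string) {
    // From Smarty plugins/modifier.escape.php
    // Might want to be stricter here: this does not cover the U+2028/U+2029
    // line terminators, "<!--" or "-->", which can also matter inside an
    // inline <script> block. "</" is escaped so the literal cannot close the
    // enclosing script element.
    return strtr($string,
                 array('\\' => '\\\\', "'" => "\\'", '"' => '\\"',
                       "\r" => '\\r', "\n" => '\\n', '</' => '<\/'));
  }

  // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript.
  // The HTMLPurifier instance is built lazily once and cached in self::$_purifier;
  // its configuration comes from the application's "purifier" config
  // (category => key => value), not from user input.
  private static function _purify_for_html($dirty_html) {
    if (empty(self::$_purifier)) {
      require_once(dirname(__FILE__) . "/../lib/HTMLPurifier/HTMLPurifier.auto.php");
      $config = HTMLPurifier_Config::createDefault();
      foreach (Kohana::config('purifier') as $category => $key_value) {
        foreach ($key_value as $key => $value) {
          $config->set("$category.$key", $value);
        }
      }
      self::$_purifier = new HTMLPurifier($config);
    }
    return self::$_purifier->purify($dirty_html);
  }
}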