1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
<?php defined("SYSPATH") or die("No direct script access.");
/**
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2013 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
class html extends html_Core {
/**
* Returns a string that is safe to be used in HTML (XSS protection).
*
* If $html is a string, the returned string will be HTML escaped.
* If $html is a SafeString instance, the returned string may contain
* unescaped HTML which is assumed to be safe.
*
* Example:<pre>
* <div><?= html::clean($php_var) ?>
* </pre>
*/
static function clean($html) {
return new SafeString($html);
}
/**
* Returns a string that is safe to be used in HTML (XSS protection),
* purifying (filtering) the given HTML to ensure that the result contains
* only non-malicious HTML.
*
* Example:<pre>
* <div><?= html::purify($item->title) ?>
* </pre>
*/
static function purify($html) {
return SafeString::purify($html);
}
/**
* Flags the given string as safe to be used in HTML (free of malicious HTML/JS).
*
* Example:<pre>
* // Parameters to t() are automatically escaped by default.
* // If the parameter is marked as clean, it won't get escaped.
* t('Go <a href="%url">there</a>',
* array("url" => html::mark_clean(url::current())))
* </pre>
*/
static function mark_clean($html) {
return SafeString::of_safe_html($html);
}
/**
* Escapes the given string for use in JavaScript.
*
* Example:<pre>
* <script type="text/javascript>"
* var some_js_string = <?= html::js_string($php_string) ?>;
* </script>
* </pre>
*/
static function js_string($string) {
return SafeString::of($string)->for_js();
}
/**
* Returns a string safe for use in HTML element attributes.
*
* Assumes that the HTML element attribute is already
* delimited by single or double quotes
*
* Example:<pre>
* <a title="<?= html::clean_for_attribute($php_var) ?>">;
* </script>
* </pre>
* @return the string escaped for use in HTML attributes.
*/
static function clean_attribute($string) {
return html::clean($string)->for_html_attr();
}
}
|
