update case of hex escapings
marc-mabe authored and padraic committed Jul 13, 2012
1 parent f61a0be commit c689b52
Showing 5 changed files with 60 additions and 60 deletions.
32 changes: 16 additions & 16 deletions library/Zend/Escaper/Escaper.php
Expand Up @@ -257,7 +257,7 @@ public function htmlAttrMatcher($matches)
if (($ord <= 0x1f && $chr != "\t" && $chr != "\n" && $chr != "\r")
|| ($ord >= 0x7f && $ord <= 0x9f)
) {
return '&#xfffd;';
return '&#xFFFD;';
}

/**
Expand All @@ -269,19 +269,20 @@ public function htmlAttrMatcher($matches)
}

$hex = bin2hex($chr);
$int = hexdec($hex);
if (isset(static::$htmlNamedEntityMap[$int])) {
return '&' . static::$htmlNamedEntityMap[$int] . ';';
$ord = hexdec($hex);
if (isset(static::$htmlNamedEntityMap[$ord])) {
return '&' . static::$htmlNamedEntityMap[$ord] . ';';
}

/**
* Per OWASP recommendations, we'll use hex entities for any other
* characters where a named entity does not exist.
* Per OWASP recommendations, we'll use upper hex entities
* for any other characters where a named entity does not exist.
*/
if ($int > 255) {
$hex = str_pad($hex, 4, '0', \STR_PAD_LEFT);
if ($ord > 255) {
return sprintf('&#x%04X;', $ord);
} else {
return sprintf('&#x%02X;', $ord);
}
return '&#x' . $hex . ';';
}

/**
Expand All @@ -295,10 +296,10 @@ public function jsMatcher($matches)
{
$chr = $matches[0];
if (strlen($chr) == 1) {
return '\\x' . bin2hex($chr);
return sprintf('\\x%02X', ord($chr));
} else {
$chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
return '\\u' . str_pad(bin2hex($chr), 4, '0', \STR_PAD_LEFT);
return sprintf('\\u%04s', strtoupper(bin2hex($chr)));
}
}

Expand All @@ -312,14 +313,13 @@ public function jsMatcher($matches)
public function cssMatcher($matches)
{
$chr = $matches[0];
if ($chr === "\0") {
return '\\0 ';
} elseif (strlen($chr) == 1) {
return '\\' . ltrim(bin2hex($chr), '0') . ' ';
if (strlen($chr) == 1) {
$ord = ord($chr);
} else {
$chr = $this->convertEncoding($chr, 'UTF-16BE', 'UTF-8');
return '\\' . ltrim(bin2hex($chr), '0') . ' ';
$ord = hexdec(bin2hex($chr));
}
return sprintf('\\%X ', $ord);
}

/**
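Review bot: In jsMatcher, `return sprintf('\\u%04s', strtoupper(bin2hex($chr)));` folds the whole UTF-16BE encoding into a single `\u` escape, so a character outside the Basic Multilingual Plane (four bytes after `convertEncoding`, assuming the matcher's regex — outside this hunk — admits such characters) yields an eight-digit sequence that JavaScript does not read as one escape. Each UTF-16BE code unit is exactly two bytes, so the zero-padding is unnecessary and the two surrogates should be emitted as separate escapes: `$hex = strtoupper(bin2hex($chr));` followed by `return '\\u' . implode('\\u', str_split($hex, 4));`. The same shape appears in cssMatcher (`sprintf('\\%X ', $ord)`, where a CSS escape takes at most six hex digits) and in the `%04X` branch of htmlAttrMatcher (where a numeric character reference names a code point, not UTF-16 code units); for those two, converting to UTF-32BE instead of UTF-16BE before `hexdec()` would give the code point directly and also avoids `hexdec()` returning a float for eight-digit values on 32-bit builds. The enclosing htmlAttrMatcher body starts outside its hunks.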
28 changes: 14 additions & 14 deletions tests/Zend/Escaper/EscaperTest.php
Expand Up @@ -59,10 +59,10 @@ class EscaperTest extends \PHPUnit_Framework_TestCase
'0' => '0',
'9' => '9',
/* Basic control characters and null */
"\r" => '&#x0d;',
"\n" => '&#x0a;',
"\r" => '&#x0D;',
"\n" => '&#x0A;',
"\t" => '&#x09;',
"\0" => '&#xfffd;', // should use Unicode replacement char
"\0" => '&#xFFFD;', // should use Unicode replacement char
/* Encode chars as named entities where possible */
'<' => '&lt;',
'>' => '&gt;',
Expand All @@ -74,8 +74,8 @@ class EscaperTest extends \PHPUnit_Framework_TestCase

protected $jsSpecialChars = array(
/* HTML special chars - escape without exception to hex */
'<' => '\\x3c',
'>' => '\\x3e',
'<' => '\\x3C',
'>' => '\\x3E',
'\'' => '\\x27',
'"' => '\\x22',
'&' => '\\x26',
Expand All @@ -93,8 +93,8 @@ class EscaperTest extends \PHPUnit_Framework_TestCase
'0' => '0',
'9' => '9',
/* Basic control characters and null */
"\r" => '\\x0d',
"\n" => '\\x0a',
"\r" => '\\x0D',
"\n" => '\\x0A',
"\t" => '\\x09',
"\0" => '\\x00',
/* Encode spaces for quoteless attribute protection */
Expand Down Expand Up @@ -138,17 +138,17 @@ class EscaperTest extends \PHPUnit_Framework_TestCase

protected $cssSpecialChars = array(
/* HTML special chars - escape without exception to hex */
'<' => '\\3c ',
'>' => '\\3e ',
'<' => '\\3C ',
'>' => '\\3E ',
'\'' => '\\27 ',
'"' => '\\22 ',
'&' => '\\26 ',
/* Characters beyond ASCII value 255 to unicode escape */
'Ā' => '\\100 ',
/* Immune chars excluded */
',' => '\\2c ',
'.' => '\\2e ',
'_' => '\\5f ',
',' => '\\2C ',
'.' => '\\2E ',
'_' => '\\5F ',
/* Basic alnums exluded */
'a' => 'a',
'A' => 'A',
Expand All @@ -157,8 +157,8 @@ class EscaperTest extends \PHPUnit_Framework_TestCase
'0' => '0',
'9' => '9',
/* Basic control characters and null */
"\r" => '\\d ',
"\n" => '\\a ',
"\r" => '\\D ',
"\n" => '\\A ',
"\t" => '\\9 ',
"\0" => '\\0 ',
/* Encode spaces for quoteless attribute protection */
20 changes: 10 additions & 10 deletions tests/Zend/View/Helper/EscapeCssTest.php
Expand Up @@ -86,11 +86,11 @@ public function testAllowsRecursiveEscapingOfArrays()
),
);
$expected = array(
'foo' => '\3c b\3e bar\3c \2f b\3e ',
'foo' => '\3C b\3E bar\3C \2F b\3E ',
'baz' => array(
'\3c em\3e bat\3c \2f em\3e ',
'\3C em\3E bat\3C \2F em\3E ',
'second' => array(
'\3c i\3e third\3c \2f i\3e ',
'\3C i\3E third\3C \2F i\3E ',
),
),
);
Expand All @@ -103,7 +103,7 @@ public function testWillCastObjectsToStringsBeforeEscaping()
$object = new TestAsset\Stringified;
$test = $this->helper->__invoke($object);
$this->assertEquals(
'ZendTest\5c View\5c Helper\5c TestAsset\5c Stringified',
'ZendTest\5C View\5C Helper\5C TestAsset\5C Stringified',
$test
);
}
Expand All @@ -123,11 +123,11 @@ public function testCanRecurseObjectImplementingToArray()
$object->array = $original;

$expected = array(
'foo' => '\3c b\3e bar\3c \2f b\3e ',
'foo' => '\3C b\3E bar\3C \2F b\3E ',
'baz' => array(
'\3c em\3e bat\3c \2f em\3e ',
'\3C em\3E bat\3C \2F em\3E ',
'second' => array(
'\3c i\3e third\3c \2f i\3e ',
'\3C i\3E third\3C \2F i\3E ',
),
),
);
Expand All @@ -152,11 +152,11 @@ public function testCanRecurseObjectProperties()
}

$expected = array(
'foo' => '\3c b\3e bar\3c \2f b\3e ',
'foo' => '\3C b\3E bar\3C \2F b\3E ',
'baz' => array(
'\3c em\3e bat\3c \2f em\3e ',
'\3C em\3E bat\3C \2F em\3E ',
'second' => array(
'\3c i\3e third\3c \2f i\3e ',
'\3C i\3E third\3C \2F i\3E ',
),
),
);
20 changes: 10 additions & 10 deletions tests/Zend/View/Helper/EscapeHtmlAttrTest.php
Expand Up @@ -86,11 +86,11 @@ public function testAllowsRecursiveEscapingOfArrays()
),
);
$expected = array(
'foo' => '&lt;b&gt;bar&lt;&#x2f;b&gt;',
'foo' => '&lt;b&gt;bar&lt;&#x2F;b&gt;',
'baz' => array(
'&lt;em&gt;bat&lt;&#x2f;em&gt;',
'&lt;em&gt;bat&lt;&#x2F;em&gt;',
'second' => array(
'&lt;i&gt;third&lt;&#x2f;i&gt;',
'&lt;i&gt;third&lt;&#x2F;i&gt;',
),
),
);
Expand All @@ -103,7 +103,7 @@ public function testWillCastObjectsToStringsBeforeEscaping()
$object = new TestAsset\Stringified;
$test = $this->helper->__invoke($object);
$this->assertEquals(
'ZendTest&#x5c;View&#x5c;Helper&#x5c;TestAsset&#x5c;Stringified',
'ZendTest&#x5C;View&#x5C;Helper&#x5C;TestAsset&#x5C;Stringified',
$test
);
}
Expand All @@ -123,11 +123,11 @@ public function testCanRecurseObjectImplementingToArray()
$object->array = $original;

$expected = array(
'foo' => '&lt;b&gt;bar&lt;&#x2f;b&gt;',
'foo' => '&lt;b&gt;bar&lt;&#x2F;b&gt;',
'baz' => array(
'&lt;em&gt;bat&lt;&#x2f;em&gt;',
'&lt;em&gt;bat&lt;&#x2F;em&gt;',
'second' => array(
'&lt;i&gt;third&lt;&#x2f;i&gt;',
'&lt;i&gt;third&lt;&#x2F;i&gt;',
),
),
);
Expand All @@ -152,11 +152,11 @@ public function testCanRecurseObjectProperties()
}

$expected = array(
'foo' => '&lt;b&gt;bar&lt;&#x2f;b&gt;',
'foo' => '&lt;b&gt;bar&lt;&#x2F;b&gt;',
'baz' => array(
'&lt;em&gt;bat&lt;&#x2f;em&gt;',
'&lt;em&gt;bat&lt;&#x2F;em&gt;',
'second' => array(
'&lt;i&gt;third&lt;&#x2f;i&gt;',
'&lt;i&gt;third&lt;&#x2F;i&gt;',
),
),
);
20 changes: 10 additions & 10 deletions tests/Zend/View/Helper/EscapeJsTest.php
Expand Up @@ -86,11 +86,11 @@ public function testAllowsRecursiveEscapingOfArrays()
),
);
$expected = array(
'foo' => '\x3cb\x3ebar\x3c\x2fb\x3e',
'foo' => '\x3Cb\x3Ebar\x3C\x2Fb\x3E',
'baz' => array(
'\x3cem\x3ebat\x3c\x2fem\x3e',
'\x3Cem\x3Ebat\x3C\x2Fem\x3E',
'second' => array(
'\x3ci\x3ethird\x3c\x2fi\x3e',
'\x3Ci\x3Ethird\x3C\x2Fi\x3E',
),
),
);
Expand All @@ -103,7 +103,7 @@ public function testWillCastObjectsToStringsBeforeEscaping()
$object = new TestAsset\Stringified;
$test = $this->helper->__invoke($object);
$this->assertEquals(
'ZendTest\x5cView\x5cHelper\x5cTestAsset\x5cStringified',
'ZendTest\x5CView\x5CHelper\x5CTestAsset\x5CStringified',
$test
);
}
Expand All @@ -123,11 +123,11 @@ public function testCanRecurseObjectImplementingToArray()
$object->array = $original;

$expected = array(
'foo' => '\x3cb\x3ebar\x3c\x2fb\x3e',
'foo' => '\x3Cb\x3Ebar\x3C\x2Fb\x3E',
'baz' => array(
'\x3cem\x3ebat\x3c\x2fem\x3e',
'\x3Cem\x3Ebat\x3C\x2Fem\x3E',
'second' => array(
'\x3ci\x3ethird\x3c\x2fi\x3e',
'\x3Ci\x3Ethird\x3C\x2Fi\x3E',
),
),
);
Expand All @@ -152,11 +152,11 @@ public function testCanRecurseObjectProperties()
}

$expected = array(
'foo' => '\x3cb\x3ebar\x3c\x2fb\x3e',
'foo' => '\x3Cb\x3Ebar\x3C\x2Fb\x3E',
'baz' => array(
'\x3cem\x3ebat\x3c\x2fem\x3e',
'\x3Cem\x3Ebat\x3C\x2Fem\x3E',
'second' => array(
'\x3ci\x3ethird\x3c\x2fi\x3e',
'\x3Ci\x3Ethird\x3C\x2Fi\x3E',
),
),
);
