diff --git a/includes/common.inc b/includes/common.inc index 2abf198..f97aea6 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -2542,6 +2542,22 @@ function drupal_clear_js_cache() { * We use HTML-safe strings, i.e. with <, > and & escaped. */ function drupal_to_js($var) { + // The PHP version cannot change within a request. + static $php530; + + if (!isset($php530)) { + $php530 = version_compare(PHP_VERSION, '5.3.0', '>='); + } + + if ($php530) { + // Encode <, >, ', &, and " using the json_encode() options parameter. + return json_encode($var, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT); + } + + // json_encode() escapes <, >, ', &, and " using its options parameter, but + // does not support this parameter prior to PHP 5.3.0. Use str_replace to do + // it. + switch (gettype($var)) { case 'boolean': return $var ? 'true' : 'false'; // Lowercase necessary! @@ -2550,9 +2566,60 @@ function drupal_to_js($var) { return $var; case 'resource': case 'string': - return '"'. str_replace(array("\r", "\n", "<", ">", "&"), - array('\r', '\n', '\x3c', '\x3e', '\x26'), - addslashes($var)) .'"'; + // Always use Unicode escape sequences (\u0022) over JSON escape + // sequences (\") to prevent browsers interpreting these as + // special characters. + $replace_pairs = array( + // ", \ and U+0000 - U+001F must be escaped according to RFC 4627. + '\\' => '\u005C', + '"' => '\u0022', + "\x00" => '\u0000', + "\x01" => '\u0001', + "\x02" => '\u0002', + "\x03" => '\u0003', + "\x04" => '\u0004', + "\x05" => '\u0005', + "\x06" => '\u0006', + "\x07" => '\u0007', + "\x08" => '\u0008', + "\x09" => '\u0009', + "\x0a" => '\u000A', + "\x0b" => '\u000B', + "\x0c" => '\u000C', + "\x0d" => '\u000D', + "\x0e" => '\u000E', + "\x0f" => '\u000F', + "\x10" => '\u0010', + "\x11" => '\u0011', + "\x12" => '\u0012', + "\x13" => '\u0013', + "\x14" => '\u0014', + "\x15" => '\u0015', + "\x16" => '\u0016', + "\x17" => '\u0017', + "\x18" => '\u0018', + "\x19" => '\u0019', + "\x1a" => '\u001A', + "\x1b" => '\u001B', + "\x1c" => '\u001C', + "\x1d" => '\u001D', + "\x1e" => '\u001E', + "\x1f" => '\u001F', + // Prevent browsers from interpreting these as as special. + "'" => '\u0027', + '<' => '\u003C', + '>' => '\u003E', + '&' => '\u0026', + // Prevent browsers from interpreting the solidus as special and + // non-compliant JSON parsers from interpreting // as a comment. + '/' => '\u002F', + // While these are allowed unescaped according to ECMA-262, section + // 15.12.2, they cause problems in some JSON parsers. + "\xe2\x80\xa8" => '\u2028', // U+2028, Line Separator. + "\xe2\x80\xa9" => '\u2029', // U+2029, Paragraph Separator. + ); + + return '"' . strtr($var, $replace_pairs) . '"'; case 'array': // Arrays in JSON can't be associative. If the array is empty or if it // has sequential whole number keys starting with 0, it's not associative @@ -2562,15 +2629,15 @@ function drupal_to_js($var) { foreach ($var as $v) { $output[] = drupal_to_js($v); } - return '[ '. implode(', ', $output) .' ]'; + return '[ ' . implode(', ', $output) . ' ]'; } // Otherwise, fall through to convert the array as an object. case 'object': $output = array(); foreach ($var as $k => $v) { - $output[] = drupal_to_js(strval($k)) .': '. drupal_to_js($v); + $output[] = drupal_to_js(strval($k)) . ':' . drupal_to_js($v); } - return '{ '. implode(', ', $output) .' }'; + return '{' . implode(', ', $output) . '}'; default: return 'null'; }